Both federal and state laws protect patient health information (PHI) in part by establishing rules for its use and disclosure. This article reviews those rules. The HIPAA Privacy Rule defines and limits the situations in which a covered entity may use or disclose PHI. California law further limits the situations in which a covered entity may use or disclose PHI, and practically makes HIPAA rules for the use and disclosure of PHI applicable to all health care providers whether or not the provider is a covered entity.
The Privacy Rule requires that a covered entity provide PHI in specific instances: to an individual or his or her personal representative when the individual requests (1) access to his or her information (release of records) or (2) an accounting of disclosures, and to the U.S. Department of Health and Human Services when it is conducting an investigation, review or enforcement action.
The Privacy Rule permits PHI to be used or disclosed without patient authorization for activities that fall under treatment, payment or health care operations (TPO). The circumstances that constitute TPO are discussed further in this article. Use or disclosure of PHI without patient authorization for public benefit and interest activities, such as domestic violence reporting, disaster relief, research or legal proceedings, may be done only under specific circumstances. For example, a “limited data set” is patient information that has been stripped of identifiers and, without patient authorization, may be used by or disclosed to a recipient who has entered into a data use agreement with the source of the limited data set. Limited data sets are used in research and in public health surveillance.
A health care provider who has obtained informal consent from the patient may, using his or her professional judgment, disclose information to a patient’s family or others or allow family to pick up prescriptions or make appointments. “Informal consent” is typically verbal, for example, the patient’s response to “May we speak to anyone at your home about your dental treatment?” Asking for informal consent allows a patient to object to a use or disclosure of information. The dental practice’s Notice of Privacy Practices will include examples of when the practice will rely on informal consent.
Absent a court order, a parent generally has a right to access the health record of his or her minor child irrespective of whether the parent has custody or financial responsibility. A dental practice may refuse to disclose information to a parent if it determines that providing access may harm the patient. If a minor patient provides information to the dental practice with regard to his or her drug or alcohol abuse, pregnancy, sexual assault, infectious and communicable disease status, HIV/AIDS status, sexually transmitted disease or mental health, the practice may not release this information to a parent without the minor patient’s consent. A parent does not have a right to access the health record of an emancipated minor. An emancipated minor is an individual under 18 years old who is either (a) married or divorced, (b) on active duty with the U.S. armed forces or (c) has received a declaration of emancipation from the court. If a parent continues to pay for the care of an adult child, a consent form signed by the patient will authorize the dental practice to provide treatment information to the parent.
A legally designated representative or beneficiary of a deceased patient may inspect or obtain a copy of the patient’s record. The representative or beneficiary also may grant third-party access to the record. The dental office should request verification of the requestor’s status as a deceased patient’s representative or beneficiary. Refer to “Patient Request to Access Records (Records Release) Form and Q&As.”
Incidental uses and disclosures of information occur during a permitted use or disclosure and cannot be reasonably prevented. Incidental disclosures are allowable as long as a health care provider has implemented appropriate safeguards and applies the “minimum necessary” rule. For example, calling the patient’s name in the waiting room is allowed as long as the purpose of the announcement is not disclosed. Having patients sign in, mailing postcard reminders and leaving voicemail messages are examples of incidental disclosures that are allowed as long as the information disclosed is the minimum necessary to complete the purpose of the disclosure and appropriate safeguards are in place. The minimum necessary rule also must be applied to uses and disclosures of PHI within the facility of a health care provider.
Written patient authorization is required for any use or disclosure that is not permitted or required by HIPAA or state law. State law is more restrictive than federal law and it applies to all health care providers. State law allows the use or disclosure of patient health information with certain limitations and without patient authorization only to:
It is prudent to obtain patient authorization to use or disclose patient health information for purposes not listed above. In addition, HIPAA requires patient authorization for the following:
A valid authorization form must meet the requirements of California Civil Code section 56.11 and HIPAA. Elements of a valid authorization form include but are not limited to the following:
If, however, the patient is not the one requesting the information or records, whether the dental office can provide it depends on who the requestor is and why the request was made. If the health care provider decides that a requestor can have the information, the provider is then responsible for applying HIPAA’s “minimum necessary” rule. “Minimum necessary” is the limited set of PHI that is adequate to accomplish the intended purpose of the request for use or disclosure.
“Treatment” includes the provision or management of health care, consultation or coordination with other health care providers regarding care and referrals of a patient to another provider.
If the employment agreement does not address the subject, an associate dentist may have the contact information of his or her patients to notify them of a new practice location. The dentist may not further use the contact information to solicit the patients or to otherwise use patient health information from the former employer without first obtaining written authorization from the patient.
“Payment” activities are those that are necessary for a health care provider to be paid or reimbursed (or for a health plan to fulfill coverage responsibilities, provide benefits and obtain premiums). Such activities include, but are not limited to, determining benefit eligibility or coverage, billing and utilization review.
If an individual other than the patient is responsible for paying the patient’s bill, disclosure of patient information is allowed as long as the disclosures are limited to the minimum amount of information necessary to obtain payment. In making such disclosures, a health care provider also must honor any reasonable request for confidential communication and any agreed-to restrictions on the use or disclosure of the patient’s protected health information. The dental office’s Notice of Privacy Practices can state that if a patient designates another person as responsible for payment, the office will disclose the minimum amount of personal health information necessary to obtain payment from that person. If the patient objects to that disclosure, the office should inform the patient that he or she would have to choose between allowing the office to disclose information in order to obtain payment or paying for the services himself or herself. If a patient has paid the full cost of an item or service out of pocket and requests that the personal health information regarding the item or service not be disclosed to a health plan for purposes of payment or health care operations, the dental office must honor the patient’s request.
In general, employers do not have the right to access the information except in workers’ compensation cases or when necessary to carry out their responsibilities for workplace medical surveillance under Cal/OSHA or similar federal or state laws. Employers who self-insure may have limited access to patient information necessary to determine payment. Employer-sponsored dental benefit plans also have limited access to patient information necessary to determine payment and to conduct quality assessment audits.
“Health care operations” are certain limited administrative, legal, financial and quality improvement activities necessary to support treatment and payment functions. Examples include:
It is in this category of activities that dental practices must be cautious when using and disclosing PHI. In many cases, a dental practice must get assurances that PHI will not be further disclosed by a recipient. Dentists also should know that health care operations do not include marketing or the sale of patient information. HIPAA limits the use of protected health information for marketing activities on behalf of a covered entity or a third party. With some exceptions, the law also prohibits the sale of protected health information without individual authorization. California law prohibits solicitation of an individual’s health information (including contact information) for direct marketing purposes unless the solicitor informs the individual of the intended uses of the information and obtains the individual’s permission. Communication of news or other information that does not sell or market a service or product is not considered a marketing communication unless the communication is subsidized by a third party. The rules for using PHI in dental practice marketing are described in the article “Dental Practice Marketing and Advertising 101.” California law further limits the use or disclosure of PHI in these situations:
Although the HIPAA Privacy Rule allows the use and transfer of patient information to relevant parties who need that information for health care operations, including practice sales, state law does not include the same provision. In the transfer, sale, merger or consolidation of a dental practice, it is therefore prudent for the selling dentist to obtain written authorization from patients prior to allowing a potential buyer or partner to view charts. The absent provision in state law also means that following the purchase of a dental practice, the new owner should stay on the safe side of the state’s privacy laws and obtain written authorization from patients before using their records. If a patient makes an appointment to be seen by the new owner, this is viewed as an implied authorization for the dentist to view the record. Patient authorization must be separate from the acknowledgement of the office’s Notice of Privacy Practices. The records release form can be mailed to patients together with the selling dentist’s notification of transferring practice ownership. In the transfer, sale, merger or consolidation of a dental practice, the new owner may agree to take custody of the patient records (the alternative is that the former owner retains the records). As the custodian of records, the owner is legally responsible for ensuring that the contents are secure, and if records are to be destroyed, ensuring that the contents are unreadable.
HIPAA allows disclosure of PHI to a debt collection agency with a proper business associate agreement in place to recover outstanding debts for treatment. However, California’s Supreme Court has ruled that a health care provider may not send the entirety of a patient’s records to a collection agency without the patient’s authorization. A collection agency is required by law to respond to a debtor’s request for more information on a debt, but if patient authorization for disclosure of PHI is not obtained, the dental practice may only release the minimum necessary information to collect payment. This includes the debt that was incurred for dental treatment, the patient’s contact and identification information, the dates the patient was seen and billed, any payments that were received and the amount paid to date.
HIPAA and state law permit the use or disclosure of PHI without a patient’s authorization to third parties that benefit the public or perform in the public’s interest, but only in specific circumstances. Other circumstances involving the same third parties may require a patient’s authorization to use PHI. Below are the third parties and the circumstances under which patient authorization is or is not required to use or disclose PHI.
A dental practice must disclose PHI pursuant to a legally executed subpoena issued by a state or federal court, board, commission or administrative agency, for example, the Dental Board of California and Denti-Cal. Subpoenas and search warrants presented by law enforcement do not require patient authorization for the production of PHI. If presented with a civil suit subpoena, a dental practice may disclose information if the subpoena is issued by a California or federal court and is accompanied by either the patient’s authorization or documentation that the patient has been informed of the subpoena. A dental practice should contact legal counsel if questions arise about a subpoena. An administrative order issued by a state or federal board, commission or agency is typically accompanied by a patient’s authorization for release of information.
If a dental office receives a subpoena for a patient’s record, circumstances will dictate the way to respond. If law enforcement serves the subpoena, consult your attorney immediately. Provide the officers with access to the record while informing them that you are contacting your attorney. Do not try to impede law enforcement’s access to records.
In many cases, receipt of a subpoena likely arises out of a civil lawsuit. Upon receipt of a subpoena in these cases, evaluate whether you can comply with the demand for records. Consider these questions:
The 20 days is specified because time is allowed for the court to hear motions to suppress the subpoena. If the subpoena is valid and you are not a party to the lawsuit, produce the records as requested, sign the affidavit and submit a statement for costs incurred in responding to the subpoena.
Proof of service: The date of a valid proof of service must be at least 20 days if served in person (25 days if served by mail in California; 30 days if served in another state; 35 days if served in another country) before the date demanded for production of records and at least five days before the subpoena is served on the dentist or custodian of records.
If an attorney at law or his or her representative presents a written authorization signed by an adult patient or the patient’s legal representative, a parent or guardian of a minor or the heir or personal representative of a deceased patient, a dentist shall promptly make all of the patient’s records under their custody or control available for inspection and copying by the attorney or his or her representative. Copying of the records shall not be performed by the dental practice when the requesting attorney has employed a professional photocopier as his or her representative to obtain or review the records on his or her behalf.
If the records requested are maintained electronically and the requesting party requests an electronic copy, the dental practice shall provide the records in the electronic form and format requested, if readily producible. If the requested electronic form and format are not readily producible, then the dental practice and the requesting party should agree on an alternate form and format.
A dental practice must accept a signed and completed authorization form for the disclosure of health information if both of the following conditions are satisfied:
Per Evidence Code section 1158, you may seek reimbursement from the individual who provided the written authorization for copying costs (10 cents per page for standard-size documents or actual costs for reproductions of oversized documents or X-ray film), clerical costs (maximum rate of $4 per quarter-hour), actual postal costs and retrieval costs. If a copying service is used, you may charge no more than $15 plus the cost of the service.
Sometimes law enforcement will request a patient’s information from a dental practice. Although it is prudent to insist upon a subpoena, HIPAA permits a dentist, without patient authorization, to release protected health information to law enforcement under the following circumstances:
Before providing the requested information, verify the identity and credentials of the individual receiving it.
The obligation of a licensed dental professional to disclose possible domestic abuse, violence, neglect, criminal activity and other legal violations involving patients to appropriate agencies is not hindered in any way by HIPAA or California law. Patient authorization is not necessary.
California law requires and HIPAA permits health care providers to release information upon a coroner’s request to help identify the deceased, locate next of kin or investigate deaths that may involve public health concerns, organ or tissue donation, child or elder abuse, suicide, poisoning, accident, sudden infant death, suspicious deaths, unknown deaths or criminal deaths. Authorization by the patient or a patient’s representative is not required.
If a minor patient is in the temporary custody of a social service agency or probation department or is a ward of the court, a dental practice may release to those entities PHI necessary for coordinating health care services and treatment for the patient.
Cases of communicable diseases, such as TB and measles, must be reported to a local public health agency. The report does not require patient authorization. Dental practices may provide, without patient authorization, patient information to local, state and federal health agencies for the purpose of preventing or controlling disease, public health investigations and public health surveillance. Dental practices also may report adverse events involving drugs or devices to the FDA MedWatch program.
A dentist may disclose minimum necessary PHI when he or she believes such disclosure will prevent a serious or imminent threat to a person or persons. Such disclosures may be made without patient authorization to an entity that can prevent or lessen the threat.
The IRS, in the course of conducting an audit or other official business, may require a dentist to provide access to protected health information. The IRS has a document, Notice CC-2004-034, “Effect of the Health Insurance Portability and Accountability Act of 1996 Privacy Regulations, 45 CFR parts 160 and 164, on the Service’s Information Gathering Activities.” If you receive a demand for protected information from the IRS, share this IRS notice with your attorney and CPA, who will help you determine the minimum necessary protected health information, if any, that can be provided to the agency.
Before allowing PHI to be used without patient authorization for research, a dental practice is obligated to ensure the researcher has provided it with certain assurances required by HIPAA. A dental practice also may use or disclose for research purposes and without patient authorization a limited data set of PHI. A limited data set does not include 16 specified identifiers.
PHI may be disclosed without patient authorization as authorized by workers’ compensation laws and Cal/OSHA.
A patient has the right to receive an accounting of disclosures of personal health information by health care providers who are HIPAA covered entities. It must be provided within 60 days of the request, although the patient may grant, upon request and given reason for delay, an extension of up to 30 days. No fee can be charged for the first disclosure accounting log in a 12-month period. If it is so stated in the dental office’s Notice of Privacy Practices, a reasonable fee can be charged for subsequent disclosure accounting logs requested for the same 12-month period. The subsequent disclosure accounting log can be provided after the fee is paid.
A disclosure accounting log should contain the following elements:
A patient’s right to an accounting may be suspended for one of two reasons – belief that the patient may be endangered (e.g., domestic violence situation) or upon request by law enforcement.
The HITECH Act expanded disclosure accounting rules to include HIPAA business associates. In addition, covered entities that maintain electronic health records (EHRs) are now required to provide an accounting of more types of disclosures than covered entities that do not use EHRs. However, the Department of Health and Human Services has not yet adopted regulations implementing this law so the specifics of the accounting log and the implementation date are unknown at this time.
Disclosure accounting logs, with names and titles of individuals in the dental practice responsible for receiving and processing requests for disclosure accountings, must be retained for six years. For sample forms and more information on accounting of disclosures, refer to The ADA Practical Guide to HIPAA Compliance: Privacy and Security Kit. Your office policies and procedures should describe how you would manage patient requests for accounting of disclosures.