Handle patient record requests the right way

When a patient requests copies of his or her dental records, there are steps every dental practice should take to ensure that the request is handled properly, even when someone other than the patient requests the records. CDA Practice Support's resource Access to Patient Records FAQ contains important information for practices to know about patient record requests and adhering to privacy regulations as outlined in HIPAA. 

"It's a resource that provides practices with valuable information that clarifies the circumstances for which dental practices can release patient records and how they should handle those requests," said CDA Practice Advisor Lee Bentz.

Information and images in patient records are the work product of a dental practice, but state law allows patients to have access to the information in the record once a written request is presented to the office. In addition, patients are not limited in the number of requests for access to, or copies of, the records.

Patient records include the following:

  • X-rays.
  • Photographs and models.
  • Any written document in the chart.
  • Billing records.

If patient records are maintained electronically, a patient may have, upon request, an electronic copy of the record. Practices can transmit copies of patient records via unencrypted email only if the patient consents to receiving the information in this manner after being informed of the risks of unsecure communications.

When it comes to charging patients for copies of their records, a practice may charge no more than 25 cents per page or 50 cents per page for microfilm. The dental office may also charge all reasonable costs, not exceeding actual costs, to provide patients with copies of their records, which includes the cost of copying X-rays and postage. Additionally, practices are not allowed to withhold access to records until an outstanding account is cleared.

Divorced or separated parents 

A parent generally has the right to access the health record of his or her minor child regardless of whether the parent has custody or financial responsibility. A dental practice may deny access to a parent if it determines that providing access may harm the patient. A parent does not have a right to access health records of an emancipated minor, who is under the age of 18, either married or divorced, on active duty or received a declaration of emancipation from the court.

It is important to note that a dental practice may not release information to a parent without the minor patient's consent regarding his or her drug or alcohol abuse, pregnancy, sexual assault, infectious and communicable disease status, HIV/AIDS status, sexually transmitted disease or mental health.

In addition, CDA Practice Support offers a sample letter that practices can send divorced parents to help clarify which parent has financial responsibility for the child's care. The resource, Divorced Parents Sample Letter, clarifies which parent(s) has the authority to offer consent for care and the financial responsibility regarding dental benefits.  

Releasing records to someone other than a patient

Besides record requests from patients themselves, practices should also know under what circumstances records can be released to other people, whether it's a spouse, friend or non-custodial parent.

"Written authorization is necessary, and it's important for practices to have an authorization form that meets state and HIPAA requirements," said Bentz.

Practices can release records to anyone the patient chooses as long as the dental office receives written authorization signed by the patient or patient's representative and if the dentist has determined that releasing the records will not cause harm to the patient. The authorization form should specify who is to receive the records and if the release of records or information is limited in any way. CDA Practice Support's sample authorization form, Consent Form for Use or Disclosure of Patient Health Information, meets state and HIPAA requirements and is available on cda.org/practice support.

Elements of a valid authorization form include but are not limited to:

  • Handwritten by the patient or is in a typeface no smaller than 14 point.
  • Description of the information.
  • Intended use or purpose of the information.
  • A statement that authorization may be revoked at any time.
  • An expiration date for the authorization.
  • Is not combined with any other form.
  • Does not combine multiple uses of the information into one authorization form, with few exceptions.
  • Does not place conditions on the authorization, with few exceptions.

Other instances of access to patient records

Access to Patient Records FAQ outlines other instances regarding requests for patient records, including those made by employers, associates, public health organizations, dental board, law enforcement and collection agencies. While circumstances vary regarding each entity requesting the information, it is important for practices to carefully follow regulations to minimize the risk of a HIPAA violation.

CDA Practice Support offers hundreds of dental benefit, employment, regulatory compliance and practice management resources to CDA members as a member benefit. For more information on these resources, visit cda.org/practicesupport.

Related Items

California’s data breach notification law will undergo amendments effective Jan. 1, 2016. Specifically, new state legislation, SB 570, requires changes to the format of a breach notification notice. CDA has compiled a summary of the changes dentists should be aware of.

An average dental practice data breach can cost a dentist anywhere from $100,000 to more than $1 million. According to the Office of Civil Rights, an average of 4,707 individuals are affected by a breach in a dental practice. To help dentists stay compliant, CDA has released a new, members-only, HIPAA Compliance CD Bundle. The bundle helps dentists design and implement a comprehensive compliance program using a step-by-step approach.

The use or disclosure of patient health information is dictated by both federal HIPAA law and California Confidentiality of Medical Information Act. State law is more restrictive than federal law, and it applies to all healthcare providers. State law allows the use or disclosure of patient health information with certain limitations and without patient authorization for specific purposes listed in the form's instructions. This form may be used to obtain consent to use patient’s information for any other purpose.

If legal guardians of existing minor patients of record have experienced a relationship change (divorce), customize this letter and send it to both parents of the minor patient. Responses to this letter will help you determine if you need to update the patient information and patient financial agreement forms.