Over the past month, I have frequently seen posts on social media about patients being denied access to their records and radiographs. This is a direct violation of HIPAA, and any dental practice policy that limits or creates a barrier to a patient’s access to their records could lead to a steep fine.
This article aims to clarify the patient’s rights and provide references for dental professionals who may need to address this issue in their practice.
1) Are patients required to sign a release form for records?
The HIPAA Privacy Rule does not require a covered entity to obtain patient consent to use protected health information (PHI) for the purposes of treatment, payment, or health care operations. Covered entities are defined as “health plans, health care clearinghouses, and health care providers who electronically transmit any health information.”1,2
Nonetheless, covered entities may require individuals to request access in writing or through other means, such as electronic requests for records or the entities’ own supplied forms, with the caveat that it cannot create a barrier to or an unreasonable delay in the individual’s ability to access their PHI.3
For example, the following requirements would be considered unreasonable barriers and cannot be imposed on an individual requesting access to their PHI:3
- An individual who wants a copy of their medical/dental records mailed to their home address should not be required to physically come to the doctor/dentist’s office to request access and provide proof of identity.
- Requiring the use of a web portal for requesting access, as not all individuals will have access to the portal.
- Requiring an individual to make a request via mail, as this would unreasonably delay the individual’s access.
Covered entities that request authorization are encouraged to offer multiple options for requesting access. The only requirement for entities is that they take reasonable steps to verify the individual’s identity. This can be done verbally or in writing and does not mandate any particular form of verification.3
2) Can offices charge the patient for their records?
Yes, but it must be a reasonable fee that is based on the cost to produce the PHI. The fee can only include the following:3
- Labor for copying the PHI requested.
- Supplies for creating the copy.
- Postage, if the requested PHI will be mailed.
- Preparation of an explanation or summary of the PHI if requested or necessary. This may be necessary to explain abbreviations and medical/dental terminology used in the requested records.
Nonetheless, entities are encouraged to provide individuals with their PHI free of charge.
3) Can offices withhold records due to an unpaid bill?
No. A covered entity cannot withhold PHI on the grounds that the individual has an unpaid bill. There are very limited circumstances for which an entity can deny an individual’s request for access to their PHI. For instance, denial of PHI access can be made due to the likelihood that it might endanger the life or physical safety of the individual or another person. For a comprehensive list of grounds for denial, refer to 45 CFR 164.524(a)(2)-(4).3,4
Unmet financial obligations are not an acceptable ground to deny an individual access to their PHI.3
4) Is there a timeframe in which offices must send records?
Yes. Entities have 30 calendar days to provide the requested PHI to the individual. The 30 calendar days is an outer limit, and entities are encouraged to respond and provide access to the individual’s PHI as soon as possible.3
Considering the popularity of electronically stored records, entities should be able to provide the individual with their PHI instantaneously in most scenarios. If the covered entity is unable to provide access within 30 calendar days due to the individual’s records being archived offsite, the entity may extend the time to no more than an additional 30 calendar days.3
However, in order to extend the timeframe, the entity must inform the individual within 30 calendar days in writing the reason for the need to extend the timeframe. This letter should also include a specific date the entity will provide the individual access to their PHI. Only one extension is permitted per request.3
5) What can be done if the office still refuses to release the records or radiographs?
My first course of action would be to contact the practice that is withholding the PHI and kindly advise them that they are violating the HIPAA Right of Access provision. Though all practices should know what is required under HIPAA, some unfortunately don’t. I would give the office the benefit of the doubt unless their response were delayed without a reason for not providing access to the PHI or sending the requested records. In this case, I would recommend the patient file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR).5
Anyone can file a complaint. The health care provider may assist the individual in filing a complaint, or the health care provider could file a complaint on the individual’s behalf.5
If an individual decides to file a complaint, the following are the requirements for the complaint:6
- Must be filed in writing by mail, fax, e-mail, or via the OCR Complaint Portal.
- Must name the covered entity or business associate involved and describe the acts or omissions you believed violated the requirements of the Privacy, Security, or Breach Notification Rules.
- Must be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if “good cause” can be shown.
OCR will investigate if it determines that rights may have been violated. If the investigation determines the entity violated the HIPAA Rules, the entity will be required to do any or all of the following:7
- Voluntarily comply with the HIPAA Rules
- Take corrective action
- Agree to a settlement
HIPAA violations are penalized according to a tiered penalty structure. The four tiers are:8
- Tier 1: A violation the covered entity was unaware of and could not have realistically avoided.
- Tier 2: A violation the covered entity should have been aware of but could not have avoided even with reasonable care.
- Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules in cases where an attempt has been made to correct the violation.
- Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation within 30 days.
Table: 2023 HIPAA penalty structure, adapted from The HIPAA Journal.8 Columns: Minimum Penalty per Violation (Adjusted); Max Penalty per Violation (Inflation Adjusted); Max Penalty per Year (Cap) (Inflation Adjusted). Rows run from Tier 1 (lack of knowledge) to Tier 4 (not corrected within 30 days); the dollar amounts are not reproduced here.
HIPAA is a complex law with many provisions and rules, making it difficult to understand and be aware of all the details. Nonetheless, it is an important aspect of a patient’s right to privacy as well as their right to access their PHI. For this reason, it is imperative that health care professionals understand their responsibility to ensure HIPAA compliance.
Unfortunately, many employees who work in a position that could easily violate HIPAA provisions are unaware of the rules, such as employees with no previous background in health care (non-clinical positions). The entity or business associate is responsible for ensuring these employees have the proper training, which is why annual HIPAA training is recommended.
Unfortunately, too often, HIPAA training courses are overly abbreviated, leaving the entity open to multiple HIPAA rule violations due to a lack of understanding or awareness. HIPAA violations can come with steep fines, which could easily be avoided. I encourage all dental employees ‒ both clinical and non-clinical ‒ to take a comprehensive HIPAA training course annually to avoid the risk of violating the HIPAA Rules.
1. Office for Civil Rights. (2022, December 28). What Is the Difference Between “Consent” and “Authorization” Under the HIPAA Privacy Rule? U.S. Department of Health and Human Services. https://www.hhs.gov/hipaa/for-professionals/faq/264/what-is-the-difference-between-consent-and-authorization/index.html
2. National Institutes of Health. (2007, February 2). To Whom Does the Privacy Rule Apply and Whom Will It Affect? U.S. Department of Health and Human Services. https://privacyruleandresearch.nih.gov/pr_06.asp
3. Health Information Privacy Division. (2022, October 20). Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524. U.S. Department of Health and Human Services. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
4. Office for Civil Rights. (2016, June 24). Under What Circumstances May a Covered Entity Deny an Individual’s Request for Access to the Individual’s PHI? U.S. Department of Health and Human Services. https://www.hhs.gov/hipaa/for-professionals/faq/2046/under-what-circumstances-may-a-covered-entity/index.html
5. Office for Civil Rights. (2020, March 31). Filing a Complaint. U.S. Department of Health and Human Services. https://www.hhs.gov/hipaa/filing-a-complaint/index.html
6. Office for Civil Rights. (2022, December 23). How to File a Health Information Privacy or Security Complaint. U.S. Department of Health and Human Services. https://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html
7. Office for Civil Rights. (2017, June 16). Filing a HIPAA Complaint: What to Expect. U.S. Department of Health and Human Services. https://www.hhs.gov/hipaa/filing-a-complaint/what-to-expect/index.html
8. The HIPAA Journal. (n.d.). What Are the Penalties for HIPAA Violations? https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/