Patient's Right to Access Their Records – HIPAA and State Law
One of the fundamental rights under the HIPAA Privacy Regulations (see 45 CFR 164.524) is the patient’s ability to view and copy their records (the corresponding state law is discussed below). Since 2019, the Office of Civil Rights has promised to “vigorously enforce” that right under the HIPAA Right of Access Initiative, and has done so with numerous enforcement actions and sanctions. The first dental practice subject to enforcement was announced in December.
Section 524 generally requires prompt access – inspect and obtain a copy - by the patient or the patient’s personal representative to the patient’s protected health information. Only under specific, limited circumstances, can the provider deny access. The provider must act on a request for access no later than 30 days after its receipt of the request, and is limited to charging only a reasonable, cost-based fee for the copy of the PHI, which is probably less than allowed by state law.
In March, 2022, the OCR announced its first sanction of a dentist relating to this issue.
Dr. Donald Brockley, D.D.M., a solo dental practitioner in Butler, Pennsylvania, failed to provide a patient with a copy of their medical record. After being issued a Notice of Proposed Determination, Dr. Donald Brockley, D.D.M requested a hearing before an Administrative Law Judge. The litigation was resolved before the court made a determination by a settlement agreement in which Dr. Donald Brockley, D.D.M agreed to pay $30,000 and take corrective actions to comply with the HIPAA Privacy Rule's right of access standard.
Of course, not all dentists are covered by the HIPAA privacy rules – only those that bill and collect electronically. If a dental practice is covered, it must have written policies and procedures, one of which addresses this issue.
If HIPAA doesn’t apply to a dental practice (i.e., it doesn’t bill and collect electronically), it is still covered by R.S. 40:1165.1, which provides that “a patient or his legal representative … shall have a right to obtain a copy of the entirety of the records in the form in which they exist, except microfilm, upon furnishing a signed authorization.” This statute specifies compliance timelines, copying charges in the absence of HIPAA, penalties, and more. While there’s no explicit requirement for a written policy, having one helps to ensure that the practice’s employees have clear guidelines that will typically prevent inadvertent violations.
Both HIPAA and state law have many details and nuances, but a little proactive effort, combined with clarification and advice when situations arise, should prevent most issues.