The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) says it’s sending an important message to dentists with its latest enforcement actions. This time, it’s not about patient privacy breaches or security, but relates to an often unknown and widely misunderstood guideline about a patient’s right of access.
On this page, we’ll break down what happened with the latest right of access enforcement actions and how to comply with the rule, so your practice can avoid getting hit with a similar penalty.
Latest Right of Access Enforcement Actions
The latest three right of access enforcement actions targeted dentists, bringing the OCR’s total count to 41 cases for this initiative. The three cases include:
- An Illinois dental practice was fined $30,000 for only providing a patient with portions of her record rather than the entire record.
- A Georgia dental practice was fined $80,000 for attempting to charge a patient a $170 fee for a copy of her records and making her wait more than a year for her records.
- A Nevada dental practice was fined $25,000 for failing to provide a mother with a copy of her and her child’s protected health information (PHI), despite multiple requests over an eight-month period.
“These three right of access actions send an important message to dental practices of all sizes that are covered by the HIPAA Rules to ensure they are following the law,” said OCR Director Melanie Fontes Rainer in a recent press release. “Patients have a fundamental right under HIPAA to receive their requested medical records, in most cases, within 30 days. I hope that these actions send the message of compliance so that patients do not have to file a complaint with OCR to have their medical records requests fulfilled.”
What is the HIPAA Right of Access Rule?
Simply put, the right of access rule means patients have a right to their records and PHI, which OCR refers to as a “designated record set.”
What’s Included in a Designated Record Set for Dentists?
A designated record set includes:
- Dental records
- Clinical notes
- X-rays, photos, and any other imaging
- Test results
- Billing records
- Payment and claims records
- Case management records
- Any other records used, in whole or in part, to make decisions about the individual
That said, you don’t have to give a patient everything on the list every time. “A covered entity is only required to provide access to the PHI to which the individual requests access,” the OCR notes. For this reason, it may be helpful to create a form for your practice that lists out the options and includes the different types of records as well as an option to receive a complete record set.
What Do Dental Professionals Need to Know About Right of Access?
You should read 45 CFR § 164.524 and direct any questions you have to a HIPAA compliance professional or attorney. A brief summary is provided below.
- Patients have a right to any records used to make decisions about them.
- Patients may request a designated record set in whole or in part.
- You must supply the records to the patient within 30 days, though the OCR encourages practices to complete the request as soon as possible.
- You must supply records in the patient’s preferred format, be it paper or digital. Even if you operate a paper practice and the patient wants a digital copy, you’re still expected to digitize the records and send them to the patient.
- You can require patients to complete a written request and/or verify their identity.
- You can charge a fee, but it can only include the cost of labor, supplies, postage, and preparation of a summary. If you maintain your records electronically and are sending the records electronically, you may opt to charge a flat fee rather than calculating an exact amount, though the OCR caps the amount at $6.50 in these cases.
- You can’t place unnecessary barriers, such as forcing the person to come into the office to show ID or to pick up paper copies, or requiring that they use a patient portal to get their records, as some may not have internet access.
- You can email records if the patient requests it and acknowledges that there may be risks involved in transmission. The OCR’s exact statement on this is:
“It is expected that all covered entities have the capability to transmit PHI by mail or e-mail (except in the limited case where e-mail cannot accommodate the file size of requested images), and transmitting PHI in such a manner does not present unacceptable security risks to the systems of covered entities, even though there may be security risks to the PHI while in transit (such as where an individual has requested to receive her PHI by, and accepted the risks associated with, unencrypted e-mail).”
Get Help Complying with the Right of Access Rule
This article was reviewed for accuracy by dental HIPAA compliance specialist John Zanazzi. If you’d like help shoring up your HIPAA compliance, request a complimentary consultation from him at DentalHIPAAIT.com.
If you need help extracting records from Practice-Web or would like help creating a HIPAA-compliant records request form in the software, please connect with Practice-Web support. Assistance is free for those with paid Support. Need to renew? Click here.
Not using Practice-Web yet and want more information? Request a free demo here.