Dental Practices Face Enforcement Actions for Violating Patient Right of Access under HIPAA
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced the resolution of three investigations into dental practices’ conduct, with each investigation concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule's patient right of access to their medical records:
- OCR received a complaint alleging that a dental practice failed to provide a former patient with timely access to her complete medical records. The former patient requested her entire medical records in May but received only portions. The former patient filed a complaint with OCR, and during OCR’s investigation, the practice provided her with the remainder of her records in October. This meant that the practice did not provide the patient with a complete copy of her records until more than five months after the request was made. OCR's investigation determined that the dental practice’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision. The practice agreed to pay a $30,000 fine and implement a corrective action plan.
- In another complaint, a dental and orthodontics provider with multiple locations allegedly would not provide an individual patient with copies of her medical records because she would not pay the provider’s $170 copying fee. The individual did not receive her records until over a year after she requested them, and only after OCR received the patient’s complaint. OCR's investigation determined that the provider’s failure to allow timely access to the requested medical records, and its practice of assessing copying fees that were not reasonable and cost-based, were potential violations of the HIPAA right of access provision. The provider agreed to pay an $80,000 fine and implement a corrective action plan.
- OCR received a complaint alleging that a dentist had failed to provide a mother with copies of her and her minor child’s protected health information. The mother submitted multiple record requests between April 11th and December 4th. However, the dentist did not send the records until December 31st, more than eight months after her initial request. OCR's investigation determined that the dentist’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision. The dentist agreed to pay a $25,000 fine and implement a corrective action plan.
With limited exceptions, the HIPAA Privacy Rule provides individuals (patients) with a legal, enforceable right to see and receive copies upon request of the information in their medical, dental and other health records maintained by their health care providers and health plans. This includes x-rays or other images in the record. Patients have a right to access this information for as long as it is maintained by a healthcare provider, regardless of the date the information was created or whether the information is maintained in paper or electronic systems.
The Privacy Rule states that a provider may not impose unreasonable measures that serve as barriers to, or unreasonably delay, the patient from obtaining access to their requested information. Additionally, a provider must give access to the information requested, in whole, or in part, no later than 30 calendar days from receiving the patient’s request. If a provider can’t fulfill the request within 30 calendar days, the provider must inform the patient in writing of the reasons for the delay and the date by which the provider will give the patient access to the requested information. This notification must be given within the initial 30 days. Only one extension is permitted per access request.
For more information, OCR’s guidance on patients’ right of access is available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.