HIPAA Right of Access Goes to the Dentist

By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure #HCdeJure

Covered entities as defined by HIPAA come in various types and shapes. It is not just a physician’s office or a hospital. Any entity that provides healthcare services and bills insurance (very gross oversimplification) can and likely does qualify as a covered entity. That is why digital health companies and dental practices are also covered entities. When a practice is a covered entity, then it must follow and live up to the requirements set out in the regulations implementing HIPAA. As an ongoing string of settlements from the Office of Civil Rights shows, one of the bigger areas of concern is giving individuals timely and appropriate access to their records.

New Settlements

On September 20, 2022, OCR issued three new settlement notifications, all involving dental practices. While dentists may have had to settle right of access issues before, the grouping of three in one industry appears designed to remind dentists in particular of obligations under HIPAA.

Recapping the settlements helps demonstrate the common theme of being timely with access responses, but also a few nuances of how it needs to work.

The dental practice batch of settlements included:

  • Family Dental Care, P.C. (FDC) – FDC received a request for records from an individual on May 8, 2020. When records were not produced, a complaint was filed with OCR on August 8, 2020. FDC finally provided the requested records on October 12, 2020. Left unsaid, the production of the records likely occurred after some nudging from OCR.
  • Great Expressions Dental Centers of Georgia, P.C. (GEDC-GA) – An individual submitted a request for records at some point in November 2019. On November 25, 2019, GEDC-GA responded to the individual that the records would be provided, but only if a $170 copying fee was paid first. The individual eventually filed a complaint with OCR on November 4, 2020. It still took a few months until February 2, 2021 for GEDC-GA to provide the individual with the requested records.
  • Steven L. Hardy, D.D.S., Ltd. d/b/a Paradise Family Dental – On April 11, 2020, an individual emailed Paradise Family Dental to receive a copy of the individual’s records and the records of the individual’s minor child. Paradise Family Dental responded on April 14, 2020 with a request to confirm the individual’s email address before the records would be sent. The individual confirmed the email address on May 4, 2020. Nothing happened even after several follow-up requests from the individual, until Paradise Family Dental then asked for a written request with a handwritten signature. The individual complied with the new request on December 4, 2020 and the records were provided on December 31, 2020.

Each of the listed examples included payment of a monetary amount to resolve the allegations with the normal non-admission of any wrongdoing.

Breaking Down the Settlements

The first point from the settlements is that when a request for access is made, the HIPAA Privacy Rule has some clearly stated requirements as to when a response must be sent back. The baseline is that a covered entity has 30 days to respond, ostensibly with the requested records or a reason why the request would not be granted. A covered entity may notify the requesting individual that it needs a 30-day extension to meet the request. The extension must be communicated to the individual and is not available as a matter of course, only if the records cannot be provided in the 30 days.

None of the settlements indicated that an extension was needed by any of the impacted organizations. The delays were a matter of not meeting stated requirements in the Privacy Rule.

The second point of consideration relates to what fees can be charged for a record request. As stated in the Privacy Rule, a reasonable, cost-based fee can be charged. The fee is not a predetermined amount or determined without some informed basis. Further, the fee can only take certain components into consideration. The components are labor for copying, supplies for creating the copy, and postage if needed. In the settled case that touched on fees, OCR did not give any hint that the fee considered those elements. It is also hard to think about how creating a copy would justify a $170 copying fee. If a fee is going to be charged, then set a clear policy around how the fee will be determined and calculated. Even though a fee can be charged, a different question is whether one should even be charged. Wouldn’t it be good patient relations to just provide the copy without charge?

The third point is what requirements can be imposed as to the nature of the request. For example, can a physical hard copy request with a signature be required? The Privacy Rule states that a covered entity can require the request to be in writing, but individuals must be informed of that requirement. That is the only statement in the Privacy Rule. The rule does not speak to requiring a signature or even identifying it as an option. That compares to other areas of the Privacy Rule where the option to require a signed request is called out as being available. Given the absence of that statement in the Privacy Rule, if a covered entity imposes that requirement it could be viewed as an unnecessary barrier to making a valid request for access. Given those considerations, before a covered entity establishes a policy or imposes a requirement, familiarity with the options and obligations under the applicable portions of the regulations is necessary.

Where to Go with Access

The ongoing settlements involving the right of access are an important means of keeping the spotlight on an area of unnecessary non-compliance with HIPAA. The right of access has been around since the beginning of HIPAA and not meeting the requirements is pretty much unacceptable at this point. From that perspective, it is long past time to improve practices. At the same time, each settlement is a reminder to re-review the regulations and implementing policies, then take advantage of the opportunity to make improvements.

The important point to remember is that a request for access to records is a chance to deepen the relationship between a patient and the care team. Don’t view it as a burden or task to be ignored. Everything is a chance for good.

This article was originally published on The Pulse blog and is republished here with permission.