California Dentists at Risk of Financial Penalties for Slow Release of Copies of Dental Records

A recent report from the Dental Board of California has revealed dentists in the state are failing to provide patients with copies of their dental records in a timely manner, in violation of state laws and the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule.

Under state law (BPC §1684.1), dental practices are required to provide patients with a copy of their dental records within 15 days of a request being submitted. HIPAA (45 CFR § 164.524) requires covered dental offices to provide patients with a copy of their dental records within 30 days of the request being submitted. The HIPAA Privacy Rule also requires dentists and other HIPAA-covered entities to provide a copy of records in the format requested by the patient, provided that the request is reasonable, and the practice has the capability to provide records in the requested format.

The Dental Board has the authority to cite and fine practices that are found to have violated state laws and its 2018 Sunset Review Report for the California Legislature says citations have increased by 36% in each of the past 4 fiscal years. The failure to provide copies of dental records before the 15-day deadline is one of the five most commonly cited violations of state laws.

The Dental Board explained that “Citations may be used when patient harm is not found, but the quality of care provided to the consumer is substandard.” The Board can issue fines of up to $500 per day to a maximum of $5,000 for failing to provide copies of dental records to patients within the 15-day deadline.

Dental records can include x-ray images, photographs, test results, models, treatment information, and dentist’s notes, which should all be provided to patients on request. In addition to Dental Board fines, untimely responses to patient requests and the failure to provide copies of health information could result in a financial penalty for noncompliance with HIPAA.

While it would be unusual for state attorneys general to issue financial penalties for this aspect of noncompliance with HIPAA, one of the first financial penalties issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) for noncompliance with HIPAA was for a failure to provide patients with copies of their health records. Cignet Health of Prince George’s County had to pay OCR a $4,300,000 civil monetary penalty in 2011 to resolve the HIPAA violation.

Further, OCR explained at HIMSS19 that one of the aspects of HIPAA noncompliance that will be subject to enforcement actions in 2019 is violations of the HIPAA Privacy Rule’s right of access requirement.

Any dental office found to be routinely denying patients access to their health data or willfully failing to adhere to the 30-day deadline could be issued with a sizable financial penalty for noncompliance.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.