Recently, The Dental Board of California revealed that a number of dentists in the state are failing to provide patients with copies of their dental records in a timely manner. These dental records include x-ray images, photographs, test results, models, treatment information, and dentist’s notes. Those who fail to provide patient records in a timely fashion could be found in violation of state laws and the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule. According to the U.S. Department of Health & Human Services, “[the] major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being.”

So, what is the information protected under the Privacy Rule?

The U.S. Department of Health and Human Services lists the following as the information protected by the Privacy Rule:

  • PHI
    • Individual’s past, present or future physical or mental health or condition,
    • the provision of health care to the individual, or
    • the past, present, or future payment for the provision of health care to the individual,
  • De-Identified Health Information
    • Information that’s been made anonymous by removing certain individual identifiers

The Privacy Rule aims to protect all individual’s health information from being disclosed without their consent and also aims to ensure that the individuals are able to obtain their personal health information so that they can receive the best heath care available to them. This rule also has a specific section for professionals that addresses the issue that California dentists are now facing, “HIPAA Privacy Rule also requires dentists and other HIPAA-covered entities to provide a copy of records in the format requested by the patient, provided that the request is reasonable, and the practice has the capability to provide records in the requested format.” Along with the federal Privacy Rule, each state also has some of their own regulations. So, the dentists in question not only violated a federal law, but a state one as well.

According to California State laws, the dentists and other covered entities broke law BPC §1684.1. According to this law, the dentist or covered entity has up to 15 days after a request is submitted to provide the patient with their personal records. According to federal HIPAA laws, they broke 45 CFR § 164.524. Federal HIPAA laws state that the dentist or covered entity has 30 days from the date that the request is submitted to provide the patient with their personal records. Failure to provide copies of dental records before the 15-day deadline, in accordance with the state law, is one of the five most commonly cited violations of state laws. Failure to provide these records can also lead to other consequences.

Anyone who is not in accordance with HIPAA laws and regulations can be issued a citation or given a violation. Citations may be used when patient harm is not found, but the quality of care provided to the consumer is substandard, while a violation is received when the patient is harmed due to the actions of the health care provider. In the case of failing to provide dental records in a timely manner, violators received citations. California Legislative Information lay out the reasoning behind the citations and how one could receive them. Citations for reasons such as this have increased by 36 percent in each of the past 4 years according to Sunset Review Oversight Hearings and the California Senate.

These citations also result in fines for the health care facility that failed to follow the Privacy Rule. The state fines begin at $500 per day past the 15-day deadline and can reach a total of $5000 per record. If facilities fail to provide the records to many patients, the financial penalties can be significant. In 2011, Cignet Health of Prince George’s County received one of the first financial penalties for failing to provide medical records. Cignet Health of Prince George’s County had to pay the OCR a $4,300,000 civil monetary penalty in 2011 to resolve the HIPAA violation, said the Washington Post.

To learn more about what you need to do to protect patient health information, join HIPAAgps today.