Copying and/or Transferring Records

It's imperative that you have the required permissions to release any or all of a patient’s dental record before duplicating and transferring records. This is critical to ensuring the confidentiality of the protected health information (PHI) that the document contains.

Situations under which you might be asked to provide copies of the patient record include:

  • Referring a patient for treatment by another healthcare provider
  • The patient has requested the information
  • Being mandated by the state dental board or a court of law
  • Aiding in a forensic identification
  • Dental insurance audit

According to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), permission to release the information can be obtained by having the patient sign an authorization form and adhering to the “minimum necessary standard”. Be aware that some states have more stringent requirements regarding the release of PHI.

You and your staff should be aware of applicable laws, such as HIPAA and state laws, that govern this issue. If the patient requests a copy of his or her dental record, the dentist is obligated to provide it within the time frame specified under applicable state and federal law. Section 1.B. of the ADA Principles of Ethics and Code of Professional Conduct also obligates a dentist to honor a patient’s request for dental records.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) permits covered dental practices to charge a reasonable, cost-based fee for copying records. The fee must be limited to the cost of:

  • labor for copying the requested information (whether in paper or electronic form)
  • supplies for creating the paper copy or electronic media, if the patient requests an electronic copy on portable media
  • postage, if the patient requested that the copy be mailed

HIPAA regulations, and possibly even laws in your state, require you to provide patients with copies of their records even if the patient’s financial account is unpaid or past due.

Because patients have the right to access their complete records, be careful about what’s said in the progress notes. Avoid irreverent or subjective comments.

Many practices make it the norm to keep clinical and financial records separate; generally speaking, clinical records should never contain financial information. Include details on financial information only if they have an effect on decisions made regarding care; be cognizant of what you’re saying and how you’re saying it.

Check with your attorney before releasing or sharing payment information with a patient’s new dentist to be sure doing so is appropriate. It’s possible that payment records may be provided to the patient upon referral as well.

HIPAA also gives patients the right to obtain copies of their complete dental records including radiographs and photographs from a covered dental practice, and state law may give patients this right as well.

Dental practices are considered covered entities if they transmit electronic “covered transactions,” such as electronic claims, to dental plans. It’s also possible to become a covered entity by contracting with an outside service, such as a clearinghouse, to submit electronic covered transactions on behalf of the dental practice.

Be aware that state law may specify a lower limit on what can be charged for copies of the record. HIPAA does not supersede state laws that require dental practices to provide copies of a patient’s records at a lower fee than HIPAA would permit. On the other hand, HIPAA supersedes state law for electronic transfer of records if state law provides a higher fee than HIPAA.

It’s recommended that practices transferring records electronically minimize the risk of a data breach by properly encrypting electronic communications before transmitting. Be aware that a HIPAA-covered dental practice may be required to email unencrypted patient information if the patient has requested that the information be sent via unencrypted email and the practice has warned the patient of the potential risks associated with transferring this electronic information without the preferred safety measures.