Releasing Dental Records

Guidelines for Practice Success | Managing Professional Risks | Patient Records, Charting, and Documentation Protocols

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) gives patients the right to request that dental practices covered by the regulation send copies of their records to another person designated by the patient.

The patient’s request must be in writing, signed by the patient, and clearly identify the designated person and where to send the copied records.

Dental practices covered by HIPAA must comply with that regulation and with any applicable state law that is not contrary to HIPAA. You must also comply with any state laws that are more stringent than HIPAA.

Dental practices are considered covered entities if they transmit electronic “covered transactions,” such as electronic claims, to dental plans. It’s also possible to become a covered entity by contracting with an outside service, such as a clearinghouse, to submit electronic covered transactions on behalf of the dental practice. More information on covered entities is available in the ADA Guidelines for Practice Success™ (GPS™) module on Managing the Regulatory Environment section on the Office for Civil Rights. See the ADA Tip Sheet on Certain Provisions of the HIPAA Privacy Rule articles for more information.

It’s a good idea to have patients sign a consent form giving you permission to release their records to another healthcare provider and to keep that document as part of the patient’s dental record. The ADA Guidelines for Practice Success™ (GPS™) module on Managing the Regulatory Environment includes a copy of the ADA Sample Request for Access, courtesy of the ADA Complete HIPAA Compliance Kit.

While HIPAA does not require the use of a consent form to send records to another healthcare provider, some states may have laws requiring consent before releasing patient information in certain situations. The consent form can be a very brief document that details the records being provided and that specifies the practitioner to whom the records are being delivered. It should also have space to be signed and dated by the patient.

It’s a good rule of thumb to check with a qualified attorney about what is required in your state. Your state dental society may also be able to provide information about state law requirements. Your professional liability insurance company may consider such a release a component of good record keeping.

State law generally determines who has the right to grant permission to release medical record information on behalf of a patient. That authority is generally granted to:

  • The patient, providing he or she is a competent adult or emancipated minor
  • A personal representative or the patient, such as a legal guardian or parent if the patient is incompetent or a minor child. When determining who can be considered the patient’s “personal representative,” HIPAA defers to state law.
  • The administrator or executor of the patient's estate if the patient is deceased.

Dental practices not covered by HIPAA must comply with applicable state law, which may specify the circumstances under which another individual may act on behalf of the patient. The extent of the patient's right to access can vary from state to state. Some states may allow the dentist to determine the patient's right of access. Others may expressly grant patients access to the information contained in their dental records.

Special legal protection may apply to records that contain information about infection status (e.g., HIV), or other sensitive issues, such as a mental health diagnosis or substance abuse. For example, state law may prohibit the disclosure of HIV status test results to a third party without a specific written authorization by the patient or the patient’s representative. Any information regarding sensitive health issues should be handled with caution and special regard for the patient’s privacy. Even if any required authorization and consent is received, dentists and other healthcare professionals may be legally precluded from releasing HIV/AIDS records without specific reference to that information in the release.