I received a REALLY good question recently. I find this is something many dental offices struggle to answer correctly, so I thought I’d share the answer with you…

Hey Tink, We had a parent request “records” from our office. Our doctor wanted me to check with you about verbiage to use for our response.  We always offer to send films and the ledger, but we don’t send clinical notes.  Is this the standard?

Hey Rosalie, your practice’s response is typical. However, depending on what information the patient (or, in this case, parent) is requesting, it may or may not be a lawful response.

With limited exceptions, the HIPAA Privacy Rule provides patients with a legal, enforceable right to see and receive copies upon request of the information in their dental records.

The HIPAA Privacy Rule generally requires covered entities (including dentists) to provide patients, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the patient’s right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the patient’s choice.

Patients have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).

A “designated record set” is defined by HIPAA as a group of records maintained by or for a covered entity that comprises the:

• Dental records and billing records about patients maintained by or for a dental provider; or
• Other records that are used, in whole or in part, by or for the covered entity to make decisions about patients.

The term “record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.

Thus, patients have a right to a broad array of health information about themselves maintained by or for covered entities, including: dental records; billing and payment records; insurance information; clinical laboratory test results; diagnostic images (x-rays); and clinical notes; among other information used to make decisions about patients.

Information Excluded from the Right of Access

A patient does not have a right to access PHI that is not part of a designated record set because the information is not used to make decisions about patients. This may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about patients. For example, a dental practice’s peer review files or practitioner or provider performance evaluations may be generated from and include a patient’s PHI but might not be in the covered entity’s designated record set and subject to access by the patient.

In addition, two categories of information are expressly excluded from the right of access:
• Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record.
• Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

However, the underlying PHI from the patient’s dental or payment records or other records used to generate the above types of excluded records or information remains part of the designated record set and is subject to access by the patient.

On another note, where a patient requests an electronic copy of PHI that a covered entity maintains electronically, the covered entity must provide the patient with access to the information in the requested electronic form and format, if it is readily producible in that form and format. When the PHI is not readily producible in the electronic form and format requested, then the covered entity must provide access to an agreed upon alternative readable electronic format.

The covered entity also may provide the patient with a summary of the PHI requested, in lieu of providing access to the PHI, or may provide an explanation of the PHI to which access has been provided in addition to that PHI, so long as the patient in advance:
(1) chooses to receive the summary or explanation; and
(2) agrees to any fees that may be charged by the covered entity for the summary or explanation.

A covered entity also must provide access in the manner requested by the patient, which includes arranging with the patient for a convenient time and place to pick up a copy of the PHI or to inspect the PHI (if that is the manner of access requested by the patient), or to have a copy of the PHI mailed or e-mailed, or otherwise transferred or transmitted to the patient to the extent the copy would be readily producible in such a manner.

It is expected that all covered entities have the capability to transmit PHI by mail or e-mail (except in the limited case where e-mail cannot accommodate the file size of requested images), and transmitting PHI in such a manner does not present unacceptable security risks to the systems of covered entities, even though there may be security risks to the PHI while in transit (such as where a patient has requested to receive her PHI by, and accepted the risks associated with, unencrypted e-mail). Thus, a covered entity may not require that a patient travel to the covered entity’s physical location to pick up a copy of her PHI if the patient requests that the copy be mailed or e-mailed.

Rosalie, I would clarify with your patient’s parent what information they are seeking. I do not advocate providing more than requested. Be sure to document your response and the date the information was provided in the patient’s record.


Dental Compliance Specialists, LLC is the Premier Dental Health Compliance and Quality Assurance provider in the country. We help Dentists develop and maintain compliance programs with the goal of keeping them out of the regulatory limelight. We have in-office and virtual programs all catered to the Provider’s specific needs. Dental Healthcare Compliance includes: DEA, ICE/Homeland Security, OIG, OSHA, HIPAA, Infection Control, Auditing and Monitoring, Record Auditing, employee training, Radiology Compliance, Medicaid Compliance and more…It’s not just about OSHA anymore!
