Navigating HIPAA: Avoiding the Landmine of Record Requests

Summer 2019 - Dental Insights

By Wasif A Khan, Esq., HeplerBroom, LLC

At times, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) can be one of the most annoying (yes, that is a legal term) regulations to deal with from a compliance perspective—there are specific definitions, time periods, rules, authorizations, verifications and a myriad of other things to keep in mind. 

As attorneys, we run across HIPAA issues ranging from the simple (oops, my office does not have individual login credentials for each staff member) to the more complicated (we lost a laptop with patient information on it…and we don’t know where we lost it). As a practitioner, the majority of your encounters with HIPAA will generally involve your patient, whether it be having them sign a HIPAA acknowledgement form, fill out an authorization, or make a simple records request.

Patient’s Right to Request Records

General Right to Access

Generally,[1] a patient or their authorized representative has the right to access their protected health information (PHI) in their designated record set[2] (defined generally as a group of records maintained by or for a covered entity that are medical and billing records about individuals or are used by the covered entity to make healthcare decisions), including the right to inspect the records and obtain copies of the medical/dental record.

As a provider, you also have the right to negotiate what exactly is being disclosed per the request; if it is easier for you to provide a summary of the patient’s file or encounter notes rather than the entire chart, you can try to get the patient to agree. Practically speaking, it may be easier for you to disclose the entire PHI. In many instances, patients will verbally request access to or copies of their PHI, or request access or copies while they have an outstanding balance for your professional services. In such instances, always make sure patients complete written requests for access, and never condition the release of records on the payment of outstanding balances.


Once a patient request has been received, a provider is expected to provide access to such PHI within 30 days of the request. If you can’t provide access within the 30-day period—for example, your records are stored/archived offsite and not readily accessible—you can extend the time to respond by informing the patient in writing within the 30-day period.[3] This will get you a one-time, 30-day extension.

Keep in mind, however, that any time spent negotiating with the patient on what you want to disclose, or how it will be disclosed, eats away at the 30-day period. Accordingly, use your time judiciously without getting bogged down by the desire to over-negotiate or to challenge reasonable requests. Remember—they are your patients, and you will likely see them again.

Copying Charges

HIPAA allows you to charge patients for access to a copy of their PHI. These charges are limited only to certain labor, supplies and postage.[4] Alternatively, for electronic copies of PHI, you can charge a flat fee of $6.50 if you don’t want to spend the time calculating the actual costs and expenses incurred. Please keep in mind that “labor charges” do not include time spent compiling the record (searching, retrieving or otherwise preparing the information for copying)—you are expected to have and maintain the records, and patients should not be penalized for your lack of organization.

State laws also place restrictions on what you can charge patients for copies of their health records[5]. Please make sure that you are complying with the law that is most restrictive on you. For example, if your state says you have to give a patient at least one (1) copy of their health record free per year, then you cannot charge your patients for a copy of their medical record provided under HIPAA if this is their first copy of their record.

Lastly, keep in mind that the Office of Civil Rights (the agency enforcing HIPAA), as a policy position, strongly suggests that patients be provided access to their PHI without charges, and the OCR has no problem stepping in if they believe charges and fees are being used in a manner to chill or minimize patients’ right to access.

Review of Records

It is a good practice to have doctors review the patient file to ensure all records are there and that the records are accurate. A doctor review of records prior to their disclosure/release allows the practice to clarify (by way of a separately dated note or comment) any misinformation or errors discovered in the records. Never, I repeat NEVER, alter or modify existing charts; you may have disclosed the records previously (and now there may be two versions of an altered chart) or such modifications may be recorded in the metadata of your EMR system (such information can be, and often is, a part of discovery in a lawsuit).

HIPAA in Action

There is no better way to understand HIPAA than to “see it in action.” The following example shows how/why patient requests can be frustrating and also expose a practitioner to unwanted liability and expenses:

A medical practice specializing in pain management contacted my office because it received an audit request from the Office of Civil Rights pertaining to a patient. They mentioned that their office had received a records request from a difficult patient and the patient “ratted” (their word choice, not mine) to the OCR because the practice did not send the information over right away. I thought, not a big deal; usually the OCR sends a reminder letter to comply with the rules and asks for a response confirming the information was sent to the patient. I asked the practice to send me the letter they received.

Two days later, I got an email with the OCR correspondence attached—it was not a letter, but a formal request for a response (i.e., an audit request). The audit response request was approximately 30 questions long and asked for, amongst other things, (i) copies of the practice’s HIPAA policy and manual, (ii) all records requests it had received in the last year, and (iii) the responses provided pursuant to those records requests. The audit request also had a response deadline less than two days away! After a short call with the client to discuss the severity of what they had sent me, the anticipated costs, and the potential consequences, I spent the next day and a half drafting a HIPAA manual, providing an emergency training session to the client’s staff, and producing the response to the audit.

You may be wondering what prompted this. It turns out the patient had left the practice and really was not that difficult. The patient had actually been asking for his records for well over 6 months—the office did not respond to the patient’s first two requests, and they didn’t jump to action when the OCR sent them a reminder.

By not responding to a simple request on time, the practice incurred unnecessary legal costs and expenses, not only for the audit response but also for bringing its HIPAA documents up to par so that we could use them in the audit response.

HIPAA Policies and Procedures

It is mandatory (and in your best interest) to maintain up-to-date HIPAA policies and procedures, to conduct annual trainings for staff, and to conduct annual risk assessments (a self-assessment of HIPAA compliance, deficiencies and areas of improvement). At a minimum, maintaining updated policies and conducting annual trainings and risk assessments shows an active commitment to compliance—this will go a long way in mitigating the consequences of any potential violations.

The American Dental Association (ADA) and other dental supply houses and consultants provide HIPAA compliance guides or manuals. They can function as a good starting point for HIPAA compliance efforts. However, keep in mind that standardized forms that do not reflect the practices at your office can be a detriment if they set benchmarks or standards that cannot be met. HIPAA is meant to be flexible and reasonable, and what is reasonable for a large dental practice may not be reasonable for a small one.

Although HIPAA compliance is mundane and can be extremely boring, you have to think of what it can save you from rather than what it adds to your practice. In many respects, it’s akin to an athlete who develops muscle memory—the more you do it, the better you will be at it. For standard HIPAA matters such as records requests, continually work with your staff to develop a routine or process for handling them in a timely manner that is compliant with HIPAA but also practical for your office environment.

[1] A covered entity may decline to produce records if, e.g., the requested records: (1) are not part of the patient’s “designated record set”; (2) are psychotherapy notes as defined by HIPAA; (3) were compiled in reasonable anticipation of litigation; (4) were obtained from a third party under the promise of confidentiality and disclosure would reveal the source of the information; or (5) disclosure would result in substantial harm to the patient or others. (See 45 CFR § 164.524(a)).

[2] 45 CFR § 164.524(a).

[3] See OCR FAQ, available at

[4] Id. (Labor charges are limited only to the tasks requested by the patient; supply charges are limited only to the supplies used in responding to the patient’s request; and postage applies only if the patient requests that such items be mailed.)

[5] State laws vary drastically on this. Please confirm acceptable charges specifically for the state where you practice.

Wasif A. Khan, Esq., is a healthcare and corporate attorney at HeplerBroom, LLC, who focuses his practice on the corporate and regulatory needs of healthcare professionals, medical and dental practices, healthcare entities, small to midsize businesses and nonprofit organizations. In addition to handling routine business contracts and agreements, practice sales and acquisitions, and routine employment issues, he provides regulatory guidance on HIPAA, the Stark Law, the Anti-Kickback Statute, and other state and federal healthcare regulations.