In this inaugural edition of Compliance Corner, Practice Mechanic Rick Garofolo dives into HIPAA compliance rules and proper protocol for sending patient records.

I sat down today with the intention of writing a beautiful and articulate piece on patient communications and HIPAA consent with lots of information.

In the time that my Word program was opening, I got tagged in three posts on Facebook office manager groups. All three asked about patient records. I then bore witness to over 100 office managers from across the country providing what may be the worst, and most illegal, advice that I have heard on the topic.

To be clear: I don’t blame any of the people offering advice.

I blame the federal government for having so many rules.

I blame state governments for writing rules that contradict the federal ones, thus causing mass amounts of confusion.

And I blame the people who think things like compliance are so unimportant that not one minute of CE should be spent on it.

Suffice to say, these posts changed my mood and, indirectly, the topic that I felt compelled to write about this evening.

Three Compliance Questions That Keep Popping Up

So, let’s talk about patient records. Here are the posted questions that brought us to this topic:

  1. “Why do patient’s [sic] think it is OK to not pay for x-rays and then request that they be sent to another office? There is no way I am sending those x-rays until the patient pays for them. Crazy patients!”
  2. “A patient called the office today and requested her records via email. I sent them to her and she called back and said she wanted more than x-rays. She wants the doctor’s chart notes and copies of all the treatment plans we presented to her since she has been a patient. What am I obligated to send? The chart notes belong to the doctor, not to the patient and so do the treatment plans, right?”
  3. “I saw that HIPAA has a new rule limiting what we can charge a patient for records to $6.50 per patient. Our state says we can charge $1 per page plus a $20 search fee. Which one do I follow?”

So, let’s tackle these in order.

HIPAA Compliance Question No. 1

The responses to No. 1 ranged from “Do not send the x-rays” to “Tell her the records were accidentally deleted from your database and can’t be located.”

Then there were the 50 others telling her not to send the x-rays until the patient pays for them.

This is disheartening.

As a professional, I expect more from others. Part of that is knowing the rules that we have to operate within.

HIPAA requires that you release the records, whether paid for or not.

You can certainly turn them over to collections, and I certainly would, but you cannot hold the records because of payment. You can charge a records fee, but that will have to be in accordance with the answer to question No. 3. But again, you cannot hold the records until that fee is paid either.

Release the requested records, send them off, and be glad to be done with that patient. Let the collection agency worry about it.

Believe me, when they need to get a car loan or buy a house, that little ding on their credit report will have them running back to pay it and have it removed from their credit report.

grow your dental practice ad

HIPAA Compliance Question No. 2

Question No. 2 also boggled my mind.

Why do dental professionals believe that the x-rays make up a patient’s complete medical record?

If you asked for your records to be transferred from your primary care physician (PCP) to another, and all they sent was a copy of an x-ray from two years ago, would you be okay with that? And would the new PCP be able to do anything with those?

They don’t help. They don’t tell the story of you. And they don’t tell the new PCP anything about you other than you had a sprained pinky two years ago.

What about blood pressure history? How about lab records? Or prescriptions that you have received?

These are all things we would consider important to know. However, some dental professionals believe that a set of bitewings from 2015 will help the new doc.

Or, even worse, won’t help the new doc. Because why on earth would we want to help a fellow dental provider?

The patient’s complete records include any recorded information, presented information, and anything that is used in the decision-making process for your patients.

These things include all perio charts, chart notes (yes, these have to be released), x-rays, financial records (even including EOBs used to enter payments on patients’ ledgers), the ledgers, and all treatment presented — whether accepted or not.

Think of a complete record and you’ll be fine.

Now, bear in mind that you only have to send what is requested. So if another office only requests x-rays, then just send the x-rays. However, if they request complete records, then you must send complete records.

online visibility guide ad OVG

HIPAA Compliance Question No. 3

Last, but certainly not least, let’s address the fee you can charge for records.

HIPAA introduced a new rule requiring that offices can charge the actual cost of copying and mailing. This uses a breakdown of to-the-minute time spent on the actual copying of the records, supplies (paper, USB memory sticks, etc.), and actual cost of postage.

If you do not want to do these calculations, you are now obligated to charge the patient a flat rate of $6.50 per patient.

Keep in mind, this is not per item, per page, or anything else.

Flat rate means flat rate.

The expectation is with electronic records. As their use continues to grow, the fee for time spent (your payroll) will diminish.

It should take less than five minutes to prepare and email a patient’s record. And, honestly, at five minutes, it just doesn’t make sense to charge.

HIPAA states on their website that this rule overrides any and all state laws on what can be charged for records. So, please, don’t think that your state gave you an out by saying you can charge $1 per page.

You cannot.

With that said, I never charge any patient a records fee. We should make it easy to come back if the patient isn’t happy with their new office.

Do you think they’ll come back if you hit them with a fee for sending their records? I wouldn’t.

I hope that you have learned something from this post, and I look forward to sharing my experiences and compliance rules with you each month.

Please be sure to visit often and be sure to watch out for our Compliance Corner post each month. Next month, I promise you the beautiful and articulate post that I intended on writing tonight.


Learn more about how RevenueWell improves case acceptance and creates more close-knit relationships between dentists and their patients.

By Rick Garofolo
Working as a practice management and OSHA/HIPAA compliance consultant for dentists, Rick develops site specific plans and business systems for dental offices around the country, including state specific plans. As the President and CEO of The Practice Mechanic, Rick has contributed to the business of dentistry through proper accounting techniques, recall and follow up system creation, proper treatment plan presentation, and more than 20 other systems.