How to Handle a Patient Records Request at a Dental Practice (2026)
By Dolev Arama · Updated June 2026
The HIPAA right of access is a patient's legal right to see and get a copy of their own health information, including their dental records, from the practice that holds it.
When a patient asks for their records, you generally have 30 calendar days to provide them, plus one 30-day extension if you send written notice first. You can charge a reasonable, cost-based fee for copies, but not when a bill is unpaid, and not for records sent through a patient portal.
Get the timing or the fee wrong, and it is the kind of mistake the government has been fining dental practices for. In October 2024, the HHS Office for Civil Rights fined a solo Maryland dental practice, Gums Dental Care, $70,000. The reason was not a data breach. A patient had asked, by email, for copies of her and her children's dental records. The practice replied the same day but never sent the records, and kept refusing for almost three years. When the dentist contested the penalty all the way to a federal appeals board, the board sided with the government. It was the 50th time OCR had imposed a penalty for a records-access failure since 2019.

Why a records request is the HIPAA gap most likely to cost you
The right of access has become OCR's most active enforcement priority under the Privacy Rule. Since the agency launched its Right of Access Initiative in 2019, it has imposed more than 50 penalties under it, reaching its 53rd in 2025. Dental practices keep showing up on that list. On a single day, in September 2022, OCR settled three separate cases against dental practices for the same failure: not giving patients their records on time.
Reading through the dental cases OCR has published, the trigger is almost always mundane: an improper fee, or a request that sat unanswered for months. The expensive part was never the records. It was ignoring the request.
What makes this different from most HIPAA risks is who triggers it. A breach usually starts with an attacker. A right-of-access violation starts with your own patient, who only has to file a short complaint with OCR when they cannot get their records. That complaint is also one of the most common ways an OCR investigation into a practice begins in the first place. And the penalties are not reserved for large groups. Gums Dental Care is a solo office. The 2022 settlements ran from $25,000 to $80,000 and hit practices in Illinois, Georgia, and Nevada.
What the right of access actually covers
Under 45 CFR 164.524, a patient can inspect and get a copy of the protected health information you keep about them in what HIPAA calls the designated record set. For a dental practice, that is broader than most people assume. It includes the clinical chart and treatment notes, your imaging (panoramic, bitewing, CBCT), and the billing records you use to make decisions about that patient.
A few things sit outside the right of access. Psychotherapy notes kept separate from the rest of the record are excluded, as is information compiled in reasonable anticipation of a lawsuit. Almost nothing else in a typical dental file qualifies. If a patient asks for everything, the safe assumption is that you owe them their full chart, including images and billing.
The 30-day clock, and the one extension you get
You must act on a records request within 30 calendar days of receiving it. That is an outer limit, not a target. OCR's own guidance encourages practices to respond sooner, and a portal can make it near-instant. You may take one extension of up to 30 more days, but only if, inside the first 30 days, you give the patient a written statement explaining the delay and the date you will deliver. You get that extension once per request. There is no second one.
| Stage | What HIPAA requires |
|---|---|
| Day 0 | Patient submits a request. The clock starts the day you receive it. |
| By Day 30 | Provide the records, or send a written denial on a permitted ground, or send written notice of a one-time extension. |
| Extension | Up to 30 additional days. Only one. The written notice must go out within the first 30 days and name a completion date. |
| By Day 60 | If you took the extension, the records (or a written denial) are due. |
One trap inside the clock: handing over part of the record on time does not count as meeting the deadline. In the 2022 cases, Chicago's Family Dental Care produced only portions of a patient's records and did not deliver the complete file until months later. That partial response was treated as a failure, and the practice paid $30,000.
What you can charge, and what you can't
You are allowed to charge a reasonable, cost-based fee when a patient asks for copies. The fee can include only the labor to copy the records, the cost of supplies such as a CD or USB drive, and postage if the patient wants them mailed. You may also charge to prepare a summary, but only if the patient agrees to one in advance.
| You CAN charge for | You CANNOT charge for |
|---|---|
| Labor to copy the records (paper or electronic) | Searching for or retrieving the records |
| Supplies (CD, USB) if the patient wants portable media | The cost of maintaining your records system or software |
| Postage, if the records are mailed | A fee on records the patient receives through a portal |
| A summary, only if the patient agrees to one | Anything, as a condition of an unpaid treatment bill |
This is where two of the dental cases turned. A Georgia practice, Great Expressions Dental Center of Georgia, told a patient she had to pay a $170 copying fee and would not release her records until she did. OCR found the fee was not reasonable and the delay was unlawful, and the practice paid $80,000. Gums Dental Care charged a $25 fee for records the patient had asked to receive by email. Because there is no real copying or supply cost for an emailed record, OCR found even that small fee improper. And you cannot hold records hostage over an unpaid dental bill. A patient's right to their record does not depend on whether they have settled their account.
The form and format the patient asks for
If a patient asks for their records in a specific form, you have to provide them that way when it is readily producible. If they want an electronic copy and you keep the chart electronically, you generally owe them an electronic copy. If you cannot produce the exact format requested, you provide a readable alternative you both can agree on.
Saying you have no secure way to send it is not a way out. Gums Dental Care argued it had no secure website and therefore could not email the records. OCR rejected that: the practice still had to provide the records in some other form and format, and offering nothing at all was the violation. If your email is not set up to carry patient information securely, the answer is a different delivery method, not silence.
Your state law can require more
Everything above is the federal floor. HIPAA sets a minimum, and a state law that gives patients more protection, including faster access or a lower fee, is not overridden by it. When both apply, you follow whichever rule is more protective of the patient. That is settled under HIPAA's preemption rule (45 CFR 160.203), and HHS has confirmed that a state law giving patients more timely access is the one that governs.
In practice this usually means a shorter clock or a tighter fee cap. The deadline alone can run well under the federal default:
| Jurisdiction | Deadline to provide records |
|---|---|
| Federal (HIPAA floor) | 30 calendar days, plus one 30-day extension |
| Texas | 15 business days |
| California | 15 days for copies; 5 business days to inspect |
So before you rely on the 30-day window or set a copying fee, check what your state requires.
When you can actually say no
The grounds for denying a records request are narrow and specific, and they are listed at 45 CFR 164.524(a)(2)-(3). A few denials are reviewable, meaning a licensed professional who was not involved in the original decision can be asked to look again, for example a determination that releasing the record is reasonably likely to endanger someone's life or safety. Most of the everyday reasons a practice might want to say no are not on the list at all.
Suspecting that a patient will misuse the records is not a permitted reason. In the Gums case, the dentist argued the patient might use the records to commit insurance fraud. OCR was explicit that this is not a lawful basis to deny access. Neither is an unpaid bill, a dispute with the patient, or simple inconvenience. When you do deny any part of a request, the denial has to be in writing, in plain language, sent within the same 30-day or 60-day window, and it must tell the patient how to seek a review if one applies and how to complain to you or to OCR. Any part of the record you do not have a ground to withhold still has to be released.
Who else can ask for the records
The right of access belongs to the patient, but a personal representative steps into the patient's shoes. For an adult, that is usually someone with legal authority such as a healthcare power of attorney. For a child, a parent or guardian is generally the personal representative, though state law carves out exceptions that matter in practice. Requests involving minors and parents raise enough of their own questions that they deserve separate treatment, which we will cover on its own.
Patients can also direct you to send their records straight to a third party, such as a new dentist or an attorney. A 2020 federal court decision, Ciox Health v. Azar, narrowed this. In plain terms: when a patient gets their own copy, the cost-based fee limit still applies; when they direct records to a third party, that specific fee cap no longer governs. Verify a third-party request the same way you would any other, and make sure the instruction to send is clear and in writing.
How to fulfill a records request, step by step
1. Write down who asked, what they asked for, the date, and how they want to receive it. The 30-day clock starts on that date, so the date is the single most important thing you record. You may require the request in writing or on your own form, as long as you have told patients that and it does not become a barrier or a delay.
2. Confirm the requester is the patient or an authorized personal representative. Reasonable verification is required, but it cannot become a stalling tactic. Do not add hurdles beyond what you would use to confirm anyone's identity.
3. Chart, treatment notes, all imaging, and billing. Partial is not compliant. If part of it is genuinely excluded, set only that part aside and prepare the rest.
4. If they asked for an electronic copy and you can produce one, send it electronically. If you cannot send it the requested way safely, offer a clear alternative rather than nothing.
5. Charge only the permitted copying costs. Charge nothing for a portal copy. Never condition release on an unpaid bill. If you do charge, you can require prepayment of that permitted amount.
6. If you need more time, the written extension notice has to go out before day 30 and name a completion date. You get one extension, not two.
7. Save what you sent, when, and to whom. If a complaint ever lands, your dated log is the difference between a quick close and a penalty.
Where solo practices slip
The practices that get fined are rarely the ones acting in bad faith. They are the ones without a written procedure, where a records request lands on whoever happens to open the mail, gets set aside during a busy week, and quietly blows past day 30. By the time the patient is frustrated enough to file with OCR, the only documentation is a vague memory of “we were getting to it.” The gap is almost never knowledge of the rule. It is the absence of a simple, owned, dated process that survives a busy front desk.
One change worth watching: OCR has a proposed rule, still in proposed form as of 2026 with a federal consultation step held in February 2026, that would shorten the standard response time from 30 days to 15. It is not final, and the 30-day rule remains the federal law today. But the direction is toward less time, not more, and in several states the deadline is already shorter, which is one more reason to fix the process now rather than rely on the back half of a 30-day window.
This is general information about HIPAA's right of access, not legal advice. Your own situation, and any stricter rules in your state, decide what applies to your specific practice.
About the author
Dolev Arama is Hipsana's founder. He's the one behind the Scorecard and the short risk reviews it produces. He is not an attorney, and Hipsana is a publisher and referral service, not a law firm or a healthcare provider. The writing here starts where the rules actually live, at HHS, OCR, and NIST, and gets checked against their current text before it goes up. If a line can't be sourced, it doesn't run.
Sources
- HHS Office for Civil Rights, civil monetary penalty against Gums Dental Care, LLC (October 2024).
- HHS Office for Civil Rights, September 2022 Right of Access Initiative settlements, including Family Dental Care and Great Expressions Dental Center of Georgia (September 2022).
- HHS Office for Civil Rights, individuals’ right of access under HIPAA guidance (accessed June 2026).
- HHS Office for Civil Rights, FAQ 403, “How do I know if a state law is more stringent than the HIPAA Privacy Rule?” (accessed June 2026).
- Ciox Health, LLC v. Azar (D.D.C. 2020) (fee limits on patient-directed transmissions to third parties).
- 45 CFR § 164.524 (right of access, including fees and the grounds for denial); § 160.203 (preemption) (eCFR, current).
- Federal Register, proposed modifications to the HIPAA Privacy Rule to support and remove barriers to coordinated care, January 21, 2021.
Frequently asked questions
How long does a dental practice have to provide records?
Thirty calendar days from receiving the request, under 45 CFR 164.524. You can take one extension of up to 30 more days, but only if you send the patient written notice of the delay and a completion date within the first 30 days. Some states require faster turnaround.
Can I charge a patient for a copy of their dental records?
Yes, a reasonable, cost-based fee covering labor to copy, supplies, and postage. You cannot charge for searching or retrieving records, you cannot charge for a copy delivered through a patient portal, and you cannot condition release on an unpaid bill.
Can I refuse to release records if the patient owes us money?
No. An unpaid bill is not a permitted reason to deny a patient access to their record. The two are separate matters.
What if a patient asks for records by email and we don't have secure email?
You still have to provide the records. If you cannot send them by email safely, offer another form or format. Sending nothing is the violation, as OCR made clear in the Gums Dental Care case.
Does a parent automatically get a copy of their child's dental records?
Usually, because a parent is generally the child's personal representative under HIPAA. State law creates exceptions, so this is one to handle carefully. We cover parental access to a minor's records on its own.
Does my state have different rules than HIPAA?
It might, and if it does, the stricter rule wins. HIPAA is a federal floor. Some states require faster turnaround, such as Texas at 15 business days, and some cap copying fees, such as California at 25 cents per page. Check your state's medical-records law alongside HIPAA and follow whichever is more protective of the patient.