What are California patient-access and Dental Board records deadlines?

Purpose

Patient chart rules in California dictate strict confidentiality, structured access timelines, and precise breach notifications. This block covers the state's comprehensive framework for record handling, from documentation integrity and public benefit requests to facility closure retention and Dental Board audits. Because California's numerical deadlines consistently preempt federal HIPAA shortcuts, mastering these state-specific statutes is critical for the exam.

Exam Areas Covered

Task block 1A — Patient Information. Knowledge statements K1011–K1054, including HIPAA criteria (K1017), sharing patient information with guardians, financially responsible parties, collection agencies, audits, and subpoenas (K1011–K1016), prescription documentation and chart alteration (K1021–K1022), records storage on closure and security of stored records (K1031–K1032), unauthorized-access notification duties (K1041–K1042), and the legal grounds, timelines, and methods for sharing records on request (K1051–K1054).

High-Yield Rules

Confidentiality baseline

Patient records are confidential by default. A dentist may release them only with a valid patient authorization, under a treatment-payment-operations exception, or pursuant to a lawful mandate such as a court order, a subpoena that meets statutory notice rules, or a specific reporting statute. The disclosure must be no broader than the purpose requires.^{1 2} Under California's Confidentiality of Medical Information Act (CMIA, Civil Code §56.11), authorizations must meet strict formatting rules that go beyond HIPAA. An authorization must be handwritten or in typeface no smaller than 14-point type, and it must be clearly separate from other language on the same page.¹

Furthermore, the authorization must contain an expiration date or event, specify the types of information to be disclosed, list who may disclose and receive the information, state the specific uses, and include the patient's signature for no purpose other than executing the authorization. The patient must also receive a copy of this signed authorization.¹ Whenever there is a conflict between state and federal law, HIPAA serves as the federal floor, but never the California ceiling. When California law grants the patient stronger timing or notice protections than HIPAA, the stricter California rule absolutely controls the exam answer.^{1 2 3}

Memorize it: "Federal Floor, State Ceiling" — HIPAA sets the minimum, California controls when stricter; CMIA demands 14-point type and a separate signature.

California access timelines

A patient may inspect their record within 5 working days of a written request, and the provider must transmit copies within 15 days of a written request.⁴ If the provider elects the summary route under HSC §123130 instead of providing full copies, the summary is due within 10 working days. This summary deadline can only be extended up to 30 days in narrow statutory circumstances, such as when the record is of extraordinary length or the patient was recently discharged from a licensed health facility.⁵ A provider can also satisfy a radiograph request by transmitting the original X-rays directly to another health-care provider named in the written request within 15 days, rather than handing the patient the only copy.⁴

Additionally, one relevant copy of the record must be provided at no charge when the written request supports specified public-benefit or immigration-relief claims, provided the statutory proof requirements are met. This specific free-copy request carries a 30-day timeline for compliance.⁴ Crucially, an unpaid account balance never justifies withholding records, summaries, or radiographs from a patient. The state explicitly bans this practice, meaning no "hostage rule" exists in California under any circumstances.⁴

Memorize it: "5-15-10-30" — 5 working days to inspect, 15 days for copies, 10 working days for a summary, 30 days for the free public-benefit copy.

Chart integrity

Errors and disagreements regarding clinical documentation are corrected using a transparent, dated addendum. Providers must never resort to deletion, overwriting, or backdating the record, as quietly editing a chart after the fact transforms a simple clinical error into a severe unprofessional-conduct violation under BPC §1680.⁶ Altering a patient's record with the intent to deceive is one of the most strictly penalized actions a licensee can take.

An adult patient has the statutory right to attach their own addendum to the chart if they believe the record is incomplete or incorrect. The patient may add up to 250 words per disputed item.⁵ The provider must attach this addendum to the patient's records and ensure that it travels with any future disclosures of the allegedly incomplete or incorrect portion of the chart to third parties. Importantly, the inclusion of the patient's addendum does not subject the provider to liability for any defamatory or unlawful language the patient might use within it.⁵

Memorize it: "The 250 Club" — 250-word patient addendum limit per disputed item; never delete, only append.

Closure and disposal retention

When a dental facility ceases operation, statutory minimums dictate how long records must be preserved. For adult patients, the records must be maintained safely for at least 7 years following the patient's discharge or last date of service.⁷ Simply locking the doors and walking away constitutes patient abandonment and a massive violation of the Dental Practice Act.

For unemancipated minors, the rules extend the timeline to protect the patient into adulthood. Minor records must be kept for at least 1 year after the patient reaches the age of 18, and in absolutely no case can the total retention period be less than 7 years.⁷ These timelines are statutory floors; malpractice insurance carriers and specific clinical situations often dictate retaining records for significantly longer periods to ensure comprehensive liability protection.

Memorize it: "7-after-discharge / 1-after-18" — adults: 7 years from last visit; minors: 1 year past age 18, never under 7 years total.

Breach notification (updated for 2026)

A massive legislative update via SB 446 completely restructured California's data breach notification timelines. For breaches discovered on or after January 1, 2026, Civil Code §1798.82 requires that notice to affected California residents must be issued no later than 30 calendar days after the discovery of the breach.^{3 1} The old standard of notifying patients "without unreasonable delay" has been eliminated and is a stale-prep trap for candidates. If a breach impacts more than 500 California residents, the entity must also submit a sample notification to the Attorney General within 15 calendar days of notifying the affected individuals.³

In contrast, the federal HIPAA breach notification rule under 45 CFR §164.404 still requires notification to affected individuals "without unreasonable delay and in no case later than 60 calendar days" after discovery. Because California's 30-day clock provides stronger consumer protection, it is the stricter law and completely controls the exam answer for California residents. A delay in the 30-day notification is only permitted if a law enforcement agency determines that the notice will impede an active criminal investigation.²

Memorize it: "30 in CA, 60 in DC" — 30 calendar days for patient notice under California SB 446 (and 15 days for the AG), compared to 60 days under federal HIPAA.

Who may receive records

The lanes for legal access to a patient's chart are narrow and strict. Adult patients, minors who are lawfully authorized to consent to their own medical or dental care (under Family Code §6920 et seq.), and designated personal representatives are the only individuals who possess an absolute right to access the record.⁴ A personal representative must be a legally recognized agent, such as a guardian or a health care proxy, rather than merely any family member who demands access.

Parents do not automatically receive access to every minor's record. If a minor lawfully consented to the care personally—for example, a 15-year-old who is living apart from their parents and managing their own finances under FAM §6922, or a 12-year-old consenting to substance abuse treatment—the minor holds the access rights to those specific records.⁴ In these distinct cases, a parent cannot override the minor's confidentiality protections without explicit authorization or a superseding legal mandate.

Memorize it: "Adult, lawful minor, or legal representative" — three strict lanes of access, with no informal family substitutes allowed.

Board requests and penalties

When the Dental Board of California serves a request for records accompanied by a patient's valid authorization, the standard patient-access timelines do not apply. Instead, a licensed dentist has 15 days to comply with the Board's demand. If the demand is served on a health care facility, the facility has 30 days to comply.⁶ Commercial study materials have historically misrepresented the penalties for non-compliance. BPC §1684.1 imposes pre-court civil penalties of $250 per day against a licensee who fails to respond after the 15th day, up to a maximum cap of $5,000.⁶

It is critical not to confuse a basic Board records request with a formal court order enforcing a subpoena. If a licensee defies a court order mandating the release of records to the Board, the penalty immediately jumps to $1,000 per day, and the violation is elevated to a misdemeanor punishable by an additional fine of up to $5,000.⁶ Failing to comply with a Board request or court order also constitutes unprofessional conduct and serves as grounds for license suspension or revocation.

Memorize it: "15 days / $250-cap-$5k" — 15 days for a licensee to answer the Board, scaling to a $250 daily penalty up to $5,000 (with $1,000 daily penalties strictly for defying a court order).

Common Traps

• Treating HIPAA as if it erases California's strict 5-working-day inspection and 15-day copy deadlines.
• Thinking the provider may unilaterally downgrade every request for full copies into a 10-working-day summary of records.
• Using an unpaid patient balance as a legally valid reason to stall or refuse the release of a chart.
• Quietly editing or deleting a chart entry instead of making a transparent, dated 250-word maximum addendum.
• Repeating the old "without unreasonable delay" breach phrasing instead of applying SB 446's strict 30-calendar-day deadline effective January 1, 2026.
• Mixing up the pre-court $250/day penalty for ignoring a Board request with the $1,000/day penalty for defying a formal court order (a widespread study guide myth).
• Treating a free public-benefit copy as if it must be provided instantly, rather than acknowledging its 30-day statutory timeline.
• Giving the original radiograph to the patient when the lawful and easier move is direct transmittal to a new provider within 15 days.
• Assuming a parent is the automatic decision-maker on a minor's record when the minor was legally authorized to consent to the care alone.

Scenario Implications

When an exam stem describes a patient aggressively demanding their records during a heated billing dispute, the correct action is always to release the records within the 15-day window and pursue debt collection separately. You must never withhold the chart or radiographs to leverage payment. If a scenario hides the trigger inside a "we prefer to provide a summary" narrative, you must ask whether the provider explicitly elected the summary route under HSC §123130, which grants them 10 working days, or whether the patient insisted on full copies. The patient's right to receive full copies is generally honored unless the provider actively executes the statutory summary option.

When a data breach or misdirected disclosure surfaces after January 1, 2026, the scenario answer must apply California's strict 30-calendar-day state notice deadline. If the breach affects more than 500 California residents, the entity must also notify the Attorney General within 15 calendar days of notifying the patients. When an office is closing or a dentist is retiring, you must switch out of malpractice-carrier folklore and strictly apply the HSC §123145 closure-retention floors: 7 years for adults, and 1 year past age 18 for minors.

When the Dental Board serves a records demand during an investigation, you must slow down and identify the exact stage of the demand. If it is a standard request with patient authorization, the licensee faces a 15-day deadline and a $250 daily penalty (capped at $5,000) for non-compliance. If the stem specifies a formal court order enforcing a subpoena, the penalty instantly escalates to $1,000 per day. Finally, when a grandparent or distant relative shows up asking for a child's record, the question relies on legal authority rather than family role; without a formal Caregiver's Authorization Affidavit or legal guardianship documentation, access must be denied to protect minor confidentiality.

Footnotes

Footnotes

1. B1 California Confidentiality of Medical Information Act (CMIA), Civil Code §56 et seq.; valid-authorization requirements; state breach law overlay. https://leginfo.legislature.ca.gov/faces/codesTOCSelected.xhtml?tocCode=CIV ↩ ↩² ↩³ ↩⁴ ↩⁵

2. B2 HIPAA Privacy, Security, and Breach Notification Rules — 45 CFR Parts 160–164 (federal floor only; California controls when stricter). https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164 ↩ ↩² ↩³

3. A48 SB 446 amending California Civil Code §1798.82 — 30-calendar-day breach-notice deadline effective 1/1/2026. https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260SB446 ↩ ↩² ↩³

4. A9 California Health & Safety Code §123110 — patient inspection, copies, form/format, fees, and unpaid-balance rule. https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=HSC&sectionNum=123110. ↩ ↩² ↩³ ↩⁴ ↩⁵ ↩⁶

5. A26 California Health & Safety Code §§123111 and 123130 — patient addendums (250 words) and provider's HSC §123130 record-summary option. https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=HSC&sectionNum=123111. ↩ ↩² ↩³

6. A15 California Business & Professions Code §§1680, 1684.1, 1684.5 — unprofessional conduct, Board records demands, daily civil penalties. https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=BPC&sectionNum=1680. ↩ ↩² ↩³ ↩⁴

7. A10 California Health & Safety Code §123145 — record preservation on facility closure (7 years adults; 1 year past age 18 for minors, never under 7). https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=HSC&sectionNum=123145. ↩ ↩²