What are California dental records and confidentiality rules?

High-yield California rules for this topic

Confidentiality baseline

Patient records are confidential by default. A dentist may release them only with a valid patient authorization, under a treatment-payment-operations exception, or pursuant to a lawful mandate such as a court order, a subpoena that meets statutory notice rules, or a specific reporting statute. The disclosure must be no broader than the purpose requires.^{1 2} Under California's Confidentiality of Medical Information Act (CMIA, Civil Code §56.11), authorizations must meet strict formatting rules that go beyond HIPAA. An authorization must be handwritten or in typeface no smaller than 14-point type, and it must be clearly separate from other language on the same page.¹ Since AB 1697 took effect on January 1, 2024, §56.11 also expressly validates electronic signatures: an authorization is valid if it is "signed, including with an electronic or handwritten signature," so a wet-ink signature is never required.¹

Furthermore, the authorization must contain an expiration date or event, specify the types of information to be disclosed, list who may disclose and receive the information, state the specific uses, and include the patient's signature for no purpose other than executing the authorization. The patient must also receive a copy of this signed authorization.¹ Whenever there is a conflict between state and federal law, HIPAA serves as the federal floor, but never the California ceiling. When California law grants the patient stronger timing or notice protections than HIPAA, the stricter California rule absolutely controls the exam answer.^{1 2 3}

Memorize it: "Federal Floor, State Ceiling" — HIPAA sets the minimum, California controls when stricter; CMIA demands 14-point type and a separate signature — electronic or handwritten, either one counts.

California access timelines

A patient may inspect their record within 5 working days of a written request, and the provider must transmit copies within 15 days of a written request.⁴ If the provider elects the summary route under HSC §123130 instead of providing full copies, the summary is due within 10 working days. This summary deadline can only be extended up to 30 days in narrow statutory circumstances, such as when the record is of extraordinary length or the patient was recently discharged from a licensed health facility.⁵ A provider can also satisfy a radiograph request by transmitting the original X-rays directly to another health-care provider named in the written request within 15 days, rather than handing the patient the only copy.⁴

Additionally, one relevant copy of the record must be provided at no charge when the written request supports specified public-benefit or immigration-relief claims, provided the statutory proof requirements are met. This specific free-copy request carries a 30-day timeline for compliance.⁴ Outside that free public-benefit pathway, a provider may charge a reasonable, cost-based fee for patient-requested copies — limited to the cost of labor, supplies, postage, and preparing an agreed summary — and under HSC §123110(j), as amended by SB 815 effective January 1, 2024, the fee cannot exceed $0.25 per page for paper copies or $0.50 per page for records copied from microfilm.⁴ Crucially, an unpaid account balance never justifies withholding records, summaries, or radiographs from a patient. The state explicitly bans this practice, meaning no "hostage rule" exists in California under any circumstances.⁴

Memorize it: "5-15-10-30" — 5 working days to inspect, 15 days for copies, 10 working days for a summary, 30 days for the free public-benefit copy; paid copies cap at 25 cents a page (50 cents from microfilm).

Chart integrity

Errors and disagreements regarding clinical documentation are corrected using a transparent, dated addendum. Providers must never resort to deletion, overwriting, or backdating the record, as quietly editing a chart after the fact transforms a simple clinical error into a severe unprofessional-conduct violation under BPC §1680.⁶ Altering a patient's record with the intent to deceive is one of the most strictly penalized actions a licensee can take.

An adult patient has the statutory right to attach their own addendum to the chart if they believe the record is incomplete or incorrect. The patient may add up to 250 words per disputed item.⁵ The provider must attach this addendum to the patient's records and ensure that it travels with any future disclosures of the allegedly incomplete or incorrect portion of the chart to third parties. Importantly, the inclusion of the patient's addendum does not subject the provider to liability for any defamatory or unlawful language the patient might use within it.⁵

Memorize it: "The 250 Club" — 250-word patient addendum limit per disputed item; never delete, only append.

Closure and disposal retention

When a dental facility ceases operation, statutory minimums dictate how long records must be preserved. For adult patients, the records must be maintained safely for at least 7 years following the patient's discharge or last date of service.⁷ Simply locking the doors and walking away constitutes patient abandonment and a massive violation of the Dental Practice Act.

For unemancipated minors, the rules extend the timeline to protect the patient into adulthood. Minor records must be kept for at least 1 year after the patient reaches the age of 18, and in absolutely no case can the total retention period be less than 7 years.⁷ These timelines are statutory floors; malpractice insurance carriers and specific clinical situations often dictate retaining records for significantly longer periods to ensure comprehensive liability protection.

Providers who treat Medi-Cal (Denti-Cal) beneficiaries face a longer statutory floor for those patients. Welfare & Institutions Code §14124.1 requires Medi-Cal patient records to be retained for a minimum of 10 years — measured from the date of service, the completion of an audit, or the end of the provider's contract, whichever is later.⁸ Because this 10-year minimum exceeds the generic 7-year closure floor under HSC §123145, it overrides the 7-year rule for every Medi-Cal patient's chart.

Memorize it: "7-after-discharge / 1-after-18 / 10-for-Medi-Cal" — adults: 7 years from last visit; minors: 1 year past age 18, never under 7 years total; Medi-Cal (Denti-Cal) patients: 10 years.

Breach notification (updated for 2026)

A massive legislative update via SB 446 completely restructured California's data breach notification timelines. For breaches discovered on or after January 1, 2026, Civil Code §1798.82 requires that notice to affected California residents must be issued no later than 30 calendar days after the discovery of the breach.^{3 1} The old standard of notifying patients "without unreasonable delay" has been eliminated and is a stale-prep trap for candidates. If a breach impacts more than 500 California residents, the entity must also submit a sample notification to the Attorney General within 15 calendar days of notifying the affected individuals.³

In contrast, the federal HIPAA breach notification rule under 45 CFR §164.404 still requires notification to affected individuals "without unreasonable delay and in no case later than 60 calendar days" after discovery. Because California's 30-day clock provides stronger consumer protection, it is the stricter law and completely controls the exam answer for California residents. A delay in the 30-day notification is only permitted if a law enforcement agency determines that the notice will impede an active criminal investigation.²

Memorize it: "30 in CA, 60 in DC" — 30 calendar days for patient notice under California SB 446 (and 15 days for the AG), compared to 60 days under federal HIPAA.

Footnotes

1. B1 California Confidentiality of Medical Information Act (CMIA), Civil Code §56 et seq.; valid-authorization requirements; state breach law overlay. https://leginfo.legislature.ca.gov/faces/codesTOCSelected.xhtml?tocCode=CIV ↩ ↩² ↩³ ↩⁴ ↩⁵ ↩⁶

2. B2 HIPAA Privacy, Security, and Breach Notification Rules — 45 CFR Parts 160–164 (federal floor only; California controls when stricter). https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164 ↩ ↩² ↩³

3. A48 SB 446 amending California Civil Code §1798.82 — 30-calendar-day breach-notice deadline effective 1/1/2026. https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260SB446 ↩ ↩² ↩³

4. A9 California Health & Safety Code §123110 — patient inspection, copies, form/format, fees, and unpaid-balance rule. https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=HSC&sectionNum=123110. ↩ ↩² ↩³ ↩⁴ ↩⁵

5. A26 California Health & Safety Code §§123111 and 123130 — patient addendums (250 words) and provider's HSC §123130 record-summary option. https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=HSC&sectionNum=123111. ↩ ↩² ↩³

6. A15 California Business & Professions Code §§1680, 1684.1, 1684.5 — unprofessional conduct, Board records demands, daily civil penalties. https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=BPC&sectionNum=1680. ↩

7. A10 California Health & Safety Code §123145 — record preservation on facility closure (7 years adults; 1 year past age 18 for minors, never under 7). https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=HSC&sectionNum=123145. ↩ ↩²

8. A67 California Welfare & Institutions Code §14124.1 — 10-year minimum record retention for Medi-Cal (Denti-Cal) providers. https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=WIC&sectionNum=14124.1. ↩