How to handle a data subject access request (DSAR) as an Independent Clinic Owner-Operator

Compliance & Legal | For Independent Clinic Owner-Operators | 3 apps | 12 steps | ~24 min to set up

A patient emails asking for all their records and communication history under a state privacy law or HIPAA access right. Your front desk isn't sure if it counts as a formal DSAR, which form to send back, or how long you legally have to respond. The request sits in the general inbox next to appointment reminders and insurance EOBs. You find it ten days later. Your EHR (Jane, SimplePractice, Kareo) handles the clinical record export, but logging who requested what, when you acknowledged it, what you sent, and whether the 30-day clock is ticking — that's a spreadsheet someone started and never finished. For a three-provider clinic, one missed DSAR deadline is a complaint to the state board or HHS. You need a paper trail, not a prayer.

Outcome

What you'll set up

A dedicated DSAR intake tracker that logs every request with a timestamp, requester identity, request type, and 30-day deadline — visible at a glance from any browser.
An email workflow that auto-acknowledges the request within 24 hours, drafts the verification and records-request response for your one-click review, and sets a follow-up reminder if the clock is approaching.
A task queue that assigns the DSAR to the right person (you, your biller, or your front desk), tracks status from 'received' through 'fulfilled,' and flags anything overdue before it becomes a compliance problem.
The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Data sources & config

Starch connects directly to Gmail (scheduled sync — messages and labels read and sent on a schedule) to monitor for inbound DSAR requests and send acknowledgments. The Task Manager and Knowledge Management apps run natively in Starch with no additional connections required. If your clinic uses a web-based EHR portal like Jane App or SimplePractice, Starch can automate the records export request through your browser — no API needed.

Prompts to copy
Monitor my Gmail inbox for any email that mentions 'records request,' 'access to my information,' 'data request,' 'HIPAA request,' or 'privacy request.' When you find one, label it DSAR, draft an acknowledgment email saying we received the request and will respond within 30 days, and create a task called 'DSAR - [patient name] - due [date 30 days out]' with priority P1.
Build me a DSAR log. Every entry should have: date received, patient name, contact email, type of request (access, correction, deletion, portability), verification status, deadline date, assigned staff member, and fulfillment date. Let me add new entries by chat and update status from the task view.
Create a knowledge base article titled 'DSAR Response Procedure' that covers: how to verify the requester's identity, what our EHR export covers vs. what we pull manually, our standard 30-day response window, and what to do if we need a 30-day extension. Make it searchable so front desk staff can find the answer without asking me.
Walkthrough

Step-by-step

1. Connect your Gmail (or Outlook) to Starch. Starch syncs your inbox on a schedule and the Email Agent begins monitoring for keywords associated with patient data requests: 'records,' 'access my information,' 'HIPAA,' 'privacy request,' 'delete my data.'
2. The Email Agent flags any matching message, labels it DSAR in Gmail, and drafts a plain-language acknowledgment reply: 'We received your request on [date]. We will respond within 30 days. Please reply to confirm your date of birth and the last four of your SSN so we can verify your identity.'
3. You review the draft in one click and send. The send timestamp becomes the official start of your 30-day clock. Starch logs the outbound confirmation date automatically.
4. A P1 task is created in Task Manager: 'DSAR — [Patient Name] — Deadline [date].' You assign it to whoever is handling records that week — yourself, your biller, or front desk.
5. The assigned person opens your DSAR log (the custom app you described to Starch) and enters the request type: full records access, correction of a note, deletion of non-clinical data, or portability export.
6. If the request is for a full records export, Starch walks you through the checklist stored in Knowledge Management: pull the clinical record from your EHR, include billing records, include any intake forms stored outside the EHR, and document what was sent and what was withheld (with reason).
7. If your EHR has a web-based patient portal for records export requests (Jane, SimplePractice, Kareo), Starch can automate that submission through your browser — no API required — and capture a screenshot of the confirmation as an attachment on the DSAR log entry.
8. Once the response packet is assembled, the Email Agent drafts the fulfillment email attaching or linking the records, with a plain-English cover note explaining what's included and the patient's right to request a correction if anything is inaccurate.
9. You send with one click. Starch marks the task fulfilled, timestamps the close date, and calculates days-to-close so you have an audit trail showing you met the 30-day window.
10. Seven days before any open DSAR deadline, the Email Agent sends you an internal reminder: 'DSAR for [Patient Name] is due in 7 days. Current status: [status]. Assigned to: [name].' If the deadline passes without a close date, it escalates to P0.
11. Monthly, you ask Starch to summarize DSAR volume: how many requests came in, average days to close, any that exceeded 30 days, and what types of requests were most common. This becomes your compliance log entry for the month.
12. Your Knowledge Management base holds the full procedure so any staff member can handle a DSAR without calling you — including what counts as a valid identity verification, what to do if the patient is hostile, and when to escalate to your healthcare attorney.
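
The triage and clock rules from steps 1, 3, 9, 10 and 11, written out as an added Python example; this is not Starch's code. The names `Dsar`, `looks_like_dsar`, `monthly_summary` and the `state` labels are hypothetical, and the second sample entry is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Keywords listed in step 1 of the walkthrough.
KEYWORDS = ("records", "access my information", "hipaa", "privacy request", "delete my data")
RESPONSE_DAYS = 30  # response window used throughout the page
REMINDER_DAYS = 7   # step 10: internal reminder 7 days before the deadline

def looks_like_dsar(subject: str, body: str) -> bool:
    """Case-insensitive keyword triage over subject AND body."""
    text = f"{subject}\n{body}".lower()
    return any(k in text for k in KEYWORDS)

@dataclass
class Dsar:
    patient: str
    ack_sent: date                 # step 3: acknowledgment send date starts the clock
    closed: Optional[date] = None  # step 9: set when the fulfillment email goes out

    @property
    def deadline(self) -> date:
        return self.ack_sent + timedelta(days=RESPONSE_DAYS)

    def days_to_close(self) -> Optional[int]:
        return (self.closed - self.ack_sent).days if self.closed else None

    def state(self, today: date) -> str:
        """'fulfilled', 'P0' (deadline passed), 'reminder' (<= 7 days left) or 'P1'."""
        if self.closed:
            return "fulfilled"
        remaining = (self.deadline - today).days
        if remaining < 0:
            return "P0"
        return "reminder" if remaining <= REMINDER_DAYS else "P1"

def monthly_summary(log: list) -> dict:
    """Step 11: request volume, average days to close, count closed past deadline."""
    done = [d for d in log if d.closed]
    days = [d.days_to_close() for d in done]
    return {"requests": len(log),
            "avg_days_to_close": sum(days) / len(days) if days else None,
            "late": sum(1 for d in done if d.closed > d.deadline)}

# First entry uses the dates from the page's worked example; the second is constructed.
SAMPLE_LOG = [Dsar("Former patient", date(2026, 2, 3), date(2026, 2, 12)),
              Dsar("Constructed patient", date(2026, 2, 10), date(2026, 2, 23))]
```

The keyword 'records' is broad enough to match routine mail, so a match should only queue the message for the one-click human review described in step 3, never send anything on its own.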

Worked example

February 2026 DSAR — Former Patient Records Request

Sample numbers from a real run
Date received
Feb 3, 2026 — Email flagged by Starch, acknowledgment sent within 2 hours
Feb 4 — Identity verification confirmed via reply email
Feb 10 — EHR export pulled (SimplePractice, 3 years of notes), billing records attached
Feb 12 — Records packet emailed to patient, task closed
Days to close: 9 of 30 allowed

On February 3rd, a former patient emailed your general inbox asking for 'all my records and anything you have about me.' The Email Agent caught it at 9:14 AM — the subject line said 'Question about my account' and your front desk would have filed it under 'deal with later.' Starch flagged it as a likely DSAR, drafted an acknowledgment with an identity verification request, and created a P1 task with a March 5th deadline. Your biller confirmed identity on the 4th. On the 10th, she pulled the SimplePractice export (three years of session notes, two intake forms, and the billing ledger showing a $340 outstanding balance from 2024 — noted separately as billing dispute, not included in the DSAR response per your procedure doc). Records went out on the 12th. Nine days, no board complaint, no scramble. The task closed automatically when the fulfillment email was sent, and the monthly summary on March 1st showed two DSARs in February, average 11 days to close, zero overdue.

Measurement

How you'll know it's working

Days to close each DSAR (target: under 30, ideally under 15)
Percentage of DSARs acknowledged within 24 hours of receipt
Number of open DSARs with fewer than 7 days remaining on the clock
Staff time spent per DSAR (target: under 2 hours for a standard full-records request)
Zero DSARs closed after the 30-day statutory deadline in any rolling 12-month period
Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

Spreadsheet (Google Sheets or Excel) + manual inbox monitoring
Free and familiar, but the request has to be noticed first — a spreadsheet doesn't watch your inbox, doesn't draft the acknowledgment, and doesn't nag you when day 28 arrives.
Practice management add-on (e.g., Kareo compliance module, Jane's document requests)
Handles records release within the EHR workflow, but doesn't catch requests that come in through your general email, contact form, or patient portal message — which is where most of them actually land.
General-purpose compliance SaaS (OneTrust, TrustArc)
Built for enterprise legal and compliance teams, priced accordingly — overkill for a three-provider clinic and requires implementation work your front desk won't have time for.
Healthcare attorney on retainer handling ad hoc
Right call for contested or legally complex requests, but using counsel to track a spreadsheet and send an acknowledgment email is expensive and slow for routine access requests.
On Starch RECOMMENDED

One platform — email agent, task manager, knowledge management all running on connected data. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

FAQ

Frequently asked questions

Does Starch touch my EHR or patient records directly?
No. Starch doesn't connect to Jane, SimplePractice, Kareo, or Dentrix as a scheduled-sync provider today. What it does: it monitors the email channel where DSAR requests arrive, manages the intake log and task queue, drafts and sends acknowledgment and fulfillment emails, and — if your EHR has a web-based portal — can automate navigation through your browser to initiate an export request. The actual clinical record export still happens inside your EHR. Starch manages the workflow around it.
What if the DSAR comes through our website contact form instead of email?
If your contact form sends submissions to your Gmail or Outlook inbox, Starch catches it the same way. If your form goes somewhere else — a separate inbox, a form tool — you can either forward those to the monitored inbox or describe the workflow to Starch and it will tell you what connection makes sense. For web-based form tools, browser automation is often the answer.
Is Starch SOC 2 certified? We handle PHI.
Starch is not SOC 2 Type II certified today. If your compliance framework or business associate requirements require SOC 2 certification from every vendor that touches patient-adjacent workflows, that's worth raising with your healthcare attorney before using Starch to process DSAR communications. Some clinics route the workflow through Starch for intake and tracking only, keeping the actual records packet assembled and sent outside the platform.
What's the 30-day rule and does Starch enforce it?
Under HIPAA and most state privacy laws, you have 30 days from receiving a valid access request to fulfill it, with one 30-day extension if you notify the patient in writing. Starch enforces this by timestamping the acknowledgment send date, calculating the deadline, setting a P1 task, and sending reminder alerts at the 7-day-remaining mark. It doesn't provide legal advice — your attorney sets the policy, Starch tracks the clock.
Can the front desk use this without training?
That's the point of the Knowledge Management piece. You describe your DSAR procedure once — what counts as a valid request, how to verify identity, what the EHR export includes, when to escalate — and Starch stores it in a searchable wiki. Your front desk types a question and gets the answer without calling you. The task assignment and email drafts do most of the judgment work; staff are reviewing and clicking, not figuring out compliance from scratch.
Does this work if we have two or three staff members who might handle DSARs?
Yes. The task created per DSAR includes an assignee field. You can set a default assignee (whoever handles records requests) or assign case by case. The task status and deadline are visible to everyone with Starch access, so if the assigned person is out, you can see exactly where each request stands and pick it up.
