of records, right to (HIPAA)
Rule grants individuals a "right to amend" --
that is, to take exception to information in their records
with which they disagree, and request corrections. Covered
entities may choose to make requested changes; or the
information can be left unchanged if it is believed to be
correct, but with documentation in the record of the patient's
disagreement. (A right to amend exists, in varying forms,
under the laws of many states. HIPAA makes it national.)
a right to amend any element of protected
health information (PHI) in the designated
records set, for as long as that information is maintained
by the covered entity. Institutions are not obligated to amend
if they determine another institution was the creator of the
information at issue, unless the individual provides a "reasonable
basis to believe" that the originator is no longer available
to act on the request.
that is exempted from HIPAA's right
of access (under 45
CFR 164.524) is also exempted from the right of amendment.
must establish mechanisms to process requests for amendments
(usually it will be the same structure that supports the right
of access), and must act on requests no later than 60 days
after receipt of such requests. (An additional 30 days is
permitted, provided the individual is informed in writing
of the reasons for the delay and given a date for completion.)
"Acting" on such a request means either correcting
the record or providing the individual with a written denial.
require that amendment requests be in writing, and to include
reason(s) to support it, but only if it informs individuals
in advance in the Notice
of Privacy Practices.
If the amendment
is accepted, covered entities must also make "reasonable
efforts" to inform and provide the amendment within a
"reasonable time" to:
- persons identified
by the individual as having received health information
about the individual and needing the amendment; and
- persons, including
that the covered entity knows have the information that
is the subject of the amendment and that may have relied,
or could foreseeably rely, on it to the detriment of the
If the amendment
is denied, the written notice to the individual of that rejection
must include, in "plain language":
- the reasons
for the denial;
- the individuals
right to submit a "statement of disagreement"
with the denial (and how the individual may file such a
- notice that,
even if the individual does not submit a statement of disagreement,
he/she may still request that the covered entity provide
the individuals request for amendment and the denial
with any future disclosures of the information at issue;
- notice that
the individual may complain to the covered entity, or to
DHHS, and including the procedures for such complaints.
may respond to an individual's "statement of disagreement"
with a "rebuttal statement"; it must be included
in the health record and a copy provided to the individual.
All future disclosures
of PHI to which the disagreement relates must include at least
a summary of the individual's objection(s) and the institution's
response(s). If a standard transaction format is used which
does not permit the inclusion of such materials, it must be
that are informed of a correction by another covered entity
must amend their own records.
As with all the
other information rights granted by HIPAA, individuals must
designate a privacy
office/officer to handle amendment requests, and document
that designation in its records.