amendment of records, right to (HIPAA)

HIPAA's Privacy Rule grants individuals a "right to amend" -- that is, to take exception to information in their records with which they disagree, and request corrections. Covered entities may choose to make requested changes; or the information can be left unchanged if it is believed to be correct, but with documentation in the record of the patient's disagreement. (A right to amend exists, in varying forms, under the laws of many states. HIPAA makes it national.)

Individuals have a right to amend any element of protected health information (PHI) in the designated records set, for as long as that information is maintained by the covered entity. Institutions are not obligated to amend if they determine another institution was the creator of the information at issue, unless the individual provides a "reasonable basis to believe" that the originator is no longer available to act on the request.

PHI that is exempted from HIPAA's right of access (under 45 CFR 164.524) is also exempted from the right of amendment.

Covered entities must establish mechanisms to process requests for amendments (usually it will be the same structure that supports the right of access), and must act on requests no later than 60 days after receipt of such requests. (An additional 30 days is permitted, provided the individual is informed in writing of the reasons for the delay and given a date for completion.) "Acting" on such a request means either correcting the record or providing the individual with a written denial.

Institutions may require that amendment requests be in writing, and to include reason(s) to support it, but only if it informs individuals in advance in the Notice of Privacy Practices.

If the amendment is accepted, covered entities must also make "reasonable efforts" to inform and provide the amendment within a "reasonable time" to:

  • persons identified by the individual as having received health information about the individual and needing the amendment; and
  • persons, including business associates, that the covered entity knows have the information that is the subject of the amendment and that may have relied, or could foreseeably rely, on it to the detriment of the individual.

If the amendment is denied, the written notice to the individual of that rejection must include, in "plain language":

  • the reasons for the denial;
  • the individual’s right to submit a "statement of disagreement" with the denial (and how the individual may file such a statement);
  • notice that, even if the individual does not submit a statement of disagreement, he/she may still request that the covered entity provide the individual’s request for amendment and the denial with any future disclosures of the information at issue; and
  • notice that the individual may complain to the covered entity, or to DHHS, and including the procedures for such complaints.

Covered entities may respond to an individual's "statement of disagreement" with a "rebuttal statement"; it must be included in the health record and a copy provided to the individual.

All future disclosures of PHI to which the disagreement relates must include at least a summary of the individual's objection(s) and the institution's response(s). If a standard transaction format is used which does not permit the inclusion of such materials, it must be sent separately.

Covered entities that are informed of a correction by another covered entity must amend their own records.

As with all the other information rights granted by HIPAA, individuals must designate a privacy office/officer to handle amendment requests, and document that designation in its records.

See also:


   © 2002-2006 Contributing authors and University of Miami School of Medicine