A key part of the HIPAA Privacy Rule is your patients’ right to amend their own medical records. This allows them to correct errors and improve the accuracy of their health data. Let’s look at an overview of your main responsibilities when a patient asks to amend their protected health information (PHI).
What rights do patients have to amend their PHI?
As long as your organization maintains a patient’s information, the patient has the right to request that you make changes to (or amend) their information in a designated record set. Your organization is responsible for responding to the amendment request.
You may require patients to make their requests in writing and provide a reason for the amendment. If you do, make sure your patients know this requirement.
How do you amend a patient’s records?
When you agree to an amendment request, first notify the patient that you accepted and have them identify and agree to have you notify other parties that need to be informed of the amendment.
After you amend the information in a designated record set, also identify other records that are affected by the change and update or link the data as needed.
Then you must notify any business associates who may rely on the data, letting them know you made the change. You must also make a timely and reasonable effort to let others in the network know about the amendment, as the patient identifies them, because those covered entities must also make the amendment.
What timeframe do you have to amend a patient’s records?
Your organization must act on requests no later than 60 days after receiving them. If you’re unable to act on the request within that time frame, you can give yourself a 30-day extension. If you take the extension, make sure you send a letter to the patient explaining the delay and the date that you will complete the request.
When can you deny a patient the ability to amend their PHI?
You may deny an amendment request only in the following circumstances:
- The record was not created by your organization.
- The record is not part of the designated record set (your organization doesn’t have the records).
- The record would not be available for inspection (see Right of Access).
- Your organization has determined that the record is complete and accurate.
If you deny an amendment, you must promptly notify the patient in writing. This statement must include:
- Your reason for denying the amendment
- The patient’s right to submit a statement disagreeing with the denial and how they can submit it
- A statement that explains that, if the patient does not submit a statement of disagreement, they may still request that your organization provide their requested amendment and the denial with any future disclosures of PHI that is subject to the amendment
- An explanation of how the patient may file a complaint to your organization
The patient may provide a statement disagreeing with the denial of the amendment. You then have the option to provide a rebuttal statement to the patient’s statement of disagreement.
Make sure you keep a copy of the process. This will include identifying the disputed record and attaching to it the patient’s amendment request, your denial of the amendment, the patient’s statement of disagreement, your rebuttal, and any other communications.
How does a denial impact future disclosures?
If the patient submitted a statement of disagreement following a denial, your organization must include all related materials or a summary of the dispute with any future disclosures of PHI related to the disputed record.
If the patient did not submit a statement of disagreement, they may still ask that you include their request for amendment and your organization’s denial (or a summary of the dispute) with all future disclosures of the PHI.
Having complete and accurate records benefits both your organization and your patients. That’s why HIPAA grants patients the right to ask their providers to change information in their records. Make sure you and your staff know how to respond appropriately to these requests.