A key part of the HIPAA Privacy Rule is your patients’ right to amend their own medical records. This allows them to correct errors and improve the accuracy of their health data. Let’s look at an overview of your main responsibilities when a patient asks to amend their protected health information (PHI).
As long as your organization maintains a patient’s information, the patient has the right to request that you make changes to (or amend) their information in a designated record set. Your organization is responsible for responding to the amendment request.
You may require patients to make their requests in writing and provide a reason for the amendment. If you do, make sure your patients know this requirement.
When you agree to an amendment request, first notify the patient that you accepted and have them identify and agree to have you notify other parties that need to be informed of the amendment.
After you amend the information in a designated record set, also identify other records that are affected by the change and update or link the data as needed.
Then you must notify any business associates who may rely on the data, letting them know you made the change. You must also make a timely and reasonable effort to let others in the network know about the amendment, as the patient identifies them, because those covered entities must also make the amendment.
Your organization must act on requests no later than 60 days after receiving them. If you’re unable to act on the request within that time frame, you can give yourself a 30-day extension. If you take the extension, make sure you send a letter to the patient explaining the delay and the date that you will complete the request.
You may deny an amendment request only in the following circumstances:
If you deny an amendment, you must promptly notify the patient in writing. This statement must include:
The patient may provide a statement disagreeing with the denial of the amendment. You then have the option to provide a rebuttal statement to the patient’s statement of disagreement.
Make sure you keep a copy of the process. This will include identifying the disputed record and attaching to it the patient’s amendment request, your denial of the amendment, the patient’s statement of disagreement, your rebuttal, and any other communications.
If the patient submitted a statement of disagreement following a denial, your organization must include all related materials or a summary of the dispute with any future disclosures of PHI related to the disputed record.
If the patient did not submit a statement of disagreement, they may still ask that you include their request for amendment and your organization’s denial (or a summary of the dispute) with all future disclosures of the PHI.
Having complete and accurate records benefits both your organization and your patients. That’s why HIPAA grants patients the right to ask their providers to change information in their records. Make sure you and your staff know how to respond appropriately to these requests.
Check out our cheat sheet for staying up to date with changing regulations!