Do Patients Have the Right to Request Amendment of Their PHI?

Modified on Mon, 11 Dec, 2023 at 12:25 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice; instead, all information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.  



What is the HIPAA Privacy Rule Right to Request Amendment of PHI?

Under the HIPAA Privacy Rule, covered entities must honor certain patient requests to amend protected health information (PHI). Generally, a patient has the right to amend PHI or a record about the individual in a designated record set, for as long as the PHI is in a designated record set.

A “designated record set” is defined as a group of records maintained by or for a covered entity that comprises:

  • Medical records and billing records about individuals maintained by or for a covered health care provider;
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. 
    • NOTE: These records include records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.


A “record” in a designated set includes any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.

Examples of records include:

  • Medical records 
  • Clinical laboratory test results
  • Medical images (such as X-rays)
  • Wellness and disease management program files
  • Clinical case notes.


How Must Covered Entities Respond to a Request to Amend PHI?

The covered entity must permit an individual to request that the covered entity amend the protected health information maintained in the designated record set.


The covered entity may require patients to make requests for amendment in writing and to provide a reason to support a requested amendment, provided that it informs patients in advance of these requirements.

If a patient makes a request to amend PHI, the covered entity must grant the request unless a specific HIPAA Privacy Rule provision allows for denial of the request. The covered entity must inform the patient of its decision to either grant or deny the request within 60 days after the covered entity has received the request.

If the covered entity grants the request, the covered entity must then make the appropriate amendment to the PHI or record that is the subject of the amendment request by, at a minimum:

  • Identifying the records in the designated record set that are affected by the amendment; and

  • Appending or otherwise providing a link to the location of the amendment.

In addition, if the covered entity agrees to make the amendment, the covered entity must timely inform the patient that the amendment is accepted. 

The covered entity must make reasonable efforts to inform and provide the amendment within a reasonable time to:

(i) Persons identified by the individual as having received protected health information about the individual and needing the amendment; and

(ii) Persons, including business associates, that the covered entity knows have the protected health information that is the subject of the amendment and that may have relied, or could foreseeably rely, on such information to the detriment of the individual.



