DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice; instead, all information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
This article discusses the circumstances under which a patient may deny a patient's request to have their PHI amended.
When May a Covered Entity Deny a Request to Amend PHI?
Under the HIPAA Privacy Rule, an individual has the right to have a covered entity amend protected health information or a record about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set ("Right to Amend PHI"). While certain requests to have the covered entity amend the PHI must be granted, the "Right to Amend PHI" rule allows covered entities to deny a request under specific circumstances.
Specifically, a covered entity may deny a patient's request to amend PHI, if the covered entity determines that the PHI or record that is the subject of the request:
1. Was not created by the covered entity, unless the individual requesting the amendment provides a reasonable basis to believe that the originator of PHI is no longer available to act on the requested amendment;
2. Is not part of the designated record set;
3. Would not be available for inspection under the HIPAA Privacy Rule right of access provision; or
4. Is accurate or complete.
What Must a Covered Entity Do if it Denies a Requested Amendment?
If a covered entity denies a requested amendment in whole or in part, the covered entity must provide the patient with a written denial, in plain language. The covered entity must inform the patient of its decision to deny the request within 60 days after the covered entity has received the request.
What Information Must be in the Written Denial?
The written denial must contain the following information:
1. The basis for the denial;
2. The individual's right to submit a written statement disagreeing with the denial ("statement of disagreement"), and how the individual may file the statement;
3. A statement that, if the individual does not submit a statement of disagreement, the individual may request that the covered entity provide the individual's request for amendment and the denial with any future disclosures of the PHI that is the subject of the amendment; and
4. A description of how the individual may complain to the covered entity, or the HHS Secretary. The description must include the name, or title, and telephone number of the contact person or office designated in § 164.530(a)(1)(ii).
What are the Statement of Disagreement and Rebuttal Statement?
The covered entity must permit the individual to submit to the covered entity a written statement disagreeing with the denial of all or part of a requested amendment and the basis of the disagreement. The covered entity can reasonably limit the length of a statement of disagreement.
When the covered entity receives the written statement of disagreement, the covered entity may prepare a written rebuttal to the individual's statement of disagreement. The covered entity must provide a copy of its written rebuttal to the individual who submitted the statement of disagreement.
What are the Covered Entity's Recordkeeping Obligations?
The covered entity must, as appropriate, identify the record or PHI in the designated record set that is the subject of the disputed amendment and append or otherwise link the individual's request for an amendment, the covered entity's denial of the request, the individual's statement of disagreement (if any), and the covered entity's rebuttal, if any, to the designated record set.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article