Business associates do not have the authority to grant individuals the opportunity to amend their PHI. Patients must submit amendment requests to the covered entities that maintain their records.
Understanding the roles of covered entities and business associates
Under HIPAA, covered entities include healthcare providers, health plans, and healthcare clearinghouses that handle PHI. Business associates are individuals or entities that perform services on behalf of covered entities that involve the use or disclosure of PHI. Examples include billing companies, data analysts, and cloud storage services.
While business associates can manage PHI, they must comply with the Business Associates Agreement made with covered entities. These agreements outline the specific functions they can perform and the protections they must implement to ensure the confidentiality and integrity of PHI. However, when it comes to patients' rights to amend their information, business associates do not have the same responsibilities as covered entities.
The right to amend PHI
HIPAA grants individuals the right to request amendments to their PHI. According to HIPAA regulations, if a patient believes their PHI is inaccurate or incomplete, they can request an amendment to the covered entity that maintains their records. Covered entities are required to respond to these requests, either by agreeing to the amendment or providing a justification for their denial.
The right to amend PHI ensures that patients maintain accurate and up-to-date records. However, only “covered entities are responsible for fulfilling Privacy Rule requirements with respect to individual rights, including the rights of access, amendment, and accounting,” says the HHS.
See also: What are patient rights under HIPAA?
Business associates and amendment requests
Business associates handle PHI based on the instructions provided by covered entities. When a patient requests an amendment to their PHI, the covered entity is responsible for processing that request. While business associates may have access to the PHI and may even maintain electronic health records, they are not authorized to make amendments independently.
Instead, the covered entity will evaluate the request and determine whether it should be granted. If the request is approved, the covered entity must ensure the business associate updates their records accordingly. This process demonstrates the importance of collaboration between covered entities and business associates in maintaining accurate health information.
See also: HIPAA Compliant Email: The Definitive Guide
FAQs
Can business associates make changes to PHI on their own?
No, business associates cannot independently amend PHI. They must operate under the direction of the covered entity and cannot make changes unless authorized by the covered entity following an approved amendment request.
Why is it important for patients to have the right to amend their PHI?
Allowing patients to amend their PHI ensures their health records are accurate and complete. This is vital for effective treatment, accurate billing, and overall healthcare delivery. Accurate PHI also helps prevent medical errors.
What should an individual do if their request to amend PHI is denied?
If an amendment request is denied, the individual has the right to request a written statement explaining the denial. They may also submit a statement of disagreement, which must be included in their medical record.