HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Handling medical record corrections and amendments under HIPAA

Written by Liyanda Tembani | Nov 19, 2024 2:39:08 AM

Healthcare providers should handle medical record amendments by accepting written requests from patients, securely documenting each request, and reviewing it within HIPAA’s 60-day timeframe. If the amendment is approved, providers should append the correction without erasing the original entry, notify the patient in writing, and, if requested, securely inform any relevant third parties (e.g., other providers or insurers). Denied requests require a written explanation and information on the patient’s right to file a statement of disagreement. Always use HIPAA compliant communication methods to maintain privacy and document each step for compliance.

 

Understanding patients’ rights to amend medical records

Under the HIPAA Privacy Rule, patients have the right to request amendments to their medical records if they believe the information is incomplete or inaccurate. This right applies to information in thedesignated record set,which includes medical, billing, and other health records used to make decisions about individuals. The HHS states that "If a covered entity accepts an amendment request, it must make reasonable efforts to provide the amendment to persons that the individual has identified as needing it, and to persons that the covered entity knows might rely on the information to the individual's detriment."

Related: What is the HIPAA right to amend?

 

The process for handling amendment requests

Receiving and documenting requests

HIPAA requires healthcare providers to accept written amendment requests, allowing patients to submit them securely. Organizations should use HIPAA compliant forms, like Paubox, that patients can access online. For requests made in person, verify the patient’s identity and right to make the request to protect protected health information (PHI). Documenting the request helps with tracking and maintaining compliance.

 

Reviewing and responding to requests

After receiving a request, covered entities must respond within 60 days. If more time is needed, an additional 30 days is allowed, with written notice provided to the patient. In reviewing the request, healthcare providers determine if the existing information is indeed inaccurate or incomplete. If the provider deems the information correct or if it wasn’t created by the provider (unless the original creator is unavailable), they may deny the request. Documentation during this step provides a clear record of actions taken and reasons for decisions.

 

Communicating the decision to patients

When an amendment is approved, notify the patient in writing, make the necessary update in the record, and obtain the patient’s permission to share the amended information with specified third parties, such as other providers or insurance companies. If a request is denied, send the patient a formal letter explaining the denial and inform them of their right to submit a written statement of disagreement. The patient also has the right to file a complaint with the organization or the US Department of Health and Human Services (HHS).

 

Implementing amendments in the medical record

When an amendment is approved, it should be added to the record without altering or erasing the original entry. The correction should be linked to the initial entry to maintain historical accuracy. Additionally, log the date, time, and personnel involved in the amendment for the HIPAA Security Rule audit requirements.

 

Notification to other parties of record amendments

If the patient requests, notify any third parties who received the original, uncorrected information. This might include other healthcare providers, insurers, or anyone involved in the patient’s care who would benefit from the updated information. Notifications must be sent through HIPAA compliant communication channels to ensure security and privacy.

 

Acceptable communication methods under HIPAA

  • Encrypted email: If email is used, it must be encrypted to prevent unauthorized access. Both the request and any amendment updates should follow encryption protocols.
  • In-person or mailed communication: In-person or mailed notifications are acceptable for patients who do not use digital methods. Mailed letters should be markedconfidentialto safeguard patient privacy.
  • HIPAA compliant messaging systems: HIPAA compliant text messaging systems like Paubox, designed for secure healthcare communication can be used for sharing real-time updates while protecting PHI.

Recordkeeping and documentation requirements

HIPAA requires covered entities to document each amendment request, response, and any supporting records. Retain copies of all communications and notifications regarding the amendment. These records should be stored securely as part of the patient’s health record and maintained according to the HIPAA Privacy and Security Rules.

 

FAQs

What if a patient requests an amendment verbally?

Verbal requests should be documented, but to process the amendment formally, request that the patient submits it in writing as HIPAA requires.

 

Are healthcare providers required to agree with every amendment request?

No, providers can deny requests if they believe the current information is accurate, wasn’t created by them, or doesn’t fall within the patient’s designated record set.

 

Do patients have the right to see who accessed their medical records?

Under HIPAA, patients can request an accounting of disclosures, which shows certain non-routine access to their PHI, including disclosures for purposes other than treatment, payment, or healthcare operations.

Read more: Understanding HIPAA's accounting of disclosures requirement