Healthcare providers should handle medical record amendments by accepting written requests from patients, securely documenting each request, and reviewing it within HIPAA’s 60-day timeframe. If the amendment is approved, providers should append the correction without erasing the original entry, notify the patient in writing, and, if requested, securely inform any relevant third parties (e.g., other providers or insurers). Denied requests require a written explanation and information on the patient’s right to file a statement of disagreement. Always use HIPAA compliant communication methods to maintain privacy and document each step for compliance.
Under the HIPAA Privacy Rule, patients have the right to request amendments to their medical records if they believe the information is incomplete or inaccurate. This right applies to information in the “designated record set,” which includes medical, billing, and other health records used to make decisions about individuals. The HHS states that "If a covered entity accepts an amendment request, it must make reasonable efforts to provide the amendment to persons that the individual has identified as needing it, and to persons that the covered entity knows might rely on the information to the individual's detriment."
HIPAA requires healthcare providers to accept written amendment requests, allowing patients to submit them securely. Organizations should use HIPAA compliant forms, like Paubox, that patients can access online. For requests made in person, verify the patient’s identity and their right to make the request in order to safeguard protected health information (PHI). Documenting the request helps with tracking and maintaining compliance.
After receiving a request, covered entities must respond within 60 days. If more time is needed, an additional 30 days is allowed, with written notice provided to the patient. In reviewing the request, healthcare providers determine if the existing information is indeed inaccurate or incomplete. If the provider deems the information correct or if it wasn’t created by the provider (unless the original creator is unavailable), they may deny the request. Documentation during this step provides a clear record of actions taken and reasons for decisions.
When an amendment is approved, notify the patient in writing, make the necessary update in the record, and obtain the patient’s permission to share the amended information with specified third parties, such as other providers or insurance companies. If a request is denied, send the patient a formal letter explaining the denial and inform them of their right to submit a written statement of disagreement. The patient also has the right to file a complaint with the organization or the US Department of Health and Human Services (HHS).
When an amendment is approved, it should be added to the record without altering or erasing the original entry. The correction should be linked to the initial entry to maintain historical accuracy. Additionally, log the date, time, and personnel involved in the amendment to meet the HIPAA Security Rule audit requirements.
If the patient requests, notify any third parties who received the original, uncorrected information. This might include other healthcare providers, insurers, or anyone involved in the patient’s care who would benefit from the updated information. Notifications must be sent through HIPAA compliant communication channels to ensure security and privacy.
HIPAA requires covered entities to document each amendment request, response, and any supporting records. Retain copies of all communications and notifications regarding the amendment. These records should be stored securely as part of the patient’s health record and maintained according to the HIPAA Privacy and Security Rules.
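The append-without-erasing step described above can be modelled as an append-only record in which each correction links back to the entry it amends and every write produces an audit event. This is an added example, not code from the original article; `PatientRecord`, `Entry`, `AuditEvent` and the actor IDs used with it are names assumed for illustration, and it shows one possible data model.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)          # frozen: a stored entry cannot be edited in place
class Entry:
    entry_id: int
    text: str
    amends: Optional[int]        # entry_id of the entry this one corrects, else None

@dataclass(frozen=True)
class AuditEvent:
    when: datetime               # date and time of the action (UTC)
    actor: str                   # personnel who performed it
    action: str                  # "create" or "amend"
    entry_id: int

class PatientRecord:
    """Append-only record: entries are added, never modified or deleted."""
    def __init__(self):
        self._entries, self._audit = [], []

    def _append(self, text, actor, action, amends=None):
        entry = Entry(len(self._entries) + 1, text, amends)
        self._entries.append(entry)
        self._audit.append(
            AuditEvent(datetime.now(timezone.utc), actor, action, entry.entry_id))
        return entry

    def add_entry(self, text, actor):
        return self._append(text, actor, "create")

    def amend(self, original_id, corrected_text, actor):
        if not any(e.entry_id == original_id for e in self._entries):
            raise KeyError(f"no entry {original_id} to amend")
        return self._append(corrected_text, actor, "amend", amends=original_id)

    def history(self, entry_id):
        """Original entry followed by every linked amendment, oldest first."""
        chain = [e for e in self._entries if e.entry_id == entry_id]
        linked = {entry_id}
        for e in self._entries:          # amendments always come after their target
            if e.amends in linked:
                chain.append(e)
                linked.add(e.entry_id)
        return chain

    def current(self, entry_id):
        return self.history(entry_id)[-1]

    def audit_log(self):
        return tuple(self._audit)        # read-only view for reviewers
```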
Verbal requests should be documented, but to process the amendment formally, request that the patient submit it in writing as HIPAA requires.
No, providers can deny requests if they believe the current information is accurate, wasn’t created by them, or doesn’t fall within the patient’s designated record set.
Under HIPAA, patients can request an accounting of disclosures, which shows certain non-routine access to their PHI, including disclosures for purposes other than treatment, payment, or healthcare operations.