When Can a Covered Entity Deny a Request to Amend PHI

The HIPAA Privacy Rule permits patients to request that PHI contained in their medical records be amended. The right is not unlimited, however, and a covered entity may deny a request to amend PHI under several circumstances.

What is the HIPAA Privacy Rule Right to Amend PHI?

Under the HIPAA Privacy Rule, covered entities must honor certain patient requests to amend protected health information (PHI). Generally, a patient has the right to amend PHI or a record about the individual in a designated record set, for as long as the PHI is in a designated record set.

A “designated record set” is defined as a group of records maintained by or for a covered entity that comprises:

  • Medical records and billing records about individuals maintained by or for a covered healthcare provider;
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. 

A “record” in a designated set includes any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity. Records include items such as medical records, lab results, and medical images (such as X-rays).

When May a Covered Entity Deny a Request to Amend PHI?

If a patient makes a PHI amendment request, the covered entity must grant the request unless a specific HIPAA Privacy Rule provision allows for denial of the request.

Under the HIPAA Privacy Rule, a covered entity may deny a patient’s request to amend PHI if the covered entity determines that the protected health information or record that is the subject of the request:

If the covered entity denies the requested amendment, in whole or in part, the covered entity must provide the patient with a timely, written denial, in plain language. The covered entity must inform the patient of its decision to deny the request within 60 days after the covered entity has received the request.

The denial must contain the following information:

  • The basis for the denial;
  • The individual’s right to submit a written statement disagreeing with the denial, and how the individual may file such a statement;
  • A statement that, if the individual does not submit a statement of disagreement, the individual may request that the covered entity provide the individual’s request for amendment and the denial with any future disclosures of the protected health information that is the subject of the amendment; and
  • A description of how the individual may complain to the covered entity.
    • The HIPAA Privacy Rule requires covered entities to provide a process for individuals to make complaints concerning the covered entity’s policies and procedures under the Privacy Rule.
    • A description of how the patient may complain to the Secretary of Health and Human Services.

What is a Statement of Disagreement?

If the covered entity denies all or part of a requested amendment, the covered entity must permit the individual to submit a written statement disagreeing with the denial. The patient may state the basis of the disagreement in the written statement. The covered entity is permitted to reasonably limit the length of a statement of disagreement.

If an individual submits a written statement, the covered entity is entitled to prepare a written rebuttal to the individual’s statement of disagreement. The covered entity must provide a copy of the rebuttal to the patient who submitted the statement of disagreement.