It seems hard to imagine this now, but three decades ago, before HIPAA was signed into law, a patient’s legal right to amend or correct a mistake in his or her records was severely limited. Only patients who were treated at healthcare organizations operated by the federal government, and patients who resided in states that had passed legislation granting patients this specific right, had the legal right to amend their protected health information (PHI) in their medical records. Upon passage of the HIPAA Privacy Rule, ALL patients were given the legal right to amend their PHI. The scope of the HIPAA patient right to amend PHI is discussed below.
What is the HIPAA Privacy Rule Right to Amend PHI?
Under the HIPAA Privacy Rule, covered entities must honor certain patient requests to amend protected health information (PHI). Generally, a patient has the right to amend PHI or a record about the individual in a designated record set, for as long as the PHI is in a designated record set.
A “designated record set” is defined as a group of records maintained by or for a covered entity that comprises the:
- Medical records and billing records about individuals maintained by or for a covered health care provider;
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.
- These records include records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.
A “record” in a designated set includes any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.
Examples of records include:
- Medical records
- Clinical laboratory test results
- Medical images (such as X-rays)
- Wellness and disease management program files
- Clinical case notes.
How Must Covered Entities Respond to a Request to Amend PHI?
The covered entity must permit an individual to request that the covered entity amend the protected health information maintained in the designated record set.
The covered entity may require patients to make requests for amendment in writing and to provide a reason to support a requested amendment, provided that it informs patients in advance advance of these requirements.
If a patient makes a request to amend PHI, the covered entity must must grant the request unless a specific HIPAA Privacy Rule provision allows for denial of the request. The covered entity must inform the patient of its decision to either grant or deny the request within 60 days after the covered entity has received the request.
If the covered entity grants the request, the covered entity must then make the appropriate amendment to the PHI or record that is the subject of the amendment request by, at a minimum
- Identifying the records in the data set that are affected by the records; and
- Appending or otherwise providing a link to the location of the amendment
In addition, if the covered entity agrees to make the amendment, the covered entity must timely inform the patient that the amendment is accepted. The covered entity must then obtain the individual’s identification of, and agreement to have, the covered entity notify the relevant persons with which the amendment needs to be shared.
Finally, the covered entity must make reasonable efforts to inform and provide the amendment within a reasonable time to:
- Persons identified by the individual as having received protected health information about the individual and needing the amendment; and
- Persons, including business associates, that the covered entity:
- Knows have the protected health information that is the subject of the amendment; and
- That may have relied, or could foreseeably rely, on such information to the detriment of the individual.