P6
Related Practice Areas
- The Markle Common Framework: Overview and Principles
- P1: The Architecture for Privacy in a Networked Health Environment
- P2: Model Privacy Policies and Procedures for Health Information Exchange
- P5: Authentication of System Users
- P9: A Common Framework for Networked Personal Health Information
- CT2: Authentication of Consumers
Additional Resources
- Policies in Practice: Individual Access
- Policies in Practice: The Download Capability
- Policies in Practice: Key Laws and Regulations
- Frequently Asked Questions
- Acknowledgements
Download P6: Patients' Access to Their Own Health Information
The HIPAA Privacy Rule: Amending Protected Health Information
The Privacy Rule recognizes the importance of allowing patients the right to amend inaccurate or incomplete medical records. Under the law, after an individual has reviewed his or her medical records, he or she may request that the covered entity amend the protected health information in the designated record set.19 However, in order to protect both the integrity of the record and the patient, the individual does not have the right to request that the covered entity delete any information from the record.20 Instead, information is added to the record, identifying and amending the pertinent information.
The Privacy Rule allows covered entities to require that individuals make amendment requests in writing and also provide a reason for the request, as long as individuals are notified in advance of any requirements. Within 60 days of receiving the request, the covered entity must either make the requested amendment or deny it.21 However, just as with the other access provisions, the law does allow the covered entity one extension (of no more than 30 days), provided that it sends the individual a written statement explaining the delay and listing the expected completion date.22
If the covered entity decides to accept the amendment request, the Privacy Rule requires that at a minimum, it must identify the records that are affected by the amendment and either attach the amendment or provide a link to the location of the amendment. The law also requires the covered entity to notify the individual that the record has been amended in a timely manner and to secure the individual’s agreement allowing the covered entity to inform other relevant persons. Also in a timely manner, the covered entity must make reasonable efforts to notify and provide the amendment to anyone that the individual designates as having received PHI needing amendment. The covered entity must also notify others, including business associates, which have the information and may have relied or could rely on the un-amended information to the detriment of the individual.23
If a covered entity decides to deny the amendment request, it must still abide by several related requirements, such as using plain language and within 60 days, the covered entity must provide the individual with a written denial that details both the basis for the denial and the individual’s right, as well as how to exercise this right, to submit a written statement disagreeing with the denial. If the individual submits a statement of disagreement, the statement, the original request, the covered entity’s denial, and any rebuttal must be appended to the designated record set and included in any future disclosures.24 Even if the individual does not submit a statement of disagreement, he or she may request—and the covered entity must comply—that the covered entity include the request for amendment and the denial with any future disclosures of pertinent sections of the designated record set.25 In addition, the covered entity is required to append or link to the appropriate section of the designated record set, as a recordkeeping function, the individual’s amendment request, the denial of request, the statement of disagreement, and any rebuttal statement.26