The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule gives individuals the right to request amendments to their protected health information (PHI) maintained in a designated record set. According to 45 CFR 164.526(a)(1), "An individual has the right to have a covered entity amend protected health information or a record about the individual in a designated record set for as long as the protected health information is maintained in the designated record set." This right shows that medical records can contain errors, and patients should have a say in ensuring their health information is accurate and complete.

A study conducted at the University of Michigan Health System and published in the Journal of the American Medical Informatics Association found that errors in medical records are more common than many people realize. The research paper analyzed patient-initiated amendment requests over a seven-year period and discovered that nearly half of all amendment requests were approved by clinicians. This shows that patients can identify inaccuracies in their records.

A designated record set includes medical records, billing records, and any other records used by a healthcare provider or health plan to make decisions about individuals. This includes everything from doctor's notes and lab results to insurance claims and treatment plans. The right to amend applies to these records as long as the covered entity maintains them.

Learn more: Why are designated record sets important to PHI?

​

Why the right to amend matters

Inaccurate information can have consequences, including inappropriate treatment decisions, denied insurance claims, or misdiagnosis. An error as simple as listing the wrong medication allergy or incorrectly documenting a family history of disease could impact a patient's care.

The research paper noted that nearly a quarter of errors found in medical records are deemed potentially important to patient care. Furthermore, the most common types of amendment requests involved medical and surgical information, followed by social history, psychiatric conditions, and documentation of in-clinic behavior.

Besides clinical implications, incorrect medical records can affect a patient's ability to obtain life insurance, disability benefits, or even employment in certain fields. They can also cause unnecessary stress and confusion when different providers access conflicting information.

​

How to request an amendment

To request an amendment, a patient must submit a written request to the healthcare provider or health plan that maintains the record. 45 CFR 164.526(b)(1) states that "The covered entity may require individuals to make requests for amendment in writing and to provide a reason to support a requested amendment, provided that it informs individuals in advance of such requirements." Many covered entities provide specific forms to streamline this process.

Rather than simply stating that something is wrong, explain what the error is, what the correct information should be, and why the change matters. Supporting documentation can strengthen your case, whether that's medical records from another provider, test results, or other evidence supporting your position.

According to the research paper, the majority of patient amendment requests, approximately 78%, were made to rectify incorrect information, while about 16% addressed missing information. However, only 6.6% sought to remove valid but sensitive information from records, though these requests were least likely to be approved, with only about 28% succeeding.

​

When can requests be denied?

Healthcare providers and health plans have the right to deny amendment requests under certain circumstances. According to 45 CFR 164.526(a)(2), a covered entity may deny your request if the information:

(i) Was not created by the covered entity, unless the individual provides a reasonable basis to believe that the originator of protected health information is no longer available to act on the requested amendment;

(ii) Is not part of the designated record set;

(iii) Would not be available for inspection under § 164.524;

(iv) Is accurate and complete

If a primary care doctor's records contain a specialist's report, a primary care doctor might not be able to amend the specialist's original documentation unless the patient can demonstrate that the specialist is no longer available to make the change themselves.

​

What happens after a denial?

Under 45 CFR 164.526(d)(1), the covered entity must provide a timely, written denial that uses "plain language" and contains:

(i) The basis for the denial;

(ii) The individual's right to submit a written statement disagreeing with the denial and how the individual may file such a statement

(iii)A statement that, if the individual does not submit a statement of disagreement, the individual may request that the covered entity provide the individual's request for amendment and the denial with any future disclosures of the protected health information that is the subject of the amendment; and

(iv) A description of how the individual may complain to the covered entity pursuant to the complaint procedures established in § 164.530(d) or to the Secretary pursuant to the procedures established in § 160.306. The description must include the name, or title, and telephone number of the contact person or office designated in § 164.530(a)(1)(ii).

However, Section 45 CFR 164.526(d)(2) specifies that "The covered entity may reasonably limit the length of a statement of disagreement." This statement must be included with the disputed record whenever it is disclosed in the future.

Even when an amendment is denied, this process creates a paper trail that alerts future healthcare providers to the disputed information. While not as ideal as having the record corrected, it ensures that the disagreement is documented and considered in future care decisions.

​

When amendments are approved

If an amendment request is approved, the healthcare provider or health plan must take specific actions as outlined in 45 CFR 164.526(c)(3). The covered entity must "make reasonable efforts to inform and provide the amendment within a reasonable time to:

(i) Persons identified by the individual as having received protected health information about the individual and needing the amendment; and

(ii) Persons, including business associates, that the covered entity knows have the protected health information that is the subject of the amendment and that may have relied, or could foreseeably rely, on such information to the detriment of the individual.

This means the patient plays an active role in identifying who should be notified about the correction. The covered entity will work with the patient to ensure that other healthcare providers involved and relevant business associates receive the amended information.

The amendment must be appended to or otherwise linked with the original record, creating an audit trail. The corrected information should then be used for future disclosures of that particular record set.

​

Timeframes and requirements

HIPAA establishes deadlines for processing amendment requests. According to 45 CFR 164.526(b)(2)(i), "The covered entity must act on the individual's request for an amendment no later than 60 days after receipt of such a request."

If additional time is needed, 45 CFR 164.526(b)(2)(ii) permits the covered entity to "extend the time for such action by no more than 30 days" provided they give written notice explaining the reason for the delay and when they will complete their review.

While a patient has the right to request amendments, there is no deadline to make such requests. Patients can request changes to records from years ago, though older records may present challenges in terms of gathering supporting evidence or locating the original creators.

Read also: HIPAA Compliant Email: The Definitive Guide

​

FAQs

Can patients request amendments to electronic health records and patient portal data?

Yes, the HIPAA right to amend applies equally to electronic and paper records as long as they are part of a designated record set.

Does the right to amend apply to records held by health apps or wearable device companies?

Only entities that qualify as HIPAA covered entities or business associates are required to honor amendment requests.

Can a patient request an amendment on behalf of a minor or incapacitated adult?

Yes, a personal representative may exercise the right to amend if they are legally authorized under HIPAA and state law.

Does HIPAA require providers to delete incorrect information entirely?

No, HIPAA generally requires amendments to be appended or linked to the original record rather than deleting it.

​