It seems hard to imagine this now, but three decades ago, before HIPAA was signed into law, a patient’s legal right to amend or correct a mistake in his or her records was severely limited. Only patients who were treated at healthcare organizations operated by the federal government, and patients who resided in states that had passed legislation granting patients this specific right, had the legal right to amend their protected health information (PHI) in their medical records. Upon passage of the HIPAA Privacy Rule, ALL patients were given the legal right to amend their PHI. The scope of the HIPAA patient right to amend PHI is discussed below.
Under the HIPAA Privacy Rule, covered entities must honor certain patient requests to amend protected health information (PHI). Generally, a patient has the right to amend PHI or a record about the individual in a designated record set, for as long as the PHI is in a designated record set .
A “designated record set” is defined as a group of records maintained by or for a covered entity that comprises the:
A “record” in a designated set includes any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.
Examples of records include:
The covered entity must permit an individual to request that the covered entity amend the protected health information maintained in the designated record set .
The covered entity may require patients to make requests for amendment in writing and to provide a reason to support a requested amendment, provided that it informs patients in advance advance of these requirements.
If a patient makes a request to amend PHI, the covered entity must must grant the request unless a specific HIPAA Privacy Rule provision allows for denial of the request. The covered entity must inform the patient of its decision to either grant or deny the request within 60 days after the covered entity has received the request.
If the covered entity grants the request, the covered entity must then make the appropriate amendment to the PHI or record that is the subject of the amendment request by, at a minimum
In addition, if the covered entity agrees to make the amendment, the covered entity must timely inform the patient that the amendment is accepted. The covered entity must then obtain the individual’s identification of, and agreement to have, the covered entity notify the relevant persons with which the amendment needs to be shared.
Finally, the covered entity must make reasonable efforts to inform and provide the amendment within a reasonable time to: