45 CFR 164.526 Explained: HIPAA's Right to Amend Your Medical Records

Under 45 CFR 164.526, you have the right to request a Protected Health Information Amendment when information in your medical or billing records is inaccurate or incomplete. This rule sets clear Medical Record Correction Procedures and defines Covered Entity Responsibilities for handling your request from start to finish.

The amendment right applies to information a covered entity keeps in your Designated Record Set, and it works alongside the HIPAA Access Rules that govern your right to inspect or obtain copies. Below, you’ll find what the right includes, when Denial of Amendment Requests is permitted, how to file, and what happens next.

Right to Amend Protected Health Information

What the right includes

You may ask a covered entity—your health plan, most healthcare providers, or a healthcare clearinghouse—to amend Protected Health Information (PHI) it maintains about you. If the entity agrees, it must add or link an amendment so future users can see the correction, not erase the original entry.

What counts as a Designated Record Set

A Designated Record Set includes medical and billing records a provider keeps about you, as well as records a health plan uses to make decisions about benefits or eligibility. It generally does not include administrative or quality-improvement files that are not used to make decisions about you.

Timing and format

The entity must act on your request within 60 days of receiving it. If it needs more time once, it may take a single 30-day extension, but only if it sends you a written notice explaining the delay and a new completion date.

Relationship to HIPAA Access Rules

The HIPAA Access Rules (45 CFR 164.524) and the amendment right go hand in hand. If information is not available for access under those rules, it is also not subject to amendment (for example, psychotherapy notes or information compiled for use in legal proceedings).

Grounds for Denial of Amendment Requests

Permissible reasons to deny

• The covered entity did not create the information, and the original source is still available to amend it.
• The information is not part of your Designated Record Set.
• The information is not available for access under the HIPAA Access Rules (such as psychotherapy notes or information prepared for litigation).
• The information is already accurate and complete.

Notes on professional judgment

Amendments target factual inaccuracies or omissions. You may disagree with a provider’s clinical judgment, but the entity can deny the request if it determines the entry is accurate and complete as documented.

Procedures for Requesting Amendments

Step-by-step Medical Record Correction Procedures

1. Obtain and review your records under the HIPAA Access Rules so you can pinpoint what needs correction.
2. Prepare a written request to the covered entity’s privacy office identifying the specific entries to amend and why they are inaccurate or incomplete.
3. Include supporting details or documents (for example, lab results, discharge summaries, or correspondence) that substantiate your request.
4. Submit the request using the entity’s form if required. Keep copies of everything you send.
5. Respond promptly to any follow-up questions so the entity can decide within the required timeframe.

What a valid request should include

• Your identifying information and how to contact you.
• Exact location of the information (date of service, provider name, section of the record, claim number).
• The proposed amendment and the reason it is needed.
• Any persons or organizations you want notified if the amendment is accepted.

Covered Entity Responsibilities when a request is accepted

• Make the amendment by appending or linking it to the affected PHI within the Designated Record Set.
• Inform you that the amendment was accepted and ask you to identify third parties who should receive it.
• Make reasonable efforts to notify those parties—and others the entity knows have the PHI and may have relied or could foreseeably rely on it—so they can update their records.
• Ensure business associates incorporate the amendment as needed.

Requirements for Denial Notifications

What must be in a denial

• A clear, written explanation of the basis for the denial.
• Notice of your right to submit a Statement of Disagreement.
• Instructions for filing a complaint with the covered entity and with the U.S. Department of Health and Human Services.
• Notice of your right to ask the entity to include your original request and the denial with future disclosures of the disputed PHI.

The denial must be provided within 60 days of your request unless the entity properly issues a single 30-day extension notice.

Handling Statements of Disagreement

How to submit your Statement of Disagreement

If your request is denied, you may send a written Statement of Disagreement explaining why you contest the decision. Keep it focused on the specific entry and facts. The covered entity must add or link your statement to the disputed PHI in the Designated Record Set.

Rebuttal and future disclosures

The covered entity may prepare a written rebuttal and must give you a copy. For any subsequent disclosure of the disputed PHI, the entity must include your Statement of Disagreement (or an accurate summary) with the disclosure. If you do not submit a statement, you may still request that your original amendment request and the denial accompany future disclosures.

Obligations to Inform Third Parties

Who must be notified after an accepted amendment

When an amendment is accepted, the entity must make reasonable efforts, within a reasonable time, to inform:

• Anyone you identify in writing as having received the erroneous information and needing the amendment.
• Others the entity knows hold the PHI and may have relied, or could foreseeably rely, on it to your detriment, including business associates.

How updates propagate

Notifications may occur through secure electronic updates to connected systems, amended claims or billing notations, or direct written notices—whatever ensures recipients can apply the correction accurately.

Impact on Healthcare Accuracy and Outcomes

Why amendments matter

Accurate records improve clinical decision-making, reduce duplicate testing, and help prevent medication errors. They also streamline benefits decisions and claims, strengthen care coordination, and build trust between you and your providers.

Practical tips

• Be precise: cite dates, departments, and document names when requesting an amendment.
• Attach supporting evidence and keep a timeline of your submissions and responses.
• If 60 days pass without action, look for an extension letter; if none arrives, follow up with the privacy office.
• After an accepted amendment, confirm that key third parties were notified.

Conclusion

45 CFR 164.526 gives you a clear path to fix inaccuracies through a Protected Health Information Amendment. By following the Medical Record Correction Procedures and understanding Covered Entity Responsibilities, you can ensure that future decisions about your care and coverage rest on complete, reliable information.

FAQs

What qualifies as a valid amendment request under 45 CFR 164.526?

A valid request is a written submission to a covered entity that identifies specific entries in your Designated Record Set, explains why they are inaccurate or incomplete, and proposes the correction. The request should focus on verifiable facts or missing information rather than seeking to erase a documented clinical opinion.

How long does a covered entity have to respond to an amendment request?

The entity must act within 60 days of receiving your request. If it cannot complete its review in time, it may take one 30-day extension by sending you a written notice that explains the reason for the delay and sets a new completion date.

What happens if my request for amendment is denied?

You will receive a written denial explaining the basis for the decision and describing your options. You may submit a Statement of Disagreement, ask that your original request and the denial accompany future disclosures, and file a complaint with the covered entity and with the U.S. Department of Health and Human Services. These safeguards ensure that future users of your record see the context of the Denial of Amendment Requests.

Can I add a statement of disagreement to my medical records?

Yes. You can submit a Statement of Disagreement if your amendment is denied. The covered entity may write a rebuttal, must provide you a copy, and must append or link your statement (and any rebuttal) to the disputed PHI. For later disclosures of that information, the entity must include your statement or an accurate summary; if you do not submit a statement, you can request that your original amendment request and the denial be included with future disclosures.