Amendment of Medical Records Under HIPAA: Your Rights and How to Request Changes
Right to Request Amendment
Under HIPAA, you have the right to request an amendment to protected health information maintained in a covered entity’s Designated Record Set. The Designated Record Set generally includes the medical and billing records a provider or health plan uses to make decisions about you, as well as enrollment, payment, claims adjudication, and case or medical management records.
This right does not guarantee deletion or rewriting of history. To comply with HIPAA, covered entities typically append or link your correction to the original entry so that the record shows both the prior information and the amendment. This preserves clinical integrity while ensuring your perspective and evidence are part of the medical record.
Certain materials are excluded. The Psychotherapy Notes Exclusion means you cannot use HIPAA’s amendment right to change psychotherapy notes kept separately by a mental health professional. Information compiled in anticipation of legal action is also excluded, as are records not used to make decisions about you.
Process for Requesting Amendment
Start by identifying the provider’s or health plan’s Privacy Officer or the contact listed in their Notice of Privacy Practices. Most covered entities accept requests by mail, secure portal, or in person; many offer a standard form. They may require that your request be in writing and include a reason supporting the change.
- Specify exactly what entry you want amended (date, author, location in the chart) and the precise correction you seek.
- Explain why the information is inaccurate or incomplete and provide supporting documentation (for example, test results or discharge summaries).
- List any third parties who should be notified if the amendment is accepted (for example, a treating specialist or insurer).
- Submit the request as directed and keep copies for your records.
Covered entities must maintain policies, procedures, and records of requests and outcomes under HIPAA’s Documentation Retention Requirements. While those obligations apply to the entity, it is wise for you to keep your submission and all responses for future reference.
Timeframe for Response
The covered entity must act on your amendment request within 60 calendar days. If more time is needed, it may take one 30‑day extension, but it must notify you in writing before the initial 60 days expire, explain the reason for delay, and specify a new completion date.
“Acting” means either accepting the amendment (and implementing it) or issuing a written denial. If accepted, the entity must promptly add or link the amendment in the Designated Record Set and make reasonable efforts to notify persons and organizations that may rely on the corrected information.
Denial of Amendment
An Amendment Request Denial is permitted only for specific reasons. A covered entity may deny if: (1) it did not create the information and the originator is available to amend it; (2) the information is not part of the Designated Record Set; (3) the information is not subject to your right of access (for example, psychotherapy notes or information compiled for litigation); or (4) the record is already accurate and complete.
Denials can be full or partial. If only part of your request is denied, the entity should amend the accepted portions and clearly explain the basis for any portions it denies.
Notification of Denial
If your request is denied, you must receive a timely written notice in plain language. The notice explains the basis for denial, how to submit a Statement of Disagreement, and how to request that your original amendment request and the denial be included with any future Medical Record Disclosure of the disputed information.
The notice also describes how to file a complaint with the covered entity and with the U.S. Department of Health and Human Services. The entity must retain this documentation to meet HIPAA Compliance and Documentation Retention Requirements.
Right to Statement of Disagreement
If you disagree with a denial, you may submit a written Statement of Disagreement. Keep it focused on facts, identify the specific entries at issue, and explain why the information is inaccurate or incomplete. The covered entity may prepare a written rebuttal and must provide you a copy of that rebuttal.
Whether or not you file a Statement of Disagreement, you may request that your original amendment request and the denial accompany any future Medical Record Disclosure of the information in dispute. If you do submit a statement, the entity must append or link your statement (and any rebuttal) to the record and include it in future relevant uses and disclosures.
Impact of Amendment on Future Disclosures
When an amendment is accepted, the covered entity must make reasonable efforts to notify persons and organizations you identify, as well as others known to have relied—or who may rely—on the information, including applicable business associates. The amendment is incorporated into the Designated Record Set so future disclosures reflect the corrected data.
If your request is denied and you submit a Statement of Disagreement, the entity must append or link your statement (and any rebuttal) to the disputed information and include it with future uses or disclosures where the dispute is relevant. If you choose not to submit a statement, you can still require the entity to include your original request and the denial with future disclosures of that information.
In short, your amendment rights ensure that decision‑making records are accurate and that downstream recipients receive corrected or contextualized information, strengthening data quality and HIPAA Compliance across the lifecycle of Medical Record Disclosure.
FAQs
What is the process to request an amendment under HIPAA?
Identify the provider’s or plan’s Privacy Officer, submit a written request that pinpoints the exact entry to change, explain why it is inaccurate or incomplete, attach supporting documentation, and list third parties to notify if accepted. The entity must act within 60 days (with one possible 30‑day extension) by either amending the record or issuing a written denial.
What reasons can lead to denial of an amendment request?
Denials are permitted if the information was not created by the entity (and the originator is available), is not part of the Designated Record Set, is not subject to access (such as psychotherapy notes or information prepared for litigation), or is already accurate and complete.
Can I amend psychotherapy notes in my medical record?
No. The Psychotherapy Notes Exclusion means HIPAA’s right to access and amend does not apply to psychotherapy notes kept separately by a mental health professional. However, underlying information such as diagnoses, medications, and treatment plans that reside outside psychotherapy notes may be subject to access and amendment if they are part of the Designated Record Set.
What happens after my amendment request is approved or denied?
If approved, the entity appends or links the amendment in the Designated Record Set and makes reasonable efforts to notify relevant recipients and business associates. If denied, you receive a written explanation and can submit a Statement of Disagreement or request that your original request and the denial accompany any future Medical Record Disclosure of the disputed information.