Amendment of PHI under HIPAA: Your Right to Correct Medical Records, Timelines, and Denial Appeals

Under HIPAA, you can request an amendment of Protected Health Information (PHI) if you believe your medical or billing record is inaccurate or incomplete. This right applies to information in a provider’s or health plan’s Designated Record Set—records used to make decisions about you. Knowing the process, deadlines, and appeal options helps you make a precise, effective Amendment Request.

Right to Amend PHI

You may ask a Covered Entity—such as your doctor, hospital, or health plan—to amend PHI it maintains about you in its Designated Record Set. You can file on your own or through a personal representative. The entity may require your request in writing and ask for a reason supporting the change.

What to include in an Amendment Request

• Exactly what entry you want corrected or added, including dates and locations in the record.
• Why the information is inaccurate or incomplete, supported by notes, lab results, or other evidence.
• Names of third parties you want notified if the amendment is accepted.

Ask where to submit the request—typically the privacy office or health information management/medical records department—and keep copies for your own Record Retention.

Timeliness of Response

The Covered Entity must act on your request within 60 calendar days. If it cannot do so, it may take one 30-day extension, but must send you a written notice explaining the delay and giving a new completion date.

“Acting” means accepting the amendment and making the change, or denying the request in writing. You should receive the decision within the 60-day window or the permitted 30-day extension.

Grounds for Denial

Your request can be denied if the entity determines any of the following:

• The PHI was not created by the entity (unless the originator is no longer available to act on the amendment).
• The information is not part of the Designated Record Set.
• The information is not subject to your right of access (for example, psychotherapy notes or information compiled for litigation).
• The record is accurate and complete as is.

Denials should address the specific entries you challenged and the reasons the entity believes those entries should stand.

Denial Notification

If denied, you will receive a written notice that explains the basis for denial in plain language. The notice must tell you how to submit a Statement of Disagreement, and that if you choose not to submit one, you can still ask the entity to include your original request and the denial with any future disclosures of the disputed PHI.

The notice must also explain how to file a complaint with the entity and with the federal government, and provide contact information for doing so.

Statement of Disagreement

If you disagree with the denial, you may submit a written Statement of Disagreement. The entity may set a reasonable length limit, so keep your statement concise and focused on facts, citations to specific pages, and supporting evidence.

The Covered Entity may prepare a written rebuttal; if it does, it must provide you a copy. The entity must then append or link your request, the denial, your Statement of Disagreement, and any rebuttal to the disputed PHI. For future disclosures of that PHI, it must include this dispute packet or a summary, as applicable.

Documentation of Dispute

Good Dispute Documentation protects you and helps ensure accurate future disclosures. The entity should maintain: your Amendment Request; acceptance or denial notice; your Statement of Disagreement; any rebuttal; evidence of how the dispute was linked to the record; and a list of third parties notified.

Under HIPAA’s documentation rules, entities generally must retain required records for at least six years from the date of creation or last effective date. Ask the privacy office how long your amendment and dispute materials will be kept under its Record Retention policy.

Notification of Amendment

If your amendment is accepted, the entity must identify the affected records and append or otherwise clearly link the amendment in the Designated Record Set. You will be informed of the update and how it appears (e.g., addendum or corrected entry with date and author).

The entity must make reasonable efforts, within a reasonable time, to notify persons you identify as well as other persons (including business associates) known to have the disputed PHI and who may rely—or could foreseeably rely—on it to your detriment. Provide accurate names and contact details to streamline these notifications.

Conclusion

To use your Amendment of PHI under HIPAA effectively: file a precise written request, track the 60-day deadline (plus one possible 30-day extension), understand the four grounds for denial, and be ready to submit a focused Statement of Disagreement. Keep thorough copies for Dispute Documentation and ask that relevant third parties be notified when your amendment is accepted.

FAQs.

What is the timeframe for a covered entity to respond to a PHI amendment request?

The entity must act within 60 calendar days. If more time is needed, it may take one 30-day extension, but it must send you a written notice explaining the delay and stating when it will complete the action.

How can individuals submit a statement of disagreement if an amendment is denied?

Send a concise written Statement of Disagreement to the entity’s privacy office or medical records department, referencing the specific entries and explaining why they are inaccurate or incomplete. The entity may set a reasonable length limit and must give you a copy of any rebuttal it prepares.

What are the common grounds for denial of a PHI amendment request?

Typical reasons include: the PHI was not created by the entity (and the originator is available), the information is not part of the Designated Record Set, the information is not subject to access (e.g., psychotherapy notes or litigation materials), or the record is accurate and complete.

Can a covered entity notify third parties when an amendment to PHI is accepted?

Yes. When an amendment is accepted, the entity must make reasonable efforts to inform people you identify and others it knows hold the affected PHI and may rely on it, including business associates. Providing names and contact details helps ensure timely notification.