HIPAA Amendment of PHI: Your Rights and How to Request Corrections
Right to Request Amendment
You have the right to ask a covered entity—such as your doctor, hospital, or health plan—to amend Protected Health Information (PHI) it maintains about you. This right applies to records in the Designated Record Set, which includes medical and billing records (for providers) and enrollment, payment, claims, and case management records (for health plans) that are used to make decisions about you.
The goal is to meet PHI Accuracy Standards. An amendment can correct errors, add clarifying details, or update outdated facts. It does not require a provider to erase a professional opinion, but it allows you to add context or correct factual mistakes so decisions about your care or coverage are based on accurate, complete information.
Amendment Request Procedures
- Identify the specific entry you believe is inaccurate or incomplete and explain why.
- Submit your request in writing to the covered entity’s Privacy Officer or Health Information Management department.
- Include any supporting documents (for example, lab results or discharge summaries) and name anyone who should be notified if the amendment is accepted.
- Keep a copy of what you sent and note the date to help track the HIPAA Compliance Timeline.
Covered Entity Responsibilities
- Verify your identity and ensure the request targets information in the Designated Record Set.
- Review the request fairly, without imposing unreasonable barriers, and decide to grant or deny it within the required timeframe.
- Document all actions taken so the organization can demonstrate compliance.
Timeframe for Response
Under the HIPAA Compliance Timeline, the covered entity must act on your amendment request within 60 days. If it cannot complete the review in that window, it may take one 30-day extension, but it must send you a written notice before day 60 explaining the reason for delay and the date by which it will finish.
“Acting” on a request means granting the amendment and making the change, or issuing a written denial with required details. Silence or partial updates do not satisfy the rule.
Granting an Amendment
If your request is granted, the covered entity must amend the record and inform you promptly. It should also ask you to identify persons (and organizations) who should be told about the correction and obtain your agreement to notify them.
What Happens After Approval
- Incorporation: The correction or addendum is linked or appended to the PHI in the Designated Record Set and any relevant systems (for example, the EHR and billing).
- Notifications: The entity must make reasonable efforts to notify those you name—and others it knows may rely on the information—so they can also correct their copies. Business associates are included in these notifications.
- Confirmation: You receive written confirmation that the amendment was made and, when applicable, that notifications were sent.
Denying an Amendment
An amendment may be denied only for specific reasons. Common bases include:
- The information is not part of the Designated Record Set.
- The record was not created by the covered entity (and the original source is available to act on your request).
- The information is not subject to your right of access (for example, certain psychotherapy notes or litigation materials).
- The information is accurate and complete as it stands, consistent with PHI Accuracy Standards.
Written Denial Requirements
- Clear basis for the denial, tied to one of the permitted reasons.
- Instructions on your right to submit a Patient Statement of Disagreement and how to do so.
- Notice that, if you do not submit a disagreement statement, you may ask that your amendment request and the denial be included with future disclosures.
- How to file a complaint with the covered entity and with the Secretary of Health and Human Services, including a contact name or office and phone number.
Statement of Disagreement
If your request is denied, you may submit a Patient Statement of Disagreement explaining why you believe the PHI is inaccurate or incomplete. Keep it focused on facts: identify the exact entry, state the correction you seek, and cite supporting evidence. The covered entity may prepare a written rebuttal, and you must receive a copy if it does.
Once a disagreement exists, the covered entity must append or otherwise link your statement (and its rebuttal, if any) to the disputed PHI so both travel together in future uses and disclosures.
Documentation of Requests
Covered entities must keep documentation of Amendment Request Procedures, decisions, statements of disagreement, rebuttals, and notifications. HIPAA generally requires these records to be retained for six years from the date created or last in effect, whichever is later.
Good recordkeeping supports accountability: it shows who reviewed the request, what evidence was considered, when actions were taken under the HIPAA Compliance Timeline, and who was notified of accepted amendments.
Handling of Denied Amendments
When an amendment is denied, the covered entity must ensure the dispute is visible and follows the PHI. If you submit a Patient Statement of Disagreement, that statement—and any rebuttal—must be included (or accurately summarized) with any subsequent disclosure of the disputed information.
If you choose not to file a disagreement statement, you may still require the entity to include your original amendment request and the written denial with future disclosures of the contested PHI. Internally, the entity should flag or link the record so staff do not miss the dispute during treatment, payment, or operations.
Conclusion
Your right to request correction of PHI ensures decisions about your care and coverage rely on accurate, complete records. Make specific, well-supported requests, track the HIPAA timelines, and use the disagreement process when needed. Covered Entity Responsibilities include timely review, clear communication, and thorough documentation at every step.
FAQs
How do I request an amendment to my PHI?
Write to the covered entity’s Privacy Officer or Health Information Management department identifying the exact entry you want corrected, why it is inaccurate or incomplete, and what the amendment should say. Attach supporting documents and list anyone you want notified if the amendment is granted. Keep a dated copy to track the HIPAA Compliance Timeline.
What is the timeframe for a covered entity to respond to an amendment request?
The entity must act within 60 days. If more time is needed, it may take one 30-day extension, but it must send you a written notice before day 60 explaining the reason for the delay and the date it will complete the review.
What reasons may lead to denial of an amendment request?
Permitted reasons include: the information is not in the Designated Record Set; the record was not created by the entity (and the source is available); the information is not subject to access; or the record is already accurate and complete under PHI Accuracy Standards.
What are my options if my amendment request is denied?
You may submit a Patient Statement of Disagreement, require the entity to include your request and the denial with future disclosures, and file a complaint with the covered entity and with the Secretary of Health and Human Services. The denial letter must explain these rights and the steps to exercise them, consistent with Written Denial Requirements.