HIPAA Amendment Process: How to Request Changes to Your Medical Records, Step by Step

Patient's Right to Amend Medical Records

Under HIPAA, you have the right to request an amendment to your Protected Health Information when it appears inaccurate or incomplete. This right applies to information kept in a provider’s Designated Record Set—the medical and billing records a covered entity uses to make decisions about you.

The amendment right is a right to ask, not a guarantee that the provider must change the record. HIPAA balances patient access with Medical Record Integrity, so providers typically add an explanatory addendum rather than erase or rewrite original entries. The goal is a clear, accurate history of care.

Some records are excluded. Psychotherapy notes and material compiled for legal proceedings are not subject to HIPAA Inspection Rights and, in turn, are outside the amendment process. You can still raise concerns with your provider, but HIPAA does not require an amendment path for those categories.

When you request an amendment, you may also identify other individuals or organizations that should be notified if the change is accepted. This ensures updated information follows your care across systems and avoids repeated errors.

Procedure for Requesting an Amendment

Most providers accept a Written Amendment Request using their form or a signed letter. The essential steps below help you submit a clear, complete request the first time.

• Identify the specific entries you believe are wrong or incomplete. Include dates of service, departments, and the names of clinicians involved to locate the exact record.
• Write a concise explanation of what is incorrect or incomplete and how it should read. Attach supporting documents, such as test results, referral letters, or discharge summaries.
• Submit a Written Amendment Request to the provider’s medical records department or privacy officer. Provide your full name, date of birth, contact information, and a legible signature.
• State whether you want the provider to notify other parties if the amendment is approved. List care team members, health plans, or facilities that rely on the information.
• Keep copies of everything you send. If you use an online portal, save confirmation screens or message transcripts for your records.
• Be prepared to verify your identity. Providers must safeguard PHI and may require photo identification or portal authentication before processing the request.

Clear, focused requests speed review and reduce follow-up questions. If your provider’s policy allows email or portal submission, ask whether a mailed or in-person delivery is still required for signature purposes.

Provider's Response Timeframe

HIPAA sets a 60-Day Response Period. Within 60 days of receiving your request, the provider must either act on it or send you a written notice explaining why more time is needed and the date by which they will complete the review.

Providers may take one 30-day extension when they cannot meet the initial deadline. The extension notice must state the reason for the delay and the new completion date. Whether approving or denying, the provider must communicate the outcome in writing and explain next steps.

Possible Outcomes of Amendment Requests

Your request can result in one of several outcomes, all designed to keep the record accurate while preserving Medical Record Integrity.

• Approved: The provider accepts your request and prepares an addendum or correction that is appended or otherwise linked to the original entry.
• Partially Approved: Some items are amended while others are not, with written explanations for each decision.
• Denied: The provider sends a denial notice explaining the grounds for denial and how to submit a Statement of Disagreement.
• Statement of Disagreement: If denied, you may submit a written statement explaining why you disagree. The provider may write a rebuttal, and both documents become part of your record and accompany future disclosures as required.

If you believe HIPAA was not followed in handling your request, you can file a complaint with the provider or with the appropriate oversight authorities. Doing so does not affect your care and may help resolve process issues.

Implementation of Approved Amendments

When an amendment is approved, the provider must integrate it into the Designated Record Set. This typically means appending a dated, signed addendum or correcting metadata while retaining the original entry to preserve an audit trail.

The provider must also take reasonable steps to ensure that future uses and disclosures of the affected PHI include the amended information. Internal systems should flag the corrected entry so clinicians and billing teams see the current, complete version during care or claims processing.

Documentation is key. The provider keeps records of the request, the decision, and the changes made so that the amendment process itself is traceable and compliant.

Notification to Other Parties

Upon approval, the provider must make reasonable efforts to notify parties you identify and others the provider knows rely on the information—such as referring clinicians, hospitals, or health plans. The notice should include the substance of the amendment so recipients can update their systems.

You can help by listing specific contacts and recent points of care. Accurate routing reduces the risk of old information resurfacing and aligns your care team around the corrected record.

Limitations on Amendment Requests

HIPAA allows providers to deny an amendment when specific conditions apply. Common reasons include the following:

• The information is not part of the Designated Record Set used to make decisions about you.
• The record was not created by the provider receiving your request, and the original source is available to respond.
• The information is not subject to HIPAA Inspection Rights, such as psychotherapy notes or documents prepared for litigation.
• The record is accurate and complete as it stands, even if you disagree with a clinical opinion or diagnosis.

Remember, the objective is Medical Record Integrity. Approved changes are usually handled as addenda that clarify or correct entries without deleting the original text. This preserves the historical record while making sure current and future users see accurate context.

In summary, you can request an amendment to PHI in the Designated Record Set by submitting a clear, Written Amendment Request. Providers must respond within the 60-Day Response Period (with one possible 30-day extension), implement approved changes, and notify appropriate parties, while denials trigger your right to submit a Statement of Disagreement. Understanding these steps helps you keep your record accurate for safer, better-coordinated care.

FAQs

What is the timeframe for a provider to respond to an amendment request?

The provider must act within a 60-Day Response Period from receipt of your request. If more time is needed, the provider may take one 30-day extension, but must send you a written notice explaining the reason and specifying a new completion date.

How can a patient submit a statement of disagreement?

If your request is denied, follow the instructions in the denial letter to submit a Statement of Disagreement. Keep it concise, explain why you believe the entry is incorrect or incomplete, and reference the specific record. Your statement becomes part of the record and will accompany future disclosures as required.

When can a provider deny an amendment request?

Denials are permitted when the information is outside the Designated Record Set, was not created by the provider and the original source is available, is not subject to HIPAA Inspection Rights, or is deemed accurate and complete. The denial notice must explain the reason and how to file a Statement of Disagreement.

What happens after an amendment is approved?

The provider appends or links the amendment to the original entry to maintain Medical Record Integrity, updates the Designated Record Set, and takes reasonable steps to ensure future uses and disclosures reflect the corrected information. The provider also notifies parties you identify and others known to rely on the affected PHI.