HIPAA Amendment Request: How to Correct Your Medical Records
Right to Request Amendment
You have the right to ask a Covered Entity to correct or add information in your medical or billing records when it is inaccurate or incomplete. This right applies to protected health information maintained in a Designated Record Set used to make decisions about you.
What is a Designated Record Set?
A Designated Record Set includes medical and billing records and any other records a provider or health plan uses to make decisions about you. It does not include psychotherapy notes, information compiled for legal proceedings, or records kept solely for quality assurance that are not used to make decisions about you.
Who is a Covered Entity?
Covered Entities include most health care providers, health plans, and health care clearinghouses that handle your information for standard transactions. Business associates that work for them (like billing vendors) must also follow the Record Correction Process set by the provider or plan.
Submitting a Request
Submit a Written Amendment Request to the provider or health plan’s privacy office. Clearly state what information you want amended, where it appears, and why it is inaccurate or incomplete. Keep a copy of everything you send.
Step-by-step record correction process
- Identify the exact record entry (date of service, provider, page or portal screen).
- Explain the correction you seek and provide a brief rationale supported by documents (test results, discharge papers, ID, or correspondence).
- Include your contact information and any deadlines that affect you (e.g., upcoming surgery or claim appeal).
- List people or organizations you want notified if your amendment is accepted (names, addresses, fax numbers, or secure emails).
- Send the request by a trackable method and note the date sent.
Response Timeframe
The Covered Entity must act on your request within 60 days. If it cannot do so, it may take one 30-day extension, but it must send you written notice explaining the reason and the new deadline. These Patient Notification Requirements apply whether the request is accepted or denied.
Acceptance of Amendment
If your request is accepted, the provider or plan must identify the affected records and append or otherwise link the amendment so future users see it. You will receive confirmation that your amendment was accepted and an opportunity to name third parties who should receive the correction.
The Covered Entity must make reasonable efforts to send the amendment to: (1) people you identify, and (2) others, including business associates, it knows hold the information and may rely on it to your detriment if not corrected. This ensures accurate information is available for care and payment decisions.
Denial of Amendment
Your request may be denied if the record was not created by the Covered Entity (and the original source is available), is not part of the Designated Record Set, is not subject to your right of access, or is accurate and complete. A denial does not end the process.
Your options after a denial
You may submit a Statement of Disagreement explaining why you object to the denial. The provider or plan may write a rebuttal and must give you a copy. The request, denial, your Statement of Disagreement, and any rebuttal must be linked to the disputed record so that they, or an accurate summary of them, accompany future disclosures.
Notification of Denial
A denial letter must state the specific reasons for denial, how to file a Statement of Disagreement, how you can require the request and denial to be included in future disclosures, and how to complain to the provider or plan and to the appropriate government authority. These Patient Notification Requirements ensure you know your next steps.
Informing Third Parties
When an amendment is accepted, Third-Party Disclosure is part of the process. The Covered Entity must send the correction to the people you list and to others it knows have the information and might rely on it. To help, provide accurate recipient details and any reference numbers those organizations use.
If an amendment is denied, the Covered Entity must include your request and denial—and, if submitted, your Statement of Disagreement and any rebuttal—with future disclosures of the disputed information or provide a clear summary. This ensures recipients understand the dispute and can weigh the information appropriately.
In short, use a clear Written Amendment Request, track the Response Timeframe, and, whether accepted or denied, rely on the built‑in Patient Notification Requirements to correct the record or preserve your disagreement for future uses and disclosures.
FAQs
What is the timeframe for a HIPAA amendment response?
The provider or health plan must act within 60 days. If more time is needed, it may take one additional 30-day extension, but it must send you written notice explaining the reason and the exact extended deadline.
How do I submit a HIPAA amendment request?
Send a Written Amendment Request to the privacy office of the Covered Entity. Identify the specific entry to change, state why it is inaccurate or incomplete, attach supporting documents, and list any third parties to notify if the amendment is accepted.
What happens if my HIPAA amendment request is denied?
You will receive a written denial with reasons and instructions for next steps. You can submit a Statement of Disagreement; the provider or plan may issue a rebuttal. Your request, the denial, your statement, and any rebuttal must be linked to the record and included with future disclosures or summarized accurately.
How are third parties informed of a HIPAA amendment?
If the amendment is accepted, the Covered Entity must make reasonable efforts to send the correction to people you name and to others it knows have the information and might rely on it, including business associates. If denied, future disclosures must include the request and denial (and any statements) or a clear summary of them.