HIPAA Patient Right to Amend Medical Records: How to Request Changes and What to Expect

Right to Request Amendment

Under HIPAA, you have the right to ask a covered entity—such as your doctor, hospital, or health plan—to amend Protected Health Information (PHI) about you in its Designated Record Set. This is the collection of records used to make decisions about your care, such as medical records and billing records.

An amendment adds or clarifies information; it does not usually delete original entries. You can request changes when something is inaccurate or incomplete, including demographics, medication lists, allergies, problem lists, test results, or billing codes tied to your treatment.

• Included: medical and billing records, enrollment and payment records, and other PHI used to make decisions about you.
• Excluded: psychotherapy notes and information compiled for legal proceedings, which are not part of the Designated Record Set.

You or your personal representative may submit a request. Providers may require the request to be in writing and to include a reason, but they cannot require you to use a specific form if you provide the necessary elements.

Submission Process

Amendment Request Procedure

Start by contacting the provider’s Privacy Officer or the medical records department. Ask whether the organization has a preferred form or portal, and request instructions for where to send your materials.

What to include

• Your identifying details: full name, date of birth, medical record or member number, and contact information.
• A precise description of the entry(ies) to amend: date, author (if known), location in the record, and why the information is inaccurate or incomplete.
• The correction you propose: the exact text or data you want added, along with supporting documentation (e.g., lab reports, prescriptions, discharge summaries).
• Your signature and date, acknowledging that the information is correct to the best of your knowledge.

How to submit

• Deliver via patient portal upload, secure email, mail, or in person as directed by the provider.
• Keep copies of everything you send and note the submission date for your records.

Clear, specific requests help the provider conduct Record Accuracy Verification faster and reduce back-and-forth.

Provider's Response Time

The Response Timeframe under HIPAA is 60 days from receipt of your request. If the provider needs more time, it may take a single 30-day extension, but must send you written notice explaining the delay and the expected decision date.

The provider must either accept the amendment in whole or in part, or deny it, and must communicate the decision to you in writing. You can ask for status updates if the timeframe is approaching.

Possible Outcomes

If your amendment is accepted

• The provider identifies the specific records affected and appends or otherwise links your amendment to those records in the Designated Record Set.
• The original note remains, but the record clearly displays the new information so future readers see the correction.
• With your permission, the provider will send the amendment to third parties who received and rely on the information, as described under Third-Party Notification.

If your amendment is partially accepted

The provider may agree with some portions and not others. You will receive written notification explaining what was changed and what was not, along with your options if you disagree with the partial denial.

Record Accuracy Verification

Before deciding, providers may verify sources (e.g., consulting the original author, reviewing labs, or checking prescribing data). This verification ensures the record reflects an accurate, complete clinical picture while preserving the integrity of contemporaneous notes.

Denial of Request

Your request can be denied for specific reasons, which must be explained to you in writing. Common grounds include:

• The information was not created by the provider (and the original author is available to act on your request).
• The information is not part of the Designated Record Set.
• The information is not available for access under HIPAA (for example, psychotherapy notes or information compiled for litigation).
• The record is accurate and complete as it stands.

The denial letter must explain the basis for denial, how to file a complaint with the provider, that you may complain to the U.S. Department of Health and Human Services, and how to submit a Statement of Disagreement.

Patient's Right to Disagree

Statement of Disagreement

If denied, you may submit a Statement of Disagreement explaining why you believe the record is inaccurate or incomplete. Providers may set a reasonable length limit; keep your statement focused on facts and the specific entries you contest.

Provider rebuttal and future disclosures

The provider may create a written rebuttal and must give you a copy. After that, the provider must append or link the request, denial, Statement of Disagreement, and any rebuttal to the disputed entry and include them (or a summary) with future disclosures of that part of your record.

If you choose not to file a statement

You can ask the provider to include your original amendment request and the denial with any future disclosures of the disputed information. This ensures downstream recipients are aware of your challenge.

Notification of Third Parties

When an amendment is accepted, the provider must make reasonable efforts to send the amendment to persons you identify and agree to notify, as well as to others the provider knows have the relevant PHI and may rely on it. This Third-Party Notification helps keep your information accurate wherever it is used.

• You can list current care team members, health plans, downstream providers, and other recipients who should receive the amendment.
• For coordinated care, the provider or health plan may share the amendment across systems so it appears in connected records.

Bottom line: Use the Amendment Request Procedure to target specific entries, include evidence, and track the Response Timeframe. If denied, a concise Statement of Disagreement keeps your perspective attached to future disclosures, and accepted amendments trigger appropriate third-party updates.

FAQs.

How do patients request an amendment to their medical records?

Submit a written request to the provider’s Privacy Officer or records department identifying the exact entries to amend, why they are inaccurate or incomplete, and the correction you propose. Include supporting documents, your contact information, and your signature. Ask whether the organization has a preferred form or portal to streamline processing.

What reasons can lead to the denial of an amendment request?

Typical reasons are that the information was not created by the provider (and the originator is available), is not part of the Designated Record Set, is not accessible under HIPAA (e.g., psychotherapy notes), or is already accurate and complete after Record Accuracy Verification.

What are the provider's responsibilities after accepting an amendment?

The provider must identify the affected records, append or link your amendment in the Designated Record Set, inform you of the change, and—with your agreement—send the amendment to those you name and others known to rely on the information. Future disclosures must include the corrected information.

How can patients respond if their amendment request is denied?

You may submit a Statement of Disagreement for the record. The provider may write a rebuttal and must give you a copy. Even if you choose not to file a statement, you can request that your original amendment request and the denial accompany future disclosures of the disputed information, and you may file a complaint with the provider or with federal authorities.