HIPAA Privacy Rule Right to Amend: Requirements and Timelines Explained
The HIPAA Privacy Rule gives individuals the right to request corrections to their protected health information (PHI). This guide explains what the right to amend covers, the exact timelines you must meet, when you may deny a request, and how to document and communicate your decisions to stay in full compliance.
Right to Amend Protected Health Information
What the right covers
Under the HIPAA Privacy Rule, an individual may request that you amend PHI maintained in a Designated Record Set if they believe it is inaccurate or incomplete. The right applies to information used to make decisions about the individual, whether stored on paper or electronically.
Designated Record Set: scope and limits
- Includes medical and billing records, enrollment and payment records, and other records you use to make decisions about the individual.
- Excludes psychotherapy notes and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
- If you did not create the PHI, you generally may deny the request unless the creator is no longer available to act.
How individuals request an amendment
- You may require requests in writing and that they include a reason supporting the change.
- Acknowledge receipt, verify identity/authority, and route the request to the record owner within your organization.
Embedding “Correction Principle Compliance” into workflow—clear forms, routing, and review criteria—helps you act consistently and reduces risk.
Timeframe for Responding to Amendment Requests
Amendment Request Timeframe
- You must act on the request within 60 days of receipt—by accepting the amendment or issuing a denial.
- You may take one 30-day extension if you provide the individual a written notice before day 60 that explains the reason for delay and sets a firm completion date.
If the amendment is accepted
- Amend the protected health information (PHI) in the Designated Record Set by adding or linking the corrective information; do not delete original entries.
- Notify the individual that the amendment is complete.
- Within a reasonable time, inform persons (including business associates) you know have the unamended PHI and could rely on it to the individual’s detriment; also notify any recipients the individual identifies.
Conditions for Denial of Amendment Requests
You may deny an amendment request only if one or more of these conditions apply:
- The PHI was not created by your organization, and the individual has not shown that the originator is no longer available to act.
- The PHI is not part of the Designated Record Set.
- The PHI would not be available for individual inspection (for example, psychotherapy notes or litigation-prepared information).
- The PHI is accurate and complete as it stands.
When denying, apply consistent criteria and document the evidence supporting your decision.
Notification Procedures for Denial
Written Denial Notice
Within the 60-day period (or the single 30-day extension), you must send the individual a written denial that includes:
- The specific basis for the denial, stated in clear, plain language.
- The individual’s right to submit a Statement of Disagreement and how to do so.
- The individual’s right to request that the original amendment request and your denial be included with future disclosures if they choose not to submit a disagreement.
- How to file a complaint with your organization and with the U.S. Department of Health and Human Services, including the name or title and telephone number of a contact person.
Retain a copy of the Written Denial Notice and the date sent for audit purposes.
Handling Statements of Disagreement
Receiving and appending
- If the individual submits a Statement of Disagreement, you must append or otherwise link the statement to the contested PHI in the Designated Record Set.
- You may reasonably limit the statement’s length, but you cannot refuse to include it.
Rebuttal and future disclosures
- You may prepare a written rebuttal; you must provide a copy to the individual.
- For any subsequent disclosure of the disputed PHI, include the amendment (if accepted) or, if denied, include the request, denial, Statement of Disagreement, and your rebuttal—or an accurate summary of these documents.
Role of Business Associates in Amendments
Business Associate Notification
- When you accept an amendment, notify relevant business associates so they can incorporate the change into any PHI they maintain for you.
- Business associates must make the amendment as directed by you and confirm incorporation in their systems and downstream processes.
- If a business associate identifies an amendment need, it must inform you; you remain responsible for acting on the individual’s request.
Your business associate agreements should expressly require timely amendment incorporation and onward transmission of corrections where applicable.
Recordkeeping and Compliance Requirements
Policies, tracking, and audits
- Maintain written procedures for intake, review, approval/denial, extensions, and notifications to recipients.
- Track each request with dates received, decisions, notices sent, and recipients notified, including business associates.
- Train workforce members who create or manage Designated Record Set content on amendment workflows and documentation standards.
Record Retention Requirements
- Retain all amendment-related documentation—including requests, acceptance logs, Written Denial Notices, Statements of Disagreement, rebuttals, and extension notices—for at least six years from the date of creation or last effective date, whichever is later.
- Keep evidence of updates made in source systems and the method used to append or link amendments.
Conclusion and key takeaways
- Act within 60 days (one 30-day extension allowed with notice).
- Amend or deny using clear, documented criteria tied to the Designated Record Set.
- Send a complete Written Denial Notice when applicable and manage Statements of Disagreement and rebuttals properly.
- Notify recipients and business associates to preserve accuracy across all locations of the PHI.
- Document everything and retain records to demonstrate Correction Principle Compliance.
FAQs
What is the time limit for responding to a HIPAA amendment request?
You must act within 60 days of receiving the request. If necessary, you may take one additional 30-day period by sending a written extension notice before day 60 that explains the delay and sets a completion date.
When can a covered entity deny an amendment request?
You may deny if the PHI was not created by you (and the originator is available to act), is not part of the Designated Record Set, would not be available for inspection, or is already accurate and complete based on your records.
How must a covered entity notify an individual of a denial?
Provide a Written Denial Notice in plain language within the applicable timeframe. The notice must state the basis for denial, explain the right to submit a Statement of Disagreement or to have the request and denial included with future disclosures, and describe complaint options with a contact name or title and telephone number.
What are the responsibilities regarding business associates after an amendment?
When you accept an amendment, notify relevant business associates so they can incorporate the change into PHI they maintain for you and propagate corrections as needed. Your business associate agreements should require timely amendment incorporation and confirmation.