How to Amend Your Medical Records Under HIPAA (Step-by-Step Guide)
Patient’s Right to Amend Records
What the right covers
HIPAA gives you the right to request corrections to protected health information kept in a designated record set—typically your medical and billing records and any other records a provider or health plan uses to make decisions about you. The goal is record accuracy, not rewriting history. Providers generally add an addendum explaining the change rather than deleting the original entry.
Scope and limits
This right applies to covered entities (providers, health plans) and, through contracts, to many business associates. It does not usually cover psychotherapy notes, litigation materials, or records not used to make decisions about you. You may still ask, but these categories often fall outside the designated record set.
Who can request
You or your personal representative may submit a written amendment request. If another organization created the information (for example, a prior provider), your current provider can consider your request but may deny it if it did not create the record and the originator is available to amend it.
Requesting an Amendment
Step-by-step process
- Identify the keeper of the record. Request the amendment from the provider or health plan that maintains the specific record entry you want corrected.
- Prepare a written amendment request. Specify the exact entry (date, section, page, or screen), what is inaccurate or incomplete, and why. Attach supporting documents (test results, letters, discharge summary) to reinforce record accuracy.
- Submit to the Privacy Officer or Medical Records department. Many organizations have a standard form; use it if available, but your own letter is valid if it includes the required details and your signature.
- Keep copies. Retain your submission, exhibits, and proof of delivery. These will matter if timing or content is disputed later.
What to include
- Your identifiers (full name, date of birth, medical record/account numbers).
- A precise description of the requested change and where it appears in the designated record set.
- Your reason for the change, stated factually (for example, “MRI on 03/14/2025 showed no fracture; note dated 03/12/2025 states ‘distal radius fracture’”).
- Authorization to notify others who rely on the information, if the amendment is accepted.
Provider’s Response Timeframe
Provider response deadline
The covered entity must act on your request within 60 days. If it cannot complete its review in that window, it may take one 30‑day extension by sending you a written notice before day 60 that explains the reason for delay and sets a firm completion date. “Acting” means granting the amendment or issuing a written denial—not just acknowledging receipt.
If you hear nothing
Follow up with the Privacy Officer and provide your submission date and delivery proof. If deadlines lapse without action, you may file an internal complaint and, if needed, a complaint with the Office for Civil Rights describing the missed response deadline.
Denial of Amendment Requests
Amendment denial criteria
- The information was not created by the provider (and the originator is available to amend).
- The information is not part of the designated record set.
- The information is not available for inspection under HIPAA (for example, certain legal records or psychotherapy notes).
- The information is accurate and complete as it stands.
What a denial must include
The denial must be a written notice that states the specific basis for denial, explains your right to submit a statement of disagreement and how to do so, describes how to request that your original request and the denial accompany future disclosures, and explains how to file a complaint with the Office for Civil Rights.
Your options after denial
- Submit a statement of disagreement (see below).
- Ask the provider to include your request and the denial with any future disclosures of the disputed information.
- Escalate concerns through the provider’s complaint process or by filing a complaint with the Office for Civil Rights. Retaliation for exercising HIPAA rights is prohibited.
Documentation of Amendments
How accepted amendments are handled
When a request is granted, the provider adds the amendment as an addendum, identifies the affected entries, and links or appends the amendment so readers see both the original and the correction. The original record remains intact, but the amendment becomes part of the designated record set.
Required recordkeeping
Providers must maintain documentation of the written amendment request, the decision (approval or denial), any notices sent, and any rebuttals or statements tied to the request. HIPAA requires retention of such documentation for at least six years, supporting accountability and ongoing record accuracy.
Notification of Amendments
Patient notification
If your amendment is accepted, you receive written notification confirming what was changed and where the amendment appears. The notice should also confirm your opportunity to identify people or organizations that should be informed.
Who else gets notified
The provider must make reasonable efforts to notify persons you identify and others known to rely on the information (including applicable business associates). In electronic health record environments, this often means updating internal systems and sending correction notices so downstream users do not continue relying on outdated information.
Statement of Disagreement
How to submit
If your request is denied, you may file a concise statement of disagreement explaining why you believe the information is inaccurate or incomplete. Keep it factual and focused on the disputed entry. The provider may write a rebuttal but must give you a copy.
How it is used
For later disclosures of the disputed information, the provider must include the amendment (if any), your statement of disagreement, and any rebuttal—or a summary—so recipients understand the context. Even if you choose not to submit a statement, you may require the provider to include your original written amendment request and the denial with future disclosures.
Key takeaway
Successful amendments start with a precise, evidence‑based written amendment request, awareness of the provider response deadline, and a clear plan for next steps if denied. Use HIPAA’s tools—notification, documentation, and the statement of disagreement—to protect record accuracy and ensure that others who rely on your information receive the corrected version.
FAQs
How do I request an amendment to my medical records under HIPAA?
Send a written amendment request to the provider or health plan that maintains the record. Identify the exact entry you want corrected, explain why it is inaccurate or incomplete, attach supporting documents, authorize notifying others who rely on the information, and keep copies of everything you submit.
What is the timeframe for a provider to respond to an amendment request?
The provider must act within 60 days by approving the amendment or issuing a written denial. If more time is needed, it may take one 30‑day extension with a written notice that explains the reason and sets a new completion date.
Can I challenge a denial of my amendment request?
Yes. You can submit a statement of disagreement, ask the provider to include your request and the denial with future disclosures, use the provider’s complaint process, and file a complaint with the Office for Civil Rights if you believe HIPAA was not followed.
How are amendments documented in medical records?
Approved changes are added as an addendum that links to the original entry, preserving the original while correcting the record. The provider documents your request, the decision, notifications sent, and any statements or rebuttals, and retains these materials as required by HIPAA.