Your HIPAA Privacy Rule Amendment Right: How to Request Changes to Your Medical Records
Your HIPAA Privacy Rule amendment right gives you a clear, standardized path to correct or clarify inaccurate or incomplete information in your medical records. When you exercise this right, a covered entity must review your request and act within specific HIPAA compliance timelines.
This right applies to protected health information (PHI) that a covered entity maintains in a designated record set. Understanding what’s covered, how to submit an effective request, and what happens next will help you navigate any medical record correction policy with confidence.
Right to Request Amendment
You may request an amendment to PHI maintained by a covered entity (such as a health care provider or health plan) if you believe it is incorrect or incomplete. The request must target information in the designated record set—the records used to make decisions about you.
- The designated record set typically includes medical and billing records held by providers, and enrollment, claims, and case management records held by health plans.
- An amendment does not erase the original entry; instead, the covered entity appends or links your correction so future users see both the original and the update.
- Covered entity obligations include having a medical record correction policy, accepting requests, and acting on them within required timelines.
Procedure for Requesting Amendment
What to include in your request
- Your identifying details (name, date of birth, contact information) and how to reach you securely.
- Exact record(s) to amend: date(s) of service, provider name, location, and the specific entry that is inaccurate or incomplete.
- The precise change you seek and why it is warranted, with supporting materials (e.g., lab reports, consult notes, discharge summaries).
- Names or organizations you want notified if the amendment is accepted (e.g., another provider or insurer who may rely on the record).
How and where to submit
- Send your written request to the covered entity’s Privacy Officer or follow the instructions in the Notice of Privacy Practices. Many organizations provide a portal or form, but they may also accept a letter.
- Keep copies of everything you submit, note the date sent, and request written acknowledgment or a confirmation number.
- If the disputed entry was created by another organization, the covered entity may direct you there—unless the original source is no longer available to act, in which case your request should still be considered.
Covered Entity's Response Time
Under HIPAA compliance timelines, the covered entity must act on your amendment request within 60 days of receipt. If more time is needed, it may take a single 30-day extension but must send you a written notice before day 60 explaining the delay and providing a firm completion date.
- If accepted: You receive written confirmation describing the amendment and next steps, including notifications to others you identified and to parties the entity knows rely (or may rely) on the information.
- If denied: You receive a timely written denial stating the reasons and explaining your rights, including how to submit a statement of disagreement.
Possible Denial of Amendment
The criteria for denying an amendment request are narrow. A covered entity may deny your request if it determines that the PHI at issue:
- Was not created by the covered entity (unless the original source is no longer available to act on the request).
- Is not part of the designated record set.
- Would not be available for your inspection and access (for example, certain categories restricted by law).
- Is accurate and complete as it stands.
Even when a denial occurs, you retain important rights to have your perspective reflected in the record and carried forward in future disclosures.
Statement of Disagreement
If denied, you may submit a written statement of disagreement explaining why you believe the decision was incorrect. The covered entity may reasonably limit the length, but it must add your statement to the designated record set alongside your original request and the denial.
The covered entity may prepare a written rebuttal and must provide you a copy. For any future disclosure of the disputed PHI, the entity must include the amendment packet—or a concise summary—so recipients understand the disagreement.
Notification of Amendment
When an amendment is accepted, the covered entity must identify the affected records and append or link the amendment so users see it whenever they access the information. You will receive confirmation of the change.
- The entity must make reasonable efforts to notify persons you designate and others it knows have relied or may rely on the information, including relevant business associates.
- This ensures downstream corrections so decisions about your care, coverage, or benefits reflect the updated record.
Retention of Amendment Requests
Covered entity obligations include documenting amendment requests, denials, statements of disagreement, rebuttals, and notifications. HIPAA requires retention of this documentation for at least six years, which supports accountability and a consistent medical record correction policy.
For your records, keep copies of all submissions and responses. In summary, you have a right to request amendment of protected health information in the designated record set, the entity must act within strict HIPAA compliance timelines, and—whether accepted or denied—your voice follows the record through required notices and dispute documentation.
FAQs
What is the process to request an amendment under HIPAA?
Write to the covered entity’s Privacy Officer identifying the specific record entry, what is wrong or incomplete, and the exact amendment you seek. Include reasons and supporting documents, and list anyone you want notified if the amendment is accepted. Keep copies and request written acknowledgment.
How long does a covered entity have to respond to an amendment request?
The entity must act within 60 days of receiving your request. It may take one 30-day extension if it sends you a written notice before day 60 explaining the reason for delay and giving a definite completion date.
When can an amendment request be denied under HIPAA?
Denial is permitted only if the information was not created by the entity (and the originator can still act), is not in the designated record set, would not be available for access under the Privacy Rule, or is already accurate and complete.
What happens if my amendment request is denied?
You can submit a statement of disagreement, which the entity must add to your record and include with future disclosures of the disputed information. The entity may write a rebuttal but must give you a copy. You may also ask that your original request and the denial accompany future disclosures, and you can pursue internal or regulatory complaints if warranted.