Your HIPAA Right to Amend Your Medical Records: How to Request a Correction

Right to Request Amendments

The HIPAA Privacy Rule gives you the right to request corrections to Protected Health Information in your Designated Record Set. This set includes medical and billing records that providers and health plans use to make decisions about you. If something is inaccurate or incomplete, you can ask the provider to amend it.

Amendments typically add an explanatory addendum rather than deleting information. The goal is to accurately reflect what happened, when it happened, and any clinical context, while preserving an auditable history.

Some information is not subject to amendment under HIPAA, such as psychotherapy notes and data compiled for legal proceedings. Requests targeting records not used to make decisions about you, or records held solely for quality assurance, may also fall outside the Designated Record Set.

Amendment Request Process

Prepare a clear, focused request

• Identify the specific entry (date, author, section) that is inaccurate or incomplete.
• State precisely what is wrong and what the correction or addendum should say.
• Provide supporting materials (e.g., test results, encounter summaries, correspondence).

Submit in writing to the right contact

Send your request to the provider’s privacy officer or medical records department. Providers may require a written request and a reason for the amendment; many offer a standard form, but a clear letter works if it contains all required details.

Track your filing

• Keep a copy of your request and proof of delivery; label these as your Amendment Request Documentation.
• List people or organizations that received the erroneous information so the provider can notify amendment recipients if your request is accepted.

Provider Response Requirements

Provider Response Timeframes

The provider must act on your request within 60 days. If more time is needed, they may take one 30-day extension, but they must inform you in writing before the original deadline with the reason for delay and a date by which they will complete the action.

If the amendment is accepted

• The provider amends the record by adding or linking the correction within the Designated Record Set.
• You are notified of the acceptance and asked to confirm who should be informed of the amendment.
• The provider makes reasonable efforts to notify relevant parties that rely on the information.

If the amendment is denied

The provider must send a Written Denial Notice explaining the basis for denial, your right to submit a Statement of Disagreement, and how to file a complaint with the provider and the U.S. Department of Health and Human Services.

Denial of Amendment Requests

Common grounds for denial

• The information is accurate and complete as is.
• The information was not created by the provider (and the original source is available to amend).
• The information is not part of the Designated Record Set.
• The information is not available to you for inspection under HIPAA (for example, psychotherapy notes or information compiled for legal proceedings).

What a Written Denial Notice includes

• The specific reason(s) for denial in plain language.
• Instructions on how to submit a Statement of Disagreement.
• Your option to require that the original request and denial accompany future disclosures if you choose not to submit a disagreement statement.
• How to file a complaint with the provider and with HHS, including a contact person.

Notification and Documentation

Notification of Amendment Recipients

When an amendment is accepted, providers must make reasonable efforts to notify people and organizations you identify, as well as others they know have the information and may rely on it. This can include referring clinicians, health plans, pharmacies, and business associates.

Documentation and retention

• Providers must maintain Amendment Request Documentation, acceptance or denial notices, any Statement of Disagreement, and any rebuttal.
• These materials must be retained and appended or linked to the affected records so they accompany future disclosures as required by the HIPAA Privacy Rule.

Handling Accepted Amendments

Updating the record

• Identify each affected entry and add a dated addendum or link that clearly states the corrected facts.
• Ensure the amendment is accessible wherever the Designated Record Set resides (EHR, paper chart, billing system).

Downstream communication

• Send the amendment to amendment recipients you designate.
• Make reasonable efforts to reach other parties known to rely on the information, so decisions about your care or coverage reflect the correction.

Rights to Statement of Disagreement

If your request is denied, you may submit a Statement of Disagreement explaining why you believe the denial is incorrect. The provider may prepare a rebuttal and must give you a copy.

For future disclosures of the disputed information, the provider must include the request, denial, and your Statement of Disagreement (or a summary), along with any rebuttal. If you choose not to submit a statement, you can still require the provider to include your original request and the denial with future disclosures.

Conclusion

Your HIPAA Right to Amend Your Medical Records empowers you to correct inaccurate or incomplete information in your Designated Record Set. Submit a focused written request, track Provider Response Timeframes, and use your Statement of Disagreement rights if needed. Proper Notification of Amendment Recipients and thorough documentation help ensure your corrected information follows your care and coverage.

FAQs

What qualifies as a valid amendment request under HIPAA?

A valid request identifies the specific record entry to change, explains why it is inaccurate or incomplete, states the exact correction you propose, and includes any supporting evidence. It must be in writing if the provider requires written requests, and it should target information in the Designated Record Set used to make decisions about you.

How long do providers have to respond to an amendment request?

Providers must act within 60 days. If they cannot complete the action in that time, they may take a single 30-day extension, but they must notify you in writing before the 60th day with the reason for delay and the expected completion date.

What reasons can a provider use to deny an amendment request?

Common reasons include finding the record accurate and complete; the record was not created by the provider and the source is available to amend; the information is not part of the Designated Record Set; or the information is not subject to amendment (for example, psychotherapy notes or data compiled for legal proceedings).

What are the next steps if an amendment request is denied?

You can submit a Statement of Disagreement for inclusion with the record. The provider may issue a rebuttal and must give you a copy. Even without a statement, you may require the provider to include your original request and the Written Denial Notice with future disclosures. You also have the right to file a privacy complaint with the provider and with HHS.