Your Right to Amend Your Medical Records Under the HIPAA Privacy Rule

Your Right to Amend Your Medical Records Under the HIPAA Privacy Rule gives you a clear path to correct or clarify information about you. This right applies to the protected health information in a covered entity’s designated record set, not every scrap of data the organization holds. Understanding where this right applies, how to use it, and how covered entity compliance works helps you act confidently.

Amendment is different from medical records access. Access lets you see or obtain copies; amendment lets you ask for corrections or add clarifying information. The HIPAA privacy rule obligations set timelines and procedures that covered entities must follow when you make an amendment request.

Right to Request Amendment

You may request an amendment to protected health information maintained by a covered health care provider, health plan, or clearinghouse. The request can seek to fix inaccuracies, fill in missing context, or add a patient statement to explain your perspective. Your request should target the specific entries you believe are incomplete or incorrect.

HIPAA limits this right to the designated record set. That set typically includes medical and billing records used to make decisions about you, such as histories, test results, diagnoses, treatment plans, and claims. Data outside this set—like quality assurance files not used to make decisions about you—generally falls beyond the amendment right.

• How to file: Most covered entities require a written request stating what you want changed and why. Use their form if they have one, or submit a signed letter through a portal, by mail, or in person.
• Be specific: Identify the document name, date, page or section, and the exact language to add, correct, or clarify.
• Support your request: Include records, test results, or other documentation that back up the change you seek.
• Keep copies: Retain your submission, confirmations, and any correspondence to track the amendment request timeline.

Covered Entities' Obligations

Covered entities must follow defined HIPAA privacy rule obligations when you ask for an amendment. The core requirement is timeliness and a fair review of your request, followed by appropriate documentation and notice.

• Timely action: They must act within 60 days of receiving your request. A single 30‑day extension is allowed if they send you written notice explaining the delay and a date by which they will complete the review.
• If accepted: They must amend the record by appending or otherwise linking the correction, identify the affected entries, and make reasonable efforts to notify persons and business associates who need the updated information.
• Who gets notified: People you identify and others the entity knows rely, or may rely, on the information for your care or payment decisions should receive the amendment.
• Process transparency: Entities may require written requests with reasons, but they must disclose these requirements in advance and apply them consistently for covered entity compliance.
• No erasing history: Amendments typically add to the record rather than delete entries, preserving a complete audit trail.

Grounds for Denial

Your amendment request can be denied for specific reasons. A written denial must explain the basis and describe your further rights, including how to submit a statement of disagreement.

• Not created by the covered entity, unless the originator is no longer available to act on the amendment.
• Not part of the designated record set that is used to make decisions about you.
• Not subject to medical records access under HIPAA (for example, psychotherapy notes or information compiled for legal proceedings).
• The existing record is accurate and complete as written.

Statement of Disagreement

If denied, you may submit a statement of disagreement explaining why you believe the information is incorrect or incomplete. Covered entities may set a reasonable length limit, so be concise and factual. Stick to the specific entries at issue and include supporting points.

The covered entity may prepare a written rebuttal. If it does, it must give you a copy. Going forward, your request, the denial, your statement of disagreement, and any rebuttal become part of the record set that travels with the disputed information when it is disclosed, in full or as an accurate summary, as HIPAA allows.

Documentation of Disagreement

When an amendment is denied, the covered entity must append or link the request, denial, statement of disagreement, and any rebuttal to the disputed portion of the designated record set. This documentation ensures future users of the information see your position and the entity’s response.

For subsequent disclosures involving the contested information, the entity must include the amendment materials or an accurate summary when required. This process supports covered entity compliance and helps prevent future decisions from relying on information you have challenged without context.

Psychotherapy Notes Exclusion

Psychotherapy notes are a narrow category: the personal notes of a mental health professional documenting or analyzing session contents, kept separate from the medical record. They are excluded from HIPAA medical records access and, by extension, from the amendment right.

However, most mental health information outside psychotherapy notes—such as diagnoses, medications, session dates and times, treatment plans, test results, and progress summaries—resides in the designated record set. Those items remain subject to both access and amendment under HIPAA.

Charges for Copies

There is no fee simply to submit an amendment request or for the covered entity to process it. If you ask for copies of your records—whether original, amended, or a summary—HIPAA allows only a reasonable, cost‑based fee for labor, supplies, and postage. Retrieval or “data access” fees are not permitted.

To manage costs, consider requesting an electronic copy of the amended portion and the amendment documentation. You can also ask the entity to send amendment notices to identified recipients; this notification duty stems from HIPAA and should not carry a separate fee.

In short, use your amendment right when entries are wrong or incomplete, aim your request at the designated record set, and track the amendment request timeline. If denied, your statement of disagreement ensures your voice accompanies the record, promoting accuracy and transparency across future uses and disclosures.

FAQs.

What is the process to request an amendment to my medical records?

Submit a written request to the covered entity that maintains your records, identify the specific entries to change, explain why they are inaccurate or incomplete, and attach supporting documentation. Ask for confirmation of receipt, keep copies, and specify any people or organizations you want notified if the amendment is accepted.

How long do covered entities have to respond to amendment requests?

They must act within 60 days of receiving your request. If they need more time, they may take a single 30‑day extension, but only if they send you a written notice before day 60 explaining the reason for delay and the date by which they will finish.

Can my amendment request be denied and why?

Yes. Common reasons include that the record is accurate and complete, the information was not created by the entity and the originator is available, the information is not in the designated record set, or the information is not subject to HIPAA access—such as psychotherapy notes or data compiled for litigation.

What happens if my amendment request is denied?

You can submit a statement of disagreement for the record. The covered entity may write a rebuttal and must give you a copy. Your request, the denial, your statement, and any rebuttal are appended or linked to the disputed entry and must accompany future disclosures of that information as required, ensuring your perspective is visible.