This practice brief has been updated. See the latest version here. This version is made available for historical purposes only.
Editor’s note: This update supplants the 2011 practice brief “Patient Access and Amendment to Health Records.”
Before April 2003 a patient’s legal right to access and amend his or her health records was limited to those patients treated at healthcare organizations operated by the federal government or patients in states that had passed specific legislation affording them that right. Traditionally, the information contained within the health record belonged to the individual patient, and the paper it was printed on belonged to the healthcare facility.
The Health Information Portability and Accountability Act (HIPAA) and then the Health Information Technology for Economic and Clinical Health Act (HITECH) changed how covered entities approach a patient’s right to access and amend Protected Health Information (PHI). Generally, all consumers now have the ability to inspect, obtain a copy, and request to amend information collected and maintained about them.
This practice brief provides guidance regarding patient access and amendment rights granted under federal and state law. It describes patient access rights under 45 CFR 164.524 and amendment rights under 164.526. (This brief does not cover organizational requirements under the HIPAA security rule regarding roles-based access or HITECH requirements for an Access Report showing releases for Treatment, Payment, or Health Care Operations to PHI stored in an EHR.)
Patient Rights – Right to Access and Right to Request Amendment
The HIPAA privacy rule provides patients with specific rights to their health information. Regulations applied to covered entities (healthcare plans, healthcare clearinghouses, and healthcare providers who transmit specific transactions electronically), as well as the business associates of these organizations, established an individual’s right to access and amend their PHI in all but a limited number of situations. This includes PHI in any media (paper, electronic, or oral) that is maintained by a covered entity or its business associate. The Patients’ Right to Access must be granted within 30 days regardless of record location (onsite vs. offsite) and regardless of media type. One 30-day extension applies but must be communicated to the patient and documented. Any denial of access also needs to fit within this 30 day/60 day time frame.
HITECH provides the right for patients to receive their information as described in the designated record set (DRS) electronically. This may be via CD, thumb drive or through a patient portal if this is available.
If the form and format of the electronic information in the DRS are not readily producible, or if the information is not in a readable electronic form and format, the covered entity (CE) may produce the health information in a form and format agreed to by the individual.
The individual may also direct the CE to transmit an electronic copy of their information in the DRS to another entity or person. CEs must ensure that reasonable safeguards are in place to protect the ePHI in transit.
This provision applies to any electronic designated record set documents, not just those stored within the EHR.
- The patient can be charged for copying including any labor and supply costs.
- Postage can be charged if the patient is requesting it be mailed.
- A charge can be associated with the preparation of a summary of requested information provided the patient has agreed to a summary and any applicable fees ahead of time.
Exceptions to a Patient’s Right to Access
Individuals have the right to inspect and obtain copies of their PHI outlined within the organization’s designated record set, with a few exceptions. Covered entities may deny patient access without providing the patient an opportunity to review the designated record set in the following circumstances:
- The information is contained in psychotherapy notes. [45 CFR §164.524 (a)(1)(i)]
- The information has been compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. [45 CFR §164.524 (a)(1)(ii)]
- The information is subject to the Clinical Laboratory Improvement Amendments (CLIA) of 1988 (42 USC 263a) [45 CFR §164.524 (a)(1)(iii)(A)]; or is exempt from CLIA, pursuant to 42 CFR 493.3(a)(2) [45 CFR §164.524 (a)(1)(iii)(B)]
- The covered entity is a correctional institution or a healthcare provider acting under the direction of the correctional institution, and an inmate’s request to obtain a copy of protected health information would jeopardize the individual, other inmates, or the safety of any officer, employee, or other person at the correctional institution, or a person responsible for transporting the inmate. [45 CFR §164.524 (a)(2)(ii)]
- The individual agreed to the denial of access when consenting to participate in the research that includes treatment and the covered entity has informed the individual that the right to access information will be reinstated upon completion of the research. [45 CFR § 164.524 (a)(2)(iii)].
- The records are subject to the Privacy Act, 5 U.S.C. 552a, and the denial of access meets the requirements of that law. [45 CFR §164.524 (a)(2)(iv)]
- The PHI was obtained from someone other than a healthcare provider under a promise of confidentiality and access would likely reveal the source of the information. [45 CFR §164.524 (a)(2)(v)]
A covered entity may also deny an individual access for other reasons, provided that the individual is given a right to have such denials reviewed under the following circumstances:
- A licensed healthcare provider has determined that the access is likely to endanger the life or physical safety of the individual or another person. [45 CFR §164.524 (a)(3)(i)]
- The PHI makes reference to another person who is not a healthcare provider, and a licensed healthcare professional has determined that the access requested is likely to cause substantial harm to that other person. [45 CFR §164.524 (a)(3)(ii)]
- The request for access is made by the individual’s personal representative, and a licensed healthcare professional has determined that access is likely to cause substantial harm to the individual or another person. [45 CFR §164.524 (a)(3)(iii)]
A Patient’s Right to Amend PHI
The HIPAA privacy rule provides individuals with the right to request an amendment of their PHI within the designated record set. [45 CFR §164.526 (a)(1)] The rule specifies the processes covered entities must follow in responding to such a request. Appendix A of this brief features a sample policy on patient request for amendment. Appendix B contains a sample form for a request for amendment.
Covered entities may require individuals to make requests for amendment in writing and to provide a reason to support the amendment, provided that they inform individuals in advance of such requirements. [45 CFR §164.526 (b)(1)] A covered entity must document the titles of the persons or offices responsible for receiving and processing individuals’ requests for amendments, and must act on the individual’s request no later than 60 days after receipt. The covered entity may have a one-time extension of up to 30 days for an amendment request if it gives the individual a written statement of the reason for the delay and the date by which the amendment will be processed. [45 CFR §164.526 (b)(2)]
The covered entity may deny the request if it determines that the PHI or record that is the subject of the request:
- Was not created by the covered entity (unless the originator is no longer available to act on the request); 45 CFR §164.526 (a)(2)(i)
- Is not part of the Designated Record Set; 45 CFR §164.526 (a)(2)(ii)
- Would not be available for inspection; 45 CFR §164.526 (a)(2)(iii)
- Is accurate and complete. 45 CFR §164.526 (a)(2)(iv)
If a patient’s request for amendment is granted in whole or in part, the covered entity must:
- Identify the records that are affected by the amendment and append or provide a link to the location of the amendment; 45 CFR §164.526 (c)(1)
- Inform the individual that the amendment is accepted and obtain the individual’s agreement to have the covered entity notify the relevant persons with whom the amendment needs to be shared; 45 CFR §164.526 (c)(2)
- Within a reasonable time frame, make reasonable efforts to provide the amendment to persons identified by the individual and persons, including business associates, that the covered entity knows also hold the PHI that is the subject of the amendment and that may have relied on or could possibly rely on the information to the detriment of the individual. 45 CFR §164.526 (c)(3)
If the covered entity denies the requested amendment in whole or in part, it must provide the individual with a timely, written denial written in plain language that contains:
- The basis for the denial; 45 CFR §164.526 (d)(1)(i)
- The individual’s right to submit a written statement disagreeing with the denial and how the individual may file such a statement. The covered entity may reasonably limit the length of the statement of disagreement; 45 CFR §164.526 (d)(1)(ii)
- A statement that if the individual does not submit a statement of disagreement, the individual may request that the covered entity provide the individual’s request for amendment and the denial with any future disclosures of PHI; 45 CFR §164.526 (d)(1)(iii)
- A description of how the individual may complain to the covered entity or the Secretary of Health and Human Services; 45 CFR §164.526 (d)(1)(iv)
- The name (or title) and telephone number of the designated contact person who handles complaints for the covered entity. 45 CFR §164.526 (d)(1)(iv)
The covered entity may prepare a written rebuttal to the individual’s statement of disagreement. Whenever such a rebuttal is prepared, the covered entity must provide a copy to the individual who submitted the statement of disagreement. [45 CFR §164.526 (d)(3)]
If a statement of disagreement has been submitted by the individual, the covered entity must, as appropriate, identify the record or PHI in the designated record set that is the subject of the disputed amendment and append or link the individual’s request for amendment, the covered entity’s denial of the request, the individual’s statement of disagreement (if any), and the covered entity’s rebuttal (if any), to the designated record set. [45 CFR §164.526 (d)(4)]
For any future disclosures of PHI where a request for amendment has been denied in whole or in part, the covered entity must do the following:
- If a statement of disagreement has been submitted, the covered entity must include the appended material, or an accurate summary; or [45 CFR §164.526 (d)(5)(i)]
- If the individual has not submitted a statement of disagreement and the individual has requested the denial be submitted with any subsequent disclosure, the covered entity must submit the request for amendment and its denial, or an accurate summary. [45 CFR §164.526 (d)(5)(ii)]
When a subsequent disclosure is made using a standard transaction that does not permit the additional material to be included, the covered entity may separately transmit the material required. It is up to the organization to determine how many times a patient is permitted to disagree with a denial and the organization will issue a rebuttal. One rebuttal from the patient and the covered entity is usually sufficient, but the final decision on how to manage this is up to the covered entity.
A covered entity that is notified by another covered entity of an amendment to an individual’s PHI must amend the designated record set. [45 CFR §164.526 (e)]
Additional Forms and Tools can be found in the Amendment Toolkit at: http://library.ahima.org/xpedio/groups/secure/documents/ahima/bok1_049731.pdf
Other issues that need to be addressed:
- State law(s) - Individual states may have laws or regulations that address how access and amendments to patient records should be processed.
- Access by a Covered Entity, Business Associate, or Subcontractor employee to their own PHI - These organizations need to create policies that address when and how employees may access their own PHI. Employees should be required to go through a formal process that is similar or identical to the process that other patients are required to follow, and under no circumstances should an employee ever be allowed to edit their own PHI.
Appendix A: Sample Amendment Policy and Procedure
A patient has the right to request an amendment to his or her health record per 45 CFR §164.526 of the HIPAA Privacy Rule, and it is the policy of this organization to respond to any amendment requests in accordance with this rule. The Health Information Management (HIM) Department, Privacy Officer or designee will be responsible for assisting patients and accepting patient requests for amendments. The organization’s Privacy Officer will be responsible for processing all individual requests for amendments.
General information regarding requests for amendment, forms relating to amendments, and correspondence relating to denial or acceptance of requests to amend will be filed in the patient’s designated record set and appended to the protected health information (PHI) as required by the Privacy Rule.
- The patient will be directed to the HIM department to complete the Request for Amendment form according to HIPAA Privacy Rule. (Only written requests will be accepted.)
- The HIM department representative will forward the request to the Privacy Officer for review and processing.
- Upon receipt of the completed written request the Privacy Officer will contact the author to review and evaluate the requested amendment.
- If the amendment is accepted by the author, the PHI will be amended (according to HIPAA guidelines) and the patient will be informed within 60 days of the written request.
- If the amendment is denied by the author, the patient will be notified (according to HIPAA guidelines) in writing within 60 days of the written request.
- If the organization is unable to act on the request for amendment within 60 days, the organization will notify the individual in writing of the reasons for the delay prior to the end of the 60 day deadline. The organization will have an additional 30 days to process and respond to the individual’s request for amendment.
Acceptance of Request for Amendment
If the organization accepts the requested amendment, in whole or in part, the organization will take the following steps:
- The HIM department representative will place a copy of the amendment in the patient’s designated record set and link it to the original documentation, or a reference to the location of the amendment will be provided within the body of the medical record.
- The HIM department representative will ensure that the amended documents are placed in the patient’s designated record set, working with Information Services for those documents created, maintained, or stored electronically.
- The HIM department representative will notify the relevant persons or entities with whom the amendment needs to be shared, as identified by the patient on the original Amendment Request Form.
- If the individual is unsure as to who should receive the amended information, the HIM department should work with the individual to ensure that all parties are appropriately identified.
- The Privacy Officer will identify other persons, including Business Associates, that are known to have PHI and that may have relied on, or could possibly rely on, such information to the detriment of the patient.
- If no additional persons needing notification of the amendment are identified, the Privacy Officer will inform the patient in writing (according to HIPAA guidelines) that the amendment has been accepted.
Denial of Request for Amendment
If the organization determines that the request for amendment should be denied in whole or in part, the Privacy Officer will send the patient (according to HIPAA guidelines) an amendment denial letter.
The denial will be written in plain language and shall contain the following:
- The basis for denial.
- A statement that the patient has a right to submit a written statement disagreeing with the denial, and an explanation of how the patient may file such a statement.
- A statement that, if the patient does not submit a statement of disagreement, the patient may request that the organization include the patient’s request for amendment and the denial with any future disclosures of the PHI that is the subject of the amendment.
- Instructions as to how the patient may file a complaint with the organization or to the Secretary of the US Department of Health and Human Services. The instructions will include the name and/or title as well as the telephone number of the contact person who is responsible for accepting these complaints.
- If the patient submits a written statement of disagreement, the organization may prepare a written rebuttal to the statement. The organization will provide a copy of the written rebuttal to the patient who submitted the statement.
The following documentation must be appended or otherwise linked to the PHI that is the subject of the disputed amendment:
- The patient’s Request for Amendment Form
- The organization’s amendment denial letter
- The patient’s statement of disagreement, if any
- The organization’s written rebuttal, if any
Future Disclosures of PHI that is the Subject of the Disputed Amendment
If the patient submitted a statement of disagreement, the organization will disclose all information listed above or an accurate summary of such information with all future disclosures of PHI to which the disagreement relates.
If the patient did not submit a statement of disagreement, and if the patient has requested that the organization provide the Request for Amendment Form and the amendment denial letter with any future disclosures, the organization shall include these documents (or an accurate summary of the information) with all future disclosures of the PHI related to the disagreement.
Actions on Notices of Amendment to PHI from Other Covered Entities
If another covered entity notifies this organization of an amendment to PHI it maintains, the amendment will be made to this organization’s patient medical record.
Sample Patient Request for Amendment Form
Patient Request to Amend Protected Health Information
Patient Name: ___________________________________DOB:________________________
Home Phone: (_____) ___________________Work/Cell Phone: (_____) ________________
Reason for Request:
Specify the Amendment(s): Please be as specific as possible about date of note(s), document name, and author of note.
Signature: __________________________________________ Date: _________________
Ben Burton, JD, MBA, RHIA, CHP, CHC
Kathy Downing, MA, RHIA, CHP, PMP
Julie Dooling, RHIA
Jean Foster, RHIA
Elisa Gorton, RHIA, CHPS, MAHSM
Wendy Mangin, MS, RHIA
Kelly McLendon, RHIA, CHPS
Angela Rose, MHA, RHIA, CHPS
Peg Schmidt, RHIA, CHPS
Diana Warner, MS, RHIA, CHPS
Lou Ann Wiedemann, MS, RHIA, FAHIMA, CPEHR
Prepared by (2011 Update)
Patricia Cunningham, MS, RHIA
Acknowledgements (2011 Update)
Nancy Davis, MS, RHIA
Angela Dinh, MHA, RHIA, CHPS
Margaret Foley, PhD, RHIA, CCS
Laurie Lutz, MA, RHIS, CHPS
Peg Schmidt, RHIA
Diana Warner, MS, RHIA, CHPS
Lou Ann Wiedemann, MS, RHIA, FAHIMA, CPEHR
Prepared by (original)
Gwen Hughes, RHIA
Mary Brandt, MBA, RHIA, CHE
Jill Callahan Dennis, JD, RHIA
Simone Handler Hutchinson, Esq.
Cheryl M. Smith, BS, RHIT, CPHQ
AHIMA. "Patient Access and Amendment to Health Records (2013 update)." Journal of AHIMA 84, no.10 (October 2013): expanded web version.