Practice Brief: Patient Access
and Amendment to Health Records (Updated)
This practice brief was reviewed following the publication of the August 2002 amendments to the HIPAA privacy rule. The content remains accurate.
Background
Generally, consumers should be able
to view, copy, and amend information collected and maintained about them.
Until recently, however, the legal right to access and amend health records
was afforded only to patients at healthcare organizations operated by
the federal government or patients in states that had passed specific
legislation affording them that right.
The Privacy Act of 1974
The Privacy Act of 1974 was designed
to give citizens some control over the information collected about them
by the federal government. It grants people the right to find out what
information has been collected about them, to see and have a copy of that
information, and to correct or amend the information. Healthcare organizations
operated by the federal government, such as Veteran Administration and
Indian Health Services, are bound by the act’s provision.
Standards for Privacy of Individually
Identifiable Health Information
More recently, the standards for privacy
of individually identifiable health information (also known as the HIPAA
privacy rule), which applies to healthcare plans, healthcare clearinghouses,
and healthcare providers who transmit specific transactions electronically,
established an individual’s right to access and amend their information
in all but a limited number of situations. Essentially, these regulations
state that:
An individual has the right to inspect
and obtain a copy of the individual’s protected health information in
a designated record set except for:1
- psychotherapy notes
- information compiled in anticipation
or use in a civil, criminal, or administration action or proceeding
- protected health information subject
to the Clinical Laboratory Improvements Amendments (CLIA) of 1988. CLIA,
42 USC 263a, is the federal law that spells out the requirements for
the certification of clinical laboratories
- protected health information exempt
from CLIA, pursuant to 42 CFR 493.3(a)(2). In other words, protected
health information generated by:
- facilities or facility
components that perform testing for forensic purposes
- research laboratories that
test human specimens but do not report patient-specific results
for diagnosis, prevention, treatment, or the assessment of the health
of individual patients
- laboratories certified by the
National Institutes on Drug Abuse (NIDA) in which drug testing is
performed that meets NIDA guidelines and regulations. However, other
testing conducted by a
NIDA-certified laboratory is not exempt
In the cases above, the covered entity
may deny the individual access without providing an opportunity for review.
A covered entity may also deny an
individual access without providing an opportunity for review when:
- the covered entity is a correctional
institution or a healthcare provider acting under the direction of the
correctional institution and an inmate’s request to obtain a copy of
protected health information would jeopardize the individual, other
inmates, or the safety of any officer, employee, or other person at
the correctional institution, or a person responsible for transporting
the inmate
- the individual agreed to temporary
denial of access when consenting to participate in research that includes
treatment, and the research is not yet complete
- the records are subject to the
Privacy Act of 1974 and the denial of access meets the requirements
of that law
- the protected health information
was obtained from someone other than a healthcare provider under a promise
of confidentiality and access would likely reveal the source of the
information
A covered entity may also deny an
individual access for other reasons, provided that the individual is given
a right to have such denials reviewed under the following circumstances:
- a licensed healthcare provider
has determined that the access is likely to endanger the life or physical
safety of the individual or another person
- the protected health information
makes reference to another person who is not a healthcare provider,
and a licensed healthcare professional has determined that the access
requested is likely to cause substantial harm to such other person
- the request for access is made
by the individual’s personal representative and a licensed healthcare
professional has determined that access is likely to cause substantial
harm to the individual or another person
Detailed requirements for denial review
are outlined in section 45 CFR, section 164.524.
An individual has the right to request
a covered entity amend his or her health information. Covered entities
may require individuals to make such requests in writing and to provide
a reason to support the amendment, provided that it informs individuals
in advance of such requirements.
The covered entity may deny the request
if the health information that is the subject of the request:
- was not created by the covered
entity, unless the originator is no longer available to act on the request
- is not part of the individual’s
health record
- would not be accessible to the
individual for the reasons stated above
- is accurate and complete
The covered entity must act on the
individual’s request for amendment no later than 60 days after receipt
of the amendment. Provided the covered entity gives the individual a written
statement of the reason for the delay, and the date by which the amendment
will be processed, the covered entity may have a one-time extension of
up to 30 days for an amendment request.
If the request is granted, the covered
entity must:
- insert the amendment or provide
a link to the amendment at the site of the information that is the subject
of the request for amendment
- inform the individual that the
amendment is accepted
- obtain the individual’s identification
of and agreement to have the covered entity notify the relevant persons
with whom the amendment needs to be shared
- within a reasonable time frame,
make reasonable efforts to provide the amendment to persons identified
by the individual, and persons, including business associates, that
the covered entity knows have the protected health information that
is the subject of the amendment and that may have relied on or could
foreseeably rely on the information to the detriment of the individual
If the covered entity denies the requested
amendment, it must provide the individual with a timely, written denial
written in plain language that contains:
- the basis for the denial
- the individual’s right to submit
a written statement disagreeing with the denial and how the individual
may file such a statement
- a statement that if the individual
does not submit a statement of disagreement, the individual may request
that the covered entity provide the individual’s request for amendment
and the denial with any future disclosures of protected health information
- a description of how the individual
may complain to the covered entity or the secretary of Health and Human
Services
- the name or title, and telephone
number of the designated contact person who handles complaints for the
covered entity
The covered entity must permit the
individual to submit to the covered entity a written statement disagreeing
with the denial of all or part of a requested amendment and the basis
of such disagreement. The covered entity may reasonably limit the length
of a statement of disagreement.
The covered entity may prepare a written
rebuttal to the individual’s statement of disagreement. Whenever such
a rebuttal is prepared, the covered entity must provide a copy to the
individual who submitted the statement of disagreement.
The covered entity must, as appropriate,
identify the record of protected health information that is the subject
of the disputed amendment and append or otherwise link the individual’s
request for an amendment, the covered entity’s denial of the request,
the individual’s statement of disagreement, if any, and the covered entity’s
rebuttal, if any.
If a statement of disagreement has
been submitted by the individual, the covered entity must include the
material appended or an accurate summary of such information with any
subsequent disclosure of the protected health information to which the
disagreement relates.
If the individual has not submitted
a written statement of disagreement, the covered entity must include the
individual’s request for amendment and its denial, or an accurate summary
of such information, with any subsequent disclosure of protected health
information only if the individual has requested such action.
When a subsequent disclosure is made
using a standard transaction that does not permit the additional material
to be included, the covered entity may separately transmit the material
required.
A covered entity that is informed
by another covered entity of an amendment to an individual’s protected
health information must amend the protected health information in written
or electronic form.
A covered entity must document the
titles for the persons or offices responsible for receiving and processing
requests for amendments.
State Law
Individual states may also have laws
or regulations that address how amendments should be processed, and healthcare
organizations must comply with these requirements if they are more stringent
than those outlined under the federal standards.
Recommendations
In order to comply with the standards
for privacy of individually identifiable health information, it is necessary
to:
1. Study federal and state requirements
for patient access and amendments.
2. Draft an amendment form,
policy, and procedure that complies with applicable provisions of
federal and state law and regulation.
A sample is provided
below.
3. To simplify processing and maintain
positive patient-provider relationships, consider a protocol in which
amendments are generally accepted. The form below
could serve as a vehicle wherein the individual could submit an amendment
and the amendment could be accepted, even when the author disagrees with
the amendment. The author of the disputed entry could note why he or she
disagrees with the individual on the amendment form.
4. Educate staff as to the
new policy, procedure, and forms.
5. Implement the new policy,
procedure, and forms.
6. Monitor compliance and
implement corrective action where indicated.
Sample Amendment Policy
and Procedure
Policy
Patients who believe information
in their health records is incomplete or incorrect may request an
amendment or correction to the information as outlined below:
Procedure
The patient may approach the
author of the entry, point out the error, and ask the author to
correct it.
The entry author can correct
the entry or add a progress note to clarify content.
Alternatively, the patient can
contact the HIM professional.
The HIM professional will assist
the patient in completing the health record correction/amendment
form.
Upon completion of the form,
the HIM professional will give the last copy of the form to the
patient, place the third copy in the patient’s health record immediately,
and route the original and first copy with the record to the author.
If the author chooses to add
a comment to the amendment/correction form, the second copy of the
form will be routed to the patient with the author’s comments.
The original correction/amendment
with the author’s signature will replace the copy previously placed
in the patient’s record.
Copies of the correction/amendment
form will be furnished to those individuals or organizations the
patient deems necessary and documents on the correction/amendment
form.
Copies of the correction/amendment
form will also be furnished to the facility’s business associates
or others who have the information subject to the amendment and
that may have relied or could might rely on that information to
the detriment of the patient.
Disclosures will be noted on
the correction/amendment form with a short notation indicating to
whom the correction/amendment form was sent, the date, and the staff
member processing the disclosure.
When a correction/amendment
form is used, the HIM professional will make an entry at the site
of the information that is being corrected or amended indicating,
"See correction/amendment," and will date and sign that
entry. The correction/amendment form will be attached to the incorrect
or amended entry.
Whenever a copy of the corrected/amended
entry is disclosed, a copy of the correction/amendment form will
accompany the disclosed entry.
|
Sample Health Record
Correction/Amendment Form
Request for Correction/Amendment
of Health Information
| Patient Name: |
|
Birth date: |
|
| Patient Number: |
|
| Patient Address: |
|
| Date of Entry to be amended: |
|
| Type of entry
to be amended: |
|
Please explain how the entry
is incorrect or incomplete. What should the entry say to be more
accurate or complete?
Would you like this amendment
sent to anyone to whom we may have disclosed the information in
the past? If so, please specify the name and address of the organization
or individual.
|
|
|
| Signature of
Patient or Legal Representative |
|
Date |
For Healthcare Organization
Use Only:
| Date
Received |
|
Amendment has
been: o Accepted o
Denied |
If denied, check reason for
denial:
| o PHI
was not created by this organization |
o
PHI is not part
of patient’s designated record set |
| o
PHI is not available
to the patient for inspection as required by federal law (e.g.,
psychotherapy notes) |
o
PHI is accurate
and complete |
Comments
of Healthcare Practitioner:
|
|
|
|
Name
of Staff Member
|
|
Title
|
|
|
|
|
Signature
of Healthcare Practitioner
|
|
Date
|
Note: This sample form was
developed by AHIMA for discussion purposes only. It should not be
used without review by your organization’s legal counsel to ensure
compliance with local and state laws.
|
Prepared by
Gwen Hughes, RHIA, HIM practice manager
Acknowledgments
Mary Brandt, MBA, RHIA, CHE
Jill Callahan Dennis, JD, RHIA
Simone Handler Hutchinson, Esq.
Cheryl M. Smith, BS, RHIT, CPHQ
Note
1. Medical or billing
records about individuals maintained by or for a covered healthcare provider;
the enrollment, payment, claims adjudication, and case or medical management
record systems maintained by or for a health plan; or records used in
whole or in part by or for the covered entity to make decisions about
individuals.
References
Brandt, Mary. Release and Disclosure:
Guidelines Regarding Maintenance and Disclosure of Health Information.
Chicago: American Health Information Management Association, 1997.
"Standards for the Privacy of
Individually Identifiable Health Information; Final Rule." 45 CFR
Parts 160 through 164. Federal Register 65, no. 250 (December 28,
2000). Available at http://aspe.hhs.gov/admnsimp/.
Article citation:
Hughes, Gwen. "Patient Access and Amendment to Health Records (AHIMA Practice Brief)." Journal of AHIMA 72, no.5 (2001): 64S-V. |
|