Patient Access and Amendment to Health Records (Updated)

Editor’s note: This update supplants the 2001 practice brief "Patient Access and Amendment to Health Records."

Background

Before April 2003 a patient’s legal right to access and amend his or her health records was limited to those patients treated at healthcare organizations operated by the federal government or patients in states that had passed specific legislation affording them that right. Traditionally, the information contained within the health record belonged to the individual patient, and the paper it was printed on belonged to the healthcare facility.

The Health Information Portability and Accountability Act (HIPAA) and subsequent privacy rule revisions under the Health Information Technology for Economic and Clinical Health Act (HITECH) changed how covered entities approach a patient’s right to access and amend protected health information (PHI). Generally, all consumers now have the ability to view, copy, and amend information collected and maintained about them.

This practice brief provides guidance regarding patient access and amendment rights granted under federal and state law. It describes patient access rights under 45 CFR 164.524 and amendment rights under 164.526. (This brief does not cover organizational requirements under the HIPAA security rule regarding roles-based access or HITECH requirements for access to PHI in electronic format.)

A Patient’s Right to Access PHI

The HIPAA privacy rule (45 CFR 164.524) provides patients with specific rights to their health information. Regulations applied to healthcare plans, healthcare clearinghouses, and healthcare providers who transmit specific transactions electronically established an individual’s right to access and amend their PHI in all but a limited number of situations. This includes PHI in any media (paper, electronic, or oral) that is maintained by a covered entity or its business associate. HIPAA grants patients the following rights regarding their health information:

  • To inspect and obtain copies of their health records (covered entities may impose reasonable, cost-based fees for copying and postage)
  • To request privacy protections
  • To amend health information
  • To receive a notice of privacy practices that outlines how their health information may be used and shared
  • To be allowed to grant or deny permission to use PHI for certain purposes, such as marketing
  • To obtain an accounting of disclosures that lists to whom their health information has been disclosed
  • To file a complaint with the covered entity or federal government if they believe their privacy rights have been denied

HITECH, a section of the American Recovery and Reinvestment Act of 2009, created additional provisions that:

  • Give consumers the right to request electronic access to their health information
  • Expand the accounting of disclosure requirements to include treatment, payment, and operations
  • Require the federal government to provide covered entities with greater guidance on the HIPAA minimum necessary requirements

Final regulations for these provisions had not yet been issued by the end of 2010.

Exceptions to a Patient’s Right to Access

Individuals have the right to inspect and obtain copies of their PHI outlined within the organization’s designated record set, with a few exceptions. Covered entities may deny patient access without providing the patient an opportunity to review the designated record set in the following circumstances:

  • The information is contained in psychotherapy notes.
  • The information has been compiled in reasonable anticipation of or use in a civil, criminal, or administration action or proceeding.
  • The information is subject to the Clinical Laboratory Improvements Amendments of 1988. CLIA (42 USC 263a) is the federal law that spells out the requirements for the certification of clinical laboratories.
  • The covered entity is a correctional institution or a healthcare provider acting under the direction of the correctional institution, and an inmate’s request to obtain a copy of protected health information would jeopardize the individual, other inmates, or the safety of any officer, employee, or other person at the correctional institution, or a person responsible for transporting the inmate.
  • The individual agreed to temporary denial of access when consenting to participate in research that includes treatment and the research is not yet complete.
  • The records are subject to the Privacy Act of 1974 and the denial of access meets the requirements of that law.
  • The PHI was obtained from someone other than a healthcare provider under a promise of confidentiality and access would likely reveal the source of the information.

Detailed requirements for denial review are outlined in 45 CFR, section 164.524.

A covered entity may also deny an individual access for other reasons, provided that the individual is given a right to have such denials reviewed under the following circumstances:

  • A licensed healthcare provider has determined that the access is likely to endanger the life or physical safety of the individual or another person.
  • The PHI makes reference to another person who is not a healthcare provider, and a licensed healthcare professional has determined that the access requested is likely to cause substantial harm to that other person.
  • The request for access is made by the individual’s personal representative, and a licensed healthcare professional has determined that access is likely to cause substantial harm to the individual or another person. In such situations, the individual must be given the right to have the denial reviewed by a licensed healthcare professional for a second opinion.

Covered entities must implement and enforce policies and procedures governing the access and amendment of protected health information that comply federal and state requirements. At a minimum, these include:

  • Definition of a designated record set
  • Notice of privacy practices
  • Patient procedure for requesting PHI access that includes:
    • Time restrictions
    • Processing valid authorizations and revocations
    • Fees or charges
    • Whether the request must be written
    • Identification of persons responsible for receiving and processing requests
    • Denial of access circumstances and process
    • Form of output/requested media (electronic or paper)
  • Patient procedure for requesting an amendment
  • Patient procedure for filing a complaint
  • Patient procedure for requesting an accounting of disclosures

A Patient’s Right to Amend PHI

The HIPAA privacy rule provides individuals with the right to request an amendment of their PHI within the designated record set. The rule specifies the processes covered entities must follow in responding to such a request. Appendix A of this brief features a sample policy on patient request for amendment. Appendix B contains a sample form for a request for amendment.

Covered entities may require individuals to make requests for amendment in writing and to provide a reason to support the amendment, provided that it informs individuals in advance of such requirements.. A covered entity must document the titles of the persons or offices responsible for receiving and processing individual’s requests for amendments of PHI within the designated record set.

The covered entity may deny the request if it determines that the PHI or record that is the subject of the request:

  • Was not created by the covered entity (unless the originator is no longer available to act on the request)
  • Is accurate and complete
  • Does not include the information in the defined designated record set
  • Would not be available for inspection under CFR 164.524

The covered entity must act on the individual’s request for amendment within 60 days of receipt. The covered entity may have a one-time extension of up to 30 days for an amendment request if it gives the individual a written statement of the reason for the delay and the date by which the amendment will be processed.

If a patient’s request for amendment is granted, the covered entity must:

  • Insert the amendment or provide a link to the amendment at the site of the information that is the subject of the request for amendment
  • Inform the individual that the amendment is accepted
  • Obtain the individual’s agreement to have the covered entity notify the relevant persons with whom the amendment needs to be shared
  • Within a reasonable time frame, make reasonable efforts to provide the amendment to persons identified by the individual and persons, including business associates, that the covered entity knows also hold the PHI that is the subject of the amendment and that may have relied on or could possibly rely on the information to the detriment of the individual

A covered entity that is informed by another covered entity of an amendment to an individual’s PHI within the designated record set must amend the protected health information in written or electronic form.

If the covered entity denies the requested amendment, it must provide the individual with a timely, written denial written in plain language that contains:

  • The basis for the denial.
  • The individual’s right to submit a written statement disagreeing with the denial and how the individual may file such a statement. The covered entity may reasonably limit the length of the statement of disagreement.
  • A statement that if the individual does not submit a statement of disagreement, the individual may request that the covered entity provide the individual’s request for amendment and the denial with any future disclosures of PHI.
  • A description of how the individual may complain to the covered entity or the secretary of Health and Human Services.
  • The name (or title) and telephone number of the designated contact person who handles complaints for the covered entity.

The covered entity may prepare a written rebuttal to the individual’s statement of disagreement. Whenever such a rebuttal is prepared, the covered entity must provide a copy to the individual who submitted the statement of disagreement.

If a statement of disagreement has been submitted by the individual, the covered entity must, as appropriate, identify the record or PHI in the designated record set that is the subject of the disputed amendment and append or link the individual’s request for amendment, the covered entity’s denial of the request, the individual’s statement of disagreement (if any), and the covered entity’s rebuttal (if any), to the designated record set.

When a subsequent disclosure is made using a standard transaction that does not permit the additional material to be included, the covered entity may separately transmit the material required.

State Law

Individual states may also have laws or regulations that address how amendments should be processed. Healthcare organizations must comply with these requirements if they are more stringent than those outlined under the federal standards. 

Prepared by

Patricia Cunningham, MS, RHIA

Acknowledgements

Nancy Davis, MS, RHIA
Angela Dinh, MHA, RHIA, CHPS
Margaret Foley, PhD, RHIA, CCS
Laurie Lutz, MA, RHIS, CHPS
Peg Schmidt, RHIA
Diana Warner, MS, RHIA, CHPS
Lou Ann Wiedemann, MS, RHIA, FAHIMA, CPEHR

Prepared by (original)

Gwen Hughes, RHIA

Acknowledgments (original)

Mary Brandt, MBA, RHIA, CHE 
Jill Callahan Dennis, JD, RHIA 
Simone Handler Hutchinson, Esq. 
Cheryl M. Smith, BS, RHIT, CPHQ

References

American Health Information Management Association. "Preemption of the HIPAA Privacy Rule (Updated)." June 2010. Available online in the AHIMA Body of Knowledge at www.ahima.org.

Brandt, Mary. Release and Disclosure: Guidelines Regarding Maintenance and Disclosure of Health Information. Chicago: American Health Information Management Association, 1997.

Dennis, Jill Callahan. "What’s  Next for the Privacy Rule? HIPAA for All, or Something Quite Like It." Journal of AHIMA 79, no.4 (April 2008): 24-29.

Dimick, Chris. "The Empowered Patient: Preparing for a New Patient Interaction." Journal of AHIMA 81, no.2 (February 2010): 26-31.

US Department of Health and Human Services. "Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act; Proposed Rule." Federal Register 75, no. 134 (July 14, 2010). Available online at http://edocket.access.gpo.gov/2010/pdf/2010-16718.pdf.

US Department of Health and Human Services. "Standards for the Privacy of Individually Identifiable Health Information; Final Rule." 45 CFR Parts 160 through 164. Federal Register 65, no. 250 (December 28, 2000). Available online at www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/prdecember2000all8parts.pdf.

US Department of Health and Human Services. "Summary of the HIPAA Privacy Rule." Available online at www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html.

US Department of Health and Human Services. "Summary of the HIPAA Security Rule." Available online at www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html.

Woloszyn, William. "Reaffirming Your HIPAA Compliance Efforts." Journal of AHIMA 76, no.4 (April 2005): 52-53,65.

Article citation:
AHIMA. "Patient Access and Amendment to Health Records (Updated)." (Updated January 2011).