Final Rule for Standards for Privacy of Individually Identifiable Health Information. What the Rule Covers

Analysis by the AHIMA Policy and Government Relations Team

Amendment of Protected Health Information

Standard: Right to Amend

The Rule says (§164.526) that "an individual has the right to have a covered entity amend PHI or a record about the individual in a designated record set for as long as the PHI is maintained in the designated record set."

Denial of Amendment
The Rule also says a covered entity may deny an individual’s request for amendment, if it determines that the PHI or record that is the subject of the request:

  • Was not created by the covered entity, unless the individual provides a reasonable basis to believe that the originator of PHI is no longer available to act on the requested amendment;

  • Is not part of the designated record set;

  • Would not be available for inspection as noted in the regulation on access; or

  • Is accurate and complete.

Specifications: Requests for Amendment and Timely Action -- Individuals Request for Amendment
"A covered entity must permit an individual to request that the covered entity amend the PHI maintained in the designated record set. The covered entity may require individuals to make requests for amendment in writing and to provide a reason to support a requested amendment, provided that it informs individuals in advance of such requirements."

A covered entity must act on the individual’s request for an amendment no later than 60 days after receipt of such as request, as follows:

  • If the covered entity grants the requested amendment, in whole or in part, and

  • If the covered entity denies the requested amendment, in whole or in part, it must provide the individual with a written denial.

Timely Action by the Covered Entity
If a covered entity is unable to act on the amendment within the 60-day time limit, the covered entity may extend the time for such action by no more than 30 days, provided that :

  • The covered entity, within the [initial] 60 day time limit, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and

  • The covered entity may have only one such extension of time for action on a request for an amendment.

Specifications: Making the Amendment
If the covered entity grants the requested amendment, in whole or in part it must:

  • Make the Amendment—"Make the appropriate amendment to the PHI or record that is the subject of the request for amendment by, at a minimum, identifying the records in the designated record set that are affected by the amendment and appending or otherwise providing a link to the location of the amendment."

  • Inform the Individual—"Timely inform the individual that the amendment is accepted and obtain the individual’s identification of and agreement to have the covered entity notify the relevant persons with which the amendment needs to be shared"

  • Informing Others—"Make reasonable efforts to inform and provide the amendment within a reasonable time to:
    • Persons identified by the individual as having received PHI about the individual and needing the amendment; and
    • Persons, including business associates, that the covered entity knows have the PHI that is the subject of the amendment and that may have relied, or could foreseeably rely, on such information to the detriment of the individual.

Specifications: Denying the Amendment
If the covered entity denies the requested amendment, in whole or in part, the covered entity must comply with the following requirements:

  • Denial—"The covered entity must provide the individual with a timely, 60 days or less, written denial. The denial must use plain language and contain:
    • The basis for the denial in accordance with those provided in the Rule
    • The individuals right to submit a written statement disagreeing with the denial and how the individual may file such a statement;
    • A statement that, if the individual does not submit a statement of disagreement, the individual may request that the covered entity provide the individual’s request for amendment and the denial with any future disclosures of the PHI that is the subject of the amendment; and
    • A description of how the individual may complain to the covered entity pursuant to the [Rules] complaint procedures. The description must include the name or title, and telephone number of the contact person or office."
  • Statement of Disagreement—"The covered entity must permit the individual to submit to the covered entity a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. The covered entity may reasonably limit the length of a statement of disagreement."
  • Rebuttal Statement—"The covered entity may prepare a written rebuttal to the individual’s statement of disagreement. Whenever such a rebuttal is prepared, the covered entity must provide a copy to the individual who submitted the statement of disagreement."
  • Recordkeeping—The covered entity must, as appropriate, identify the record or PHI in the designated record set that is the subject of the disputed amendment and append or otherwise link the individual’s request for an amendment, the covered entity’s denial of the request, the individual’s statement of disagreement, if any, and the covered entity’s rebuttal, if any, to the designated record set."

  • Future Disclosures:
    • "If a statement of disagreement has been submitted by the individual, the covered entity must include the material appended in accordance with the recordkeeping requirements, or at the election of the covered entity, an accurate summary of any such information, with any subsequent disclosure of the PHI to which the disagreement relates."
    • When a subsequent disclosure is made using a standard transaction [one of the HIPAA electronic transactions] that does not permit the additional material to be included with the disclosure, the covered entity may separately transmit the material required by and as applicable to the recipient of the standard transaction.

Specifications: Actions on Notices of Amendment
"A covered entity that is informed by another covered entity of an amendment to an individual’s PHI,…must amend the PHI in designated record sets as provided" by this Rule.

Specifications: Documentation
"A covered entity must document the titles of the persons or offices responsible for receiving and processing requests for amendments by individuals and retain the documentation" as the Rule requires.

Go to next section, Accounting of Disclosures of Protected Health Information.

Go to previous section, Access of Individuals to Protected Health Information .

Go to document index.