Regulation of Medicine
Responding to Medical Record Amendment Requests
Under HIPAA, patients have a right to request amendments to their medical records, but it is up to the provider to decide whether or not to do it. However, regardless of what the provider decides, they must respond to the patient’s amendment request. This guide helps providers respond to amendment requests in a way that is HIPAA compliant.
Step 1: Check the Validity of the Amendment Request
- The request must be in writing and signed by the patient or their personal representative. An attorney is generally NOT a personal representative of a patient.
- The patient should sign your organization’s amendment request form. If your organization does not have a current amendment request form, you can obtain a sample “Amendment of Protected Health Information form” in the HIPAA toolkit.
Step 2: Evaluate the Amendment Request
- The provider must decide whether to accept, partially accept or deny the amendment. The provider can consult with appropriate staff members if needed.
- The provider must respond to the request for amendment no later than 60 days after receiving the amendment request.
Step 3: Respond to the Amendment Request
There are three (3) possible responses to a request for amendment. Steps 4A and 4B detail further procedures to be taken.
- Acceptance. If the provider accepts the amendment request, the provider must notify the patient within 60 days of receiving the request.
- Denial. If the provider denies/rejects the amendment, the provider must notify the patient within 60 days of receiving the request.
- Request for Extension. If the provider cannot respond to the amendment request within 60 days from the receipt of it, the provider may obtain a one-time extension of up to 30 days. To get the extension, the provider must notify the patient in writing of the extension, the reason for the extension and the date by which action will be taken.
Step 4A: Accept the Amendment Request
If the provider accepts or partially accepts the requested amendment, the provider must take the following steps:
- Indicate in the record that it has been amended, and place a copy of the amendment in the patient’s medical record or provide a reference to the location of the amendment within the medical record.
- Notify the parties identified by the patient or listed on the Amendment of Protected Health Information form of the amendment.
- Make reasonable efforts to notify other parties, including Business Associates, who had received the original medical record of the amendment in a reasonable time. Notifying other parties becomes even more important when not doing so will be detrimental to the patient.
- Best Practice: After the record amendment is finalized, the provider should notify other parties who received the original record as soon possible. This quick response will help insulate the provider from liability.
- Notify the patient that the amendment was accepted, and obtain the patient’s agreement to notify such other persons or organizations of the amendment. The agreement to notify other persons and the response to the patient notifying them that the amendment was accepted should be copied and placed in the medical record along with the amendment.
Step 4B: Deny the Amendment Request
If the provider decides to deny or partially deny the amendment request, the provider must send an amendment denial letter in a timely fashion, no later than 60 days after receiving the amendment request. A sample letter can be found on page 10 of the “Amendment of Medical Record” document found under sample policies. https://www.magmutual.com/learning/article/guidelines-telemedicine-policies-and-procedures-0/.
- The Denial Letter. The amendment denial letter must be written in plain language (no medical jargon is allowed). The letter must also contain:
- The reason the amendment was denied.
- A statement that the patient has a right to submit a written statement disagreeing with the denial and an explanation of how the patient may file such a statement.
- A statement that informs the patient that they can have the original amendment request and physician denial added to their record instead of submitting a written statement of disagreement if they want.
- A description of how the patient may file a complaint with the provider or to the Secretary of the U.S. Department of Health and Human Services. The description must include the name or title and telephone number of the contact person for complaints.
- Reasons for Denial. Below are the reasons a provider can deny an amendment request.
- The provider who received the amendment request had not created the original record. The record was created at another office. There is an exception if the creator is no longer available and the mistake in the record is apparent.
- The patient does not have the right to access this part of the record under HIPAA. An example would be psychotherapy notes or ongoing research.
- The request does not pertain to the patient’s medical and financial records. An example would be patient asking a provider to add something to their record that the provider never saw the patient for.
- The health information is accurate and correct (the most common reason for denial).
- Written Statement of Disagreement. If an amendment request is denied, the patient may submit a written statement of disagreement. If the patient submits a written statement of disagreement, the provider may prepare a written rebuttal to the statement. The provider shall provide a copy of the written rebuttal to the patient who submitted the statement.
- Documents Added to the Record Post-Denial. Below is a list of the documents that must either be copied and placed in the part of the medical record that the patient attempted to amend, or linked to that part of the record.
- The patient’s Amendment of PHI form;
- Provider’s amendment denial letter;
- The patient’s statement of disagreement, if any; and
- Provider’s written rebuttal, if any.
Want to learn more?
Interested in how MagMutual can help?View our products
The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.