Regulation of Medicine


Responding to Medical Record Amendment Requests 

Executive Summary 

Although patients have the right to request amendments to their medical records, providers can determine whether to agree to their requests. Regardless of the medical provider’s ultimate decision regarding an amendment, however, they must still comply with HIPAA when responding to avoid financial fines or penalties.  

Recommended Actions  
  • Look out for medical record amendment requests and ensure that all staff flag such requests for review in a timely manner. 
  • Establish a policy for responding to medical record amendment requests and make certain that all staff members are HIPAA-trained. 
  • Ensure that your practice calendars all appropriate response deadlines when receiving an amendment request.  

Under HIPAA, patients have a right to request amendments to their medical records, but it is up to the provider to decide whether to agree to their requests. However, regardless of what the provider decides, they must respond to the patient’s request. This guide will help providers answer amendment requests in a way that is HIPAA-compliant. 

Step 1: Check the Validity of the Amendment Request 

The request must be in writing and signed by the patient or their personal representative. An attorney is generally not a personal representative of a patient. 

The patient should sign your organization’s amendment request form. If your organization does not have a current amendment request form, you can obtain a sample “Amendment of Protected Health Information form” in the HIPAA toolkit.  

Step 2: Evaluate the Amendment Request 

The provider must decide whether to accept, partially accept or deny the amendment. The provider can consult with appropriate staff members if needed. 

The provider must respond to the request for amendment no later than 60 days after receiving it. 

Step 3: Respond to the Amendment Request 

There are three possible responses to a request for amendment. Steps 4A and 4B detail further procedures. 


 If the provider accepts the amendment request, the provider must notify the patient within 60 days of receiving the request. 


If the provider denies/rejects the amendment, the provider must notify the patient within 60 days of receiving the request. 

Request for Extension

 If the provider cannot respond to the amendment request within 60 days, the provider may obtain a one-time extension of up to 30 days. To get the extension, the provider must notify the patient in writing of the extension, the reason for the extension and the date by which action will be taken. 

Step 4A: Accept the Amendment Request 

If the provider accepts or partially accepts the requested amendment, the provider must take the following steps: 

  • Indicate in the record that it has been amended and place a copy of the amendment in the patient’s medical record or provide a reference to the location of the amendment within the medical record. 
  • Notify the parties identified by the patient or listed on the Amendment of Protected Health Information form of the amendment.  
  • Make reasonable efforts to notify other parties, including business associates, who had received the original medical record of the amendment in a reasonable time. Notifying other parties becomes even more important when not doing so will be detrimental to the patient. 
  • Best Practice: After the record amendment is finalized, the provider should notify other parties who received the original record as soon as possible. This quick response will help insulate the provider from liability.  

Notify the patient that the amendment was accepted and obtain the patient’s agreement to notify such other persons or organizations of the amendment. The agreement to notify other persons and the response to the patient notifying them that the amendment was accepted should be copied and placed in the medical record along with the amendment.  

Step 4B: Deny the Amendment Request 

If the provider decides to deny or partially deny the amendment request, the provider must send an amendment denial letter no later than 60 days after receiving the amendment request. A sample letter can be found on page 10 of the “Amendment of Medical Record” sample policy found under the HIPAA toolkit.  

The Denial Letter

The amendment denial letter must be written in plain language (no medical jargon is allowed). The letter must also contain: 

The reason the amendment was denied. 

A statement that the patient has a right to submit a written statement disagreeing with the denial and an explanation of how the patient may file such a statement. 

A statement that informs the patient that they can have the original amendment request and physician denial added to their record instead of submitting a written statement of disagreement.   

A description of how the patient may file a complaint with the provider or to the Secretary of the U.S. Department of Health and Human Services. The description must include the name or title and telephone number of the contact person for complaints. 

Reasons for Denial

Below are the reasons a provider can deny an amendment request. 

The provider who received the amendment request had not created the original record. The record was created at another office. There is an exception if the creator is no longer available and the mistake in the record is apparent. 

The patient does not have the right to access this part of the record under HIPAA. An example would be psychotherapy notes or ongoing research. 

The request does not pertain to the patient’s medical and financial records. An example would be a patient asking a provider to add something to their record that the provider never saw the patient for. 

The health information is accurate and correct (the most common reason for denial). 

Written Statement of Disagreement

If an amendment request is denied, the patient may submit a written statement of disagreement. If the patient submits a written statement of disagreement, the provider may prepare a written rebuttal to the statement. The provider shall provide a copy of the written rebuttal to the patient who submitted the statement. 

Documents Added to the Record Post-Denial

Below is a list of the documents that must either be copied and placed in the part of the medical record that the patient attempted to amend or linked to that part of the record. 

  • The patient’s Amendment of PHI form 
  • Provider’s amendment denial letter 
  • The patient’s statement of disagreement, if any 
  • Provider’s written rebuttal, if any 

Lessons Learned 

  • Ensure that your healthcare organization has an up-to-date amendment request form or use the “Amendment of Protected Health Information form” in the HIPAA toolkit.  
  • Store all amendment requests and responses together and place them in the patient’s medical record. 
  • If denying the amendment request, provide ample reasoning written in plain language. 

Potential Damages 

If a healthcare provider fails to comply with medical record amendment rules, they could face a HIPAA violation. Although infrequent, these violations could lead to costly HIPAA fines and financial penalties.    


    1. When my practice gets a medical record amendment request, we have 6 months to respond.
    2. If my practice decides to deny a patient’s amendment request, we can send the denial letter within 6 months of receiving the amendment request.
    3. If I accept the patient’s amendment request, I should indicate the amendment in the patient’s record.




    The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.