When May a Covered Entity Deny a Patient Request to Amend PHI?

Modified on Mon, 11 Dec, 2023 at 12:27 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.





When May a Covered Entity Deny a Request to Amend PHI?
If a patient makes a PHI amendment request, the covered entity must grant the request unless a specific HIPAA Privacy Rule provision allows for denial of the request.

Under the HIPAA Privacy Rule, a covered entity may deny a patient’s request to amend PHI if the covered entity determines that the protected health information or record that is the subject of the request:

  1. Was not created by the covered entity (unless the individual requesting the amendment provides a reasonable basis to believe that the originator of protected health information is no longer available to act on the requested amendment);
  2. Is not part of the designated record set;
  3. Would not be available for inspection under the HIPAA Privacy Rule right of access provisions; or
  4. Is accurate and complete.

If the covered entity denies the requested amendment, in whole or in part, the covered entity must provide the patient with a timely, written denial, in plain language. The covered entity must inform the patient of its decision to deny the request within 60 days after the covered entity has received the request.

What Information Must Be in the Written Denial?

The denial must contain the following information:

  1. The basis for the denial;
  2. The individual’s right to submit a written statement disagreeing with the denial, and how the individual may file such a statement;
  3. A statement that, if the individual does not submit a statement of disagreement, the individual may request that the covered entity provide the individual’s request for amendment and the denial with any future disclosures of the protected health information that is the subject of the amendment;
  4. A description of how the individual may complain to the covered entity; and
  5. A description of how the patient may complain to the Secretary of Health and Human Services.

What is a Statement of Disagreement?
If the covered entity denies all or part of a requested amendment, the covered entity must permit the individual to submit to the covered entity a written statement disagreeing with the denial of all or part of a requested amendment. The patient may state the basis of the disagreement in the written statement. The covered entity is permitted to reasonably limit the length of a statement of disagreement.

If an individual submits a written statement, the covered entity is entitled to prepare a written rebuttal to the individual’s statement of disagreement. The covered entity must provide a copy of the rebuttal to the patient who submitted the statement of disagreement.
