
Awareness article

Right to Amend PHI: HIPAA Definition for Small Clinics

The HIPAA right to amend PHI, what can and cannot be amended, the 60-day response timeline, grounds for denial, amendment acceptance procedures, and documentation requirements.

Short answer

The HIPAA right to amend is the individual's right, under 45 CFR § 164.526, to request that a covered entity amend PHI or a record about the individual in a designated record set. Covered entities must respond within 60 days, may deny on specific grounds, and must notify relevant parties when an amendment is accepted.

The right to amend PHI is a patient’s right under 45 CFR § 164.526 to request that your clinic correct or supplement information in their designated record set that they believe is inaccurate or incomplete. This right is not a right to delete records, and it does not require your clinic to agree that the record is wrong. Understanding its precise scope prevents your clinic from either ignoring amendment requests or mishandling the procedural requirements that attach to both acceptance and denial.

Small-clinic example: A patient at a 4-provider family medicine practice calls to report that a medication allergy documented in her chart is wrong - the chart says “penicillin” but her actual allergy is to sulfa drugs. Your clinic has 60 days to respond formally. If you accept the amendment, you must append the correction and notify the referring cardiologist who received her summary with the incorrect allergy on record. If you deny it, you must send a written denial explaining the grounds and informing her of her right to submit a statement of disagreement.

What the Right to Amend Covers

Under 45 CFR § 164.526(a)(1), an individual has the right to request that your clinic amend PHI or a record about the individual in a designated record set for as long as the PHI is maintained in that set.

The right applies to PHI in the designated record set - defined to include medical records, billing records, and records used to make decisions about individuals. For a full discussion of the designated record set concept, see the right of access.

An “amendment” means appending a correction, clarification, or addendum to the existing record. HIPAA does not require your clinic to alter or delete original entries. The standard medical records management approach - adding an amendment that references and corrects the original entry without removing the original - is consistent with the regulation.

What Cannot Be Amended

45 CFR § 164.526(a)(2) provides specific grounds on which your clinic may deny an amendment request.

Grounds for Denial

Your clinic did not create the record. If the PHI at issue came from another covered entity - records received in a referral from a specialist or records imported from a prior treating physician - your clinic is not the appropriate entity to amend it. Direct the patient to the originating provider. There is an exception: if the originating entity is no longer available (the provider retired, the practice closed), your clinic may be the only entity in a position to act.

The PHI is not part of the designated record set. Quality improvement data, peer review records, and certain research records fall outside the designated record set. If a patient requests amendment of records that do not fall within the designated record set, your clinic may deny on that ground.

Your clinic believes the record is accurate and complete. This is the most common denial ground. Your clinic may deny an amendment if it believes the PHI is accurate and complete - you are not required to accept the patient’s version of events. But the denial must follow the procedural requirements in 45 CFR § 164.526(d). You cannot simply refuse and move on.

The PHI would not be available for inspection. If the PHI falls in a category excluded from the right of access (psychotherapy notes, litigation-prepared records), it is also not available for amendment.

The 60-Day Timeline

Under 45 CFR § 164.526(b), your clinic must act on an amendment request no later than 60 calendar days after receipt. If your clinic cannot act within 60 days, you may extend by no more than 30 additional days - but only if you notify the patient within the original 60-day period of the reasons for the delay and the date by which you will act.

Only one extension is permitted per request.

When an Amendment Is Accepted

If your clinic accepts the amendment in whole or in part, you must take these steps under 45 CFR § 164.526(c).

Make the amendment. Identify the records in the designated record set that need correction and append or otherwise link the patient’s request and your amendment to those records.

Inform the individual. Within the 60-day response period, notify the patient that the amendment was accepted.

Notify relevant parties. Your clinic must make reasonable efforts to provide the amendment to persons the patient identifies as needing the update, and to persons your clinic knows have relied on - or may foreseeably rely on - the original information to the detriment of the patient.

Clinical example: The patient in the example above requests amendment of the incorrect penicillin allergy. Your clinic accepts the amendment, appends the correction to the chart, and sends notification to the referring cardiologist who received the patient summary with the wrong allergy on record. If you skip the referral notification and the cardiologist prescribes based on the incorrect allergy, your clinic knew of a foreseeable reliance risk and failed to address it.

When an Amendment Is Denied

When your clinic denies an amendment request, 45 CFR § 164.526(d) requires a precise set of actions.

Written denial. Provide the patient with a written denial in plain language that includes: the basis for the denial, the patient’s right to submit a written statement of disagreement, a statement that the patient may request your clinic include their request and denial with future disclosures of the disputed PHI, and how to file a complaint with your clinic or HHS.

Statement of disagreement. If the patient submits a written statement of disagreement, your clinic must maintain it with the disputed PHI and include it - or a summary - with any future disclosures of that PHI.

Rebuttal. Your clinic may prepare a written rebuttal to the patient’s statement of disagreement. If you do, provide the rebuttal to the patient and include it alongside the statement of disagreement in future disclosures.

What not to do: A clinic that verbally tells a patient “we don’t think the record is wrong” and files nothing has violated the regulation. Denials require a written explanation that meets each of the content requirements above. Informal denials are non-compliant regardless of whether the denial itself was substantively correct.

Practical example: A patient insists their blood pressure reading from a recent visit was inaccurate - they believe the cuff was malfunctioning. Your physician confirms the reading was taken correctly and repeated. Your clinic denies the amendment with a written explanation citing the accuracy grounds. The patient submits a statement of disagreement. Your clinic files it with the chart and includes it in future record disclosures. The receiving provider at the patient’s new clinic sees both the original reading and the patient’s note about the disputed accuracy.

Documentation Requirements

Your clinic must document all amendment-related actions and retain that documentation for six years from the date of the document or the date it was last in effect, whichever is later. Required documentation includes:

  • The original amendment request with the date received
  • Your clinic’s response - acceptance or denial - with the date
  • Any statement of disagreement from the patient
  • Any rebuttal your clinic prepared
  • Records of notifications sent to third parties

The documentation obligation applies whether your clinic accepted or denied the amendment. A clinic that informally corrects a chart without tracking the request has fixed the record but has not satisfied the procedural requirements of 45 CFR § 164.526.

For a complete framework for managing patient rights including the right to amend, see PHIGuard’s HIPAA compliance platform.


FAQ

Questions related to this topic

A patient says the diagnosis in their chart is wrong. Do we have to change it?

Not necessarily. A covered entity may deny an amendment request if it believes the existing record is accurate and complete. However, the covered entity must inform the patient of the denial in writing, tell them why the request was denied, and explain that the patient has the right to submit a statement of disagreement. The denial process has procedural requirements - simply refusing to engage is not compliant.

Can a patient request that an entire record be deleted under the right to amend?

No. The right to amend is not a right to delete. It is a right to add a correction or statement to an existing record, not to remove the original entry. A covered entity that grants an amendment request appends the correction to the existing record - it does not replace or delete the original information.

A patient requests amendment of records we received from another clinic. Must we amend them?

No. Under 45 CFR § 164.526(a)(2)(i), a covered entity may deny an amendment request if the PHI or record was not created by the covered entity, unless the individual provides a reasonable basis to believe the originating entity is no longer available to act on the request. The clinic should direct the patient to request amendment from the originating entity.
