HIPAA Privacy Rule Patient’s Right to Amend Their Health Information

1. HIPAA Privacy Rule Patient’s Right to AmendTheir Health Information July 18, 2013 David Holtzman, JD, CIPP/G Senior Health Information Technology & Privacy Policy Specialist HHS Office for Civil Rights HHS/OCR July 2013

2. Right to Amend45 CFR 164.526 • Standard: An individual has right to have covered entity (CE) amend protected health information (PHI) or a record about the individual in a designated record set (DRS) as long as it is maintained in a DRS HHS/OCR July 2013

3. Handling Amendment Requests • CE must permit requests to amend • May require a written request and a reason if it gives advance notice of its requirements in the Notice of Privacy Practices • Amend or append in whole or in part and inform individual and others as appropriate in 60 days if amendment accepted • One 30 day extension by written notice to patient supported by explanation of why extra time needed • Must act on notifications from other CEs of amendments HHS/OCR July 2013

4. Denials of Amendment Requests • CE must give written notice of denial with basis, including individual’s right to submit statement of disagreement in 60 days • One 30 day extension by written notice to patient supported by explanation of why extra time needed • CE may provide rebuttal to statement • CE must thereafter include request, denial, disagreement and rebuttal in DRS and all disclosures (or disclose accurate summary) HHS/OCR July 2013

5. Amendment Applies to Entire Designated Record Set (DRS) • An individual’s right of amend generally applies to the information that exists within a covered entity’s designated record set(s), including: • a health care provider’s medical and billing records, • a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems • any information used, in whole or in part, by or for the covered entity to make decisions about individuals. • A record is any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for the covered entity. • See 45 C.F.R. § 164.501 (definition of “designated record set”) HHS/OCR July 2013

6. Designated Record Sets • CEs that use EHRs must remain cognizant that the right of amend applies regardless of the information’s format. • The term “designated record set,” not limited to information contained in an electronic record, but also will include any non-duplicative, electronic or paper-based information that meets the term’s definition. HHS/OCR July 2013

7. Obligation to Notify & Maintain Amendments • CE must notify those identified by patient as having received the PHI and needing the amendment • CEs that utilize a business associate to maintain or otherwise operate its electronic records (e.g., EHR or PHR) will want to ensure the BA is obligated to include any amendment request, denial, disagreement and rebuttal in the DRS and all disclosures (or disclose accurate summary) • The same would be true if a health information organization (HIO), as a BA, maintains an electronic repository of some or all of a covered entity’s PHI HHS/OCR July 2013