Q&A: Patient request to change medical record
Q: I work in patient registration at a hospital. A patient asked if they could have something in their medical record changed. I know that patients can request to see their whole medical record, but can they change it? What does HIPAA allow?
A: Patients do have the right to request amendments to their health information. Under the Privacy Rule, they may ask a covered entity (CE) to amend their PHI:
- In a designated record set
- For as long as the CE maintains the information
For providers, the designated record set includes medical records and billing records. For health plans, the designated record set includes enrollment, payment, claims adjudication, and case/medical management records.
It’s a good idea for CEs to require a written request for amendments, along with the rationale for the changes requested. If so, the Notice of Privacy Practices should include this requirement.
CEs must act on a request for amendment within 60 days of receipt. If the CE is unable to act on the request within 60 days, it may extend the time for up to 30 days. Only one extension is allowed, and the CE must give the individual a written statement of the reason for the delay and the date by which it will complete its actions on the request.
Sometimes an individual’s request for amendment is straightforward and easy to process. If a date of birth is recorded incorrectly at the time of admission, the registration system may be quickly updated to include the correct information. Other requests are more challenging. For example, an individual who disagrees with the report of a psychiatric consultation may want the consult removed from the medical record or want the diagnosis changed. In this case, the privacy officer (or a designee, such as the director of health information management) would meet with the psychiatrist who recorded the consultation to review the request.
Talk with your supervisor and/or the hospital’s privacy officer about these requests so you can follow the hospital’s procedures for handling them.
Editor’s note: This question was answered by Mary Brandt, MBA, RHIA, CHE, CHPS. Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Heidi Samuelson at hsamuelson@hcpro.com.