By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
Under the HIPAA Privacy Rule, individuals have the right to request an amendment to their protected health information if there is a concern about the accuracy of the information. The word amendment carries a certain understanding that may not align with the actual language of the Privacy Rule though. Parsing through the language of the regulation and seeing how it applies in reality can help avoid a mismatch of expectations and real results.
Dictionary Definition
How does the dictionary define amendment? The definition generally is the process of altering or amending a document. To help clarify the circular use of the word amending, that is defined as to change or modify for the better.
Taking the definitions at face value, a reasonable implicit understanding is that any perceived and agreed upon error or mistake will be changed so it is accurate.
Is that what HIPAA requires? Let’s look at the regulation.
Amendment of Protected Health Information (45 CFR 164.526)
Under the HIPAA Privacy Rule, an individual has the right to submit a request to a covered entity for an amendment to protected health information (PHI) maintained by the covered entity in a designated record set. As a quick reminder, the designated record set is the group of records maintained by a covered entity that includes all medical records and billing records as well as enrollment, payment, claims, and adjudication information that are used in whole or in part by a covered entity to make decisions about the individual who is the subject of the information. Accordingly, the designated record set is pretty expansive.
Once a request for amendment is submitted, the covered entity has 60 days to deny or grant the request.
Denying an Amendment
Why or when can the amendment request be denied? The regulation sets the following four instances when a request can be denied:
- The information was not created by the covered entity receiving the amendment request, unless the entity who did create the information is no longer available to act on the request;
- The information subject to the amendment request is not part of the designated record set;
- The information is not subject to the right of access, which practically means it is (i) in psychotherapy notes or (ii) compiled in or with reasonable anticipation of a criminal, civil, or administrative action or proceeding; or
- The information is accurate and complete. (45 CFR 164.526(a)(2))
If the request is denied, the covered entity must send the requesting individual a written notice explaining why the request is being denied. If the individual disagrees with the denial, the individual is permitted by the regulation to submit a written statement disagreeing with the denial. The individual can also ask for the initial request, denial, and response to be included with any future disclosure of the relevant PHI.
Accepting the Amendment
On a more positive note, the request can also be accepted and the amendment implemented. At a minimum, accepting an amendment means identifying the records impacted by the amendment and appending or otherwise providing a link to the location of the amendment. The individual who submitted the request also needs to be notified when the amendment is accepted. Part of the notification process is to receive the individual’s help in identifying who needs to be told about the amendment.
Once identification of who should be told about the amendment is done, then the covered entity needs to timely inform or provide the amendment to those identified parties. The covered entity also needs to tell applicable business associates or others that the covered entity knows hold the affected PHI about the amendment.
That is a brief summary of all of the key points of what the Privacy Rule says about the right to request an amendment.
What does Amending Do?
There is a big gap in what the language of the regulation says though. What does the amendment actually look like? The regulation sort of implies what happens. Once an amendment is accepted, the regulation notes that the covered entity needs to append the amendment to the affected part of the designated record set or provide a link to the location of the amendment. That description implicitly shows that the original language in the designated record set will not necessarily be changed or modified in a way that removes the original error.
Why won’t the record itself be wholly changed? Aside from the Privacy Rule not calling for that action, there is also an interaction with state law around medical records and when an official document can be altered. Commentary in the original Privacy Rule acknowledges that limitation on the scope of an amendment. For example, the commentary discusses a hypothetical situation where the wrong x-ray is included in an individual’s record. The commentary states that if agree exists that the wrong x-ray was included, then that problem should be noted and if state law allows then the wrong x-ray can be removed. The state law condition is the key determinant. That means there could be variation depending on physical location of exactly how the amendment can be implemented.
Given the limitation, in many instances, the likely outcome is just an additional notation in the record that a change was made. From the practical perspective, that outcome is probably different than the impact that many individuals may expect. Individuals likely think, not necessarily erroneously, that an amendment means the offending information will be completely removed.
To avoid the misalignment, covered entities can more proactively describe what the amendment process entails and what the end result can or will look like. At the same time, covered entities should likely keep an eye on what state law allows when it comes to actually modifying a record.
Conclusion
Demystifying what the different pieces of HIPAA actually do is important to level setting expectations and minimizing frustration. If the scope of the regulations is causing concern, then knowing that can inform advocacy for changing those regulations.
This article was originally published on The Pulse blog and is republished here with permission.