This installment covers what happens if changes occur to protected health information
Patients accessing their protected health information may give rise to another patient right under the Health Insurance Portability & Accountability Actthe right to request an amendment to PHI, or to a record about the patient, contained in the designated record set.
HIPAA requires a covered entity to allow a patient to request an amendment for as long as the PHI or patient record is maintained in the designated record set. The covered entity may require that the request be made in writing and contain a reason for the requested amendment. However, HIPAA does not require that the covered entity agree to all amendment requests.
A covered entity may deny the patient's request if it determines that the PHI or patient record that is the subject of the request: was not created by the covered entity, unless the patient provides a reasonable basis to believe that the person who originally created the PHI is no longer available to act on the request; is not part of the designated record set; would not be available for access by the patient under the HIPAA rules on access to PHI; and/or is accurate and complete.
If the request is denied, the covered entity must provide the patient a written statement, in "plain language," containing information on the following:
The patient's written statement disagreeing with the denial must include the basis for the disagreement, and the covered entity may reasonably limit the length of the statement. The covered entity may prepare a written rebuttal and a copy must be provided to the patient.
Although an amendment request can be denied, there actually may be an error or inaccuracy in the PHI or patient record that needs to be corrected by the covered entity accepting the request. If it is accepted, the covered entity must inform the patient in writing and make the necessary change. The entity must also ask the patient to identify other persons with whom the entity needs to share the amendment and obtain the patient's agreement to do so.
If the patient identifies other persons, and agrees to the sharing, the covered entity must, within a reasonable time, share the amendment with them. In addition to persons identified by the patient, the covered entity must share the amendment with those it knows have the PHI or patient record and may rely on it to the detriment of the patient.
Whether the amendment is accepted or not, it is essential that the patient's written request be maintained. Further, the PHI that is the subject of the request must have the information relating to the change appended to it, or contain a link to the location of the information. This information would include, in the case of a denial, the patient's written amendment request and the covered entity's written statement denying the request. It would also include, if prepared, the patient's written statement disagreeing with the denial and the covered entity's written rebuttal. Any future disclosure of the PHI or patient record must include this information, as applicable.
For example, a family practice physician refers a patient to a specialist, and the specialist contacts the pharmacy requesting the patient's profile in order to identify all of the patient's current medications. Six months ago, the patient requested an amendment to the patient profile, and the pharmacy properly denied it based on one of the reasons for denial. Then the patient submitted to the pharmacy a written statement disagreeing with the denial, and the pharmacy prepared a written rebuttal and gave a copy to the patient.
Based on this scenario, the patient's amendment request, the pharmacy's statement denying it, the patient's statement disagreeing with the denial, and the pharmacy's rebuttal must all be appended to the profile when it is sent to the specialist.
A request for an amendment must be acted uponeither accepted or deniedby the covered entity no later than 60 days from receipt of the request. The only exception to this is a onetime, 30-day extension, obtained by sending the patient a written statement, within the 60-day period, containing the reason for the delay and the date by which the request will be acted upon.
Two additional rules must be remembered. First, if a covered entity notifies another covered entity that it has amended its PHI or patient record, the other entity must also amend its PHI or record, as applicable. Second, a covered entity must document the titles of the persons or offices responsible for receiving and processing amendment requests and retain the documentation.
Walter Fitzgerald. HIPAA Today: Requests for amendments to PHI.
Nov. 17, 2003;147:54.