Compliance Perspectives: Avoid HIPAA Violations When Denying Patient Requests to Amend PHI

On Sept. 9, 2019, the HHS Office for Civil Rights (OCR), the agency that enforces HIPAA rules, announced that it had done something it has never done before: settle an enforcement action for not complying with HIPAA provisions ensuring individuals access to their own protected health information (PHI). Rather than an outlier, the $85,000 settlement with a Florida hospital is an indication of where HIPAA enforcement is heading. Earlier this year, the OCR announced it was kicking off a new Right of Access enforcement focusing on the sometimes overlooked HIPAA patient access rights. Bottom Line: This would be an excellent time to review your current PHI access policies and procedures to ensure they meet HIPAA requirements. Let’s focus on a particularly troublesome aspect of PHI access: denying patients’ requests to amend their own PHI. When You Can Deny PHI Amendment Requests HIPAA requires labs and other covered organizations to give patients rights over their own PHI. That includes allowing patients to request amendments to their PHI. But HIPAA doesn’t say that you have to accept these requests. Denials are allowed in four situations:

• PHI is accurate and complete. You can deny an amendment request if you review the PHI in question and determine that it’s accurate and complete, i.e., you determine that there’s no erroneous or missing information that would justify making the requested amendment.
• PHI isn’t part of “designated record set.” You may also deny requests that aren’t part of the patient’s “designated record set,” which typically includes only a provider’s medical and billing records, a plan’s enrollment, payment and claims records and other materials used to make decisions about a patient.

 You didn’t create the PHI. You don’t generally have to let patients amend PHI that you didn’t create, e.g., requisitions for lab tests as opposed to lab test results. Exception: If the patient provides a reasonable basis to believe that the originator of the PHI is no longer available to the amendment request, e.g., the doctor who ordered the tests is dead and her practice is defunct, you must make your own determination about whether to grant the amendment request.    Privacy regulations restrict patient’s access to the PHI. Right to amend doesn’t apply to PHI that the regulations don’t give the patient the right to inspect, e.g., psychotherapy notes and PHI compiled in anticipation of a civil, criminal or administrative action.  How to Deny PHI Amendment Requests In addition to having a substantive basis for denial, you must comply with the rules for notifying patients when you nix their PHI amendment requests. Specifically, you must put the denial in writing and explain the rights patients have with regard to the denial. This is true even if you deny just part of the PHI requested. The deadline to furnish the written denial is 60 days from the date you receive the amendment request—subject to a 30-day extension that you may be able to get in some circumstances. The denial notice must also meet the criteria set out in the HIPAA privacy regulations, i.e., it must:

• Be written in plain language that’s easy to read and understand;
• State the reason for the denial, i.e., one of the four situations described above;
• List the patient’s right to submit a written statement disagreeing with the denial;
• Explain how the patient may file such a statement with the organization and any limitations on statement length that you impose;
• State that if the patient decides not to submit a statement of disagreement, he/she may ask the organization to include the amendment request and denial with any future PHI disclosures; and
• Describe how the patient can file a privacy complaint with your organization and/or to HHS; and
• List the name and title of and contact information for your privacy contact person.

Tool: Here's a Model Amendment Denial Letter that you can adapt for your own situation.