Right to Amend PHI
Plain English Translation
Organizations must have procedures allowing individuals to request amendments to their PHI if they believe it is inaccurate or incomplete, and must respond to such requests within 60 days. If the amendment is denied, the individual must be informed in writing with the reason for denial.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Designate a specific privacy officer or compliance lead to manually receive, review, and process all PHI amendment requests.
- Create a standard paper or digital form for patients to formally request medical record corrections.
Required Actions (scaleup)
- Implement a ticketing system to track amendment requests, ensuring compliance with the 60-day response timeline.
- Develop a standardized template for amendment denial letters and statements of disagreement to ensure consistent regulatory language.
Required Actions (enterprise)
- Deploy patient portal workflows that allow individuals to digitally submit and track the status of their amendment requests.
- Automate the downstream notification process to alert business associates and health information exchanges whenever an amendment is approved.
The HIPAA right to amend PHI allows individuals to request corrections or updates to their protected health information if they believe it is inaccurate or incomplete within the designated record set.
It requires covered entities to permit individuals to request amendments to their PHI in a designated record set, and to maintain a formal, documented process to review and respond to these requests.
A covered entity must respond to an amendment request within 60 calendar days of receipt. A one-time 30-day extension is permitted if the individual is notified in writing of the delay.
Yes, a provider can legally deny a request if the PHI is deemed accurate and complete, was not originally created by the provider, or is not part of the designated record set.
A denial letter must be written in plain language and include the basis for the denial, the individual's right to submit a statement of disagreement, and instructions on how to file a formal complaint.
A designated record set includes the medical, clinical, and billing records maintained by or for an organization that are used, in whole or in part, to make decisions about individuals.
No, HIPAA generally requires amending or appending the record with the corrected information rather than permanently deleting, altering, or erasing historical clinical entries.
The patient has the right to submit a formal HIPAA statement of disagreement, which the organization must append to the medical record and include in any future disclosures of that specific PHI.
Organizations must meticulously document the original request, the internal review process, the final acceptance or denial decision, and any subsequent statements of disagreement submitted by the patient. Tools like WatchDog Security's Compliance Center can help organize these records as control evidence and monitor whether review steps remain on schedule.
Yes, if an amendment is formally accepted, the organization must make reasonable efforts to promptly notify relevant business associates and third parties who possess the amended PHI. Tools like WatchDog Security's Vendor Risk Management can help identify affected vendors and maintain a record of vendor-related follow-up activities.
PHI amendment requests create documentation risk because teams must retain the request, review notes, decision rationale, response timing, and any statement of disagreement. Tools like WatchDog Security's Compliance Center can centralize control evidence, assign owners, track due dates, and show whether required amendment-handling artifacts are current.
Organizations often miss amendment requirements when procedures are informal, outdated, or not acknowledged by the staff responsible for intake and review. Tools like WatchDog Security's Policy Management can maintain version-controlled PHI amendment procedures, route policy acknowledgements, and help demonstrate that workforce members received the current process.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-05 | WatchDog GRC Team | Initial publication |

