A patient calls your office and says, “My chart says I have a history of substance abuse, and that’s wrong. I want it removed.” Your office manager freezes. Can the patient make you change the record? Can you refuse? What if the information came from another provider? The right to request an amendment under HIPAA is one of the most misunderstood patient rights — by both patients and practices. Here is how 45 CFR 164.526 actually works and what your practice must do when the request arrives.
The Right to Request an Amendment
Under the HIPAA Privacy Rule, an individual has the right to request that a covered entity amend PHI maintained in a designated record set. This right applies to any information the practice uses to make decisions about the individual — medical records, billing records, insurance records, and case management files.
The operative word is “request.” The patient has the right to ask for an amendment, but the covered entity is not obligated to accept every request. HIPAA provides specific, limited grounds for denial. Understanding where that line falls is essential for handling these requests correctly and avoiding OCR complaints.
Timeline: 60 Days to Act
Your practice must act on an amendment request within 60 calendar days of receipt. A single 30-day extension is available if you provide the individual with a written explanation of the delay and the date by which you will complete your review. The maximum allowable timeline is therefore 90 days — and, as with records access requests, OCR expects that most requests should be resolved well before the deadline.
You may require amendment requests to be submitted in writing and to include a reason supporting the requested change. If you impose these requirements, you must inform individuals of them — ideally in your Notice of Privacy Practices.
When You Must Accept an Amendment
If the PHI in question is inaccurate or incomplete, and the amendment would correct or supplement it, you should accept the request. Common examples include:
- A misspelled medication name or incorrect dosage in the chart
- A diagnosis code that was entered in error
- An allergy notation that is factually wrong
- Missing information that makes the existing record misleading
When you accept an amendment, you must make the amendment (or append the correction) to the record, inform the individual that the amendment has been accepted, and make reasonable efforts to inform the persons or entities that the individual identifies as having received the inaccurate information, as well as those you know received it. If the PHI has been disclosed to business associates, you must inform them as well.
The Four Grounds for Denial Under 45 CFR 164.526
You may deny an amendment request in four specific situations:
- You did not create the information. If the PHI was created by another provider or entity, you may direct the patient to that originating source — unless the originator is no longer available.
- The information is not part of the designated record set. PHI maintained outside the designated record set (such as peer review files or quality assurance records) is not subject to the amendment right.
- The information is not available for inspection. If the PHI falls under one of the access exceptions in 45 CFR 164.524 (such as psychotherapy notes), it is also exempt from amendment requests.
- The information is accurate and complete. This is the most commonly invoked and most frequently disputed ground. If the existing record is factually correct and not misleading, you may deny the request even if the patient disagrees with it.
That last ground is where most of the friction arises. A patient may disagree with a clinical impression, a documented observation, or a risk factor notation. The physician’s professional judgment that the record is accurate and complete is a valid basis for denial — but it must be documented and communicated properly.
How to Issue a Proper Denial
If you deny an amendment request, you must provide the individual with a written denial that includes:
- The basis for the denial (one of the four grounds above)
- A statement of the individual’s right to submit a written statement of disagreement
- A statement that if no disagreement is filed, the individual may request that the original request and your denial be included with any future disclosures of the disputed PHI
- A description of how the individual may file a complaint with OCR or with your practice’s Privacy Officer
This is not optional. An undocumented or informal denial — such as a phone call telling the patient “we reviewed it and the record is correct” — does not satisfy HIPAA and leaves your practice exposed to an OCR complaint.
Statements of Disagreement and Rebuttal
If the patient submits a written statement of disagreement, you may prepare a written rebuttal. Both the statement of disagreement and your rebuttal (if any) must be appended to or linked with the disputed record. Whenever the disputed PHI is subsequently disclosed, the amendment request, denial, statement of disagreement, and rebuttal must accompany it — or at minimum a summary of this information.
This mechanism ensures that both perspectives are preserved in the record. The patient cannot force a change, but they can ensure their objection travels with the information.
Common Mistakes Practices Make
Based on OCR enforcement patterns and our work with healthcare practices through GuardWell’s compliance platform, these are the most frequent errors:
- Ignoring the request entirely. Failing to respond within 60 days is a violation regardless of whether the amendment would have been accepted or denied.
- Verbal-only denials. HIPAA requires a written denial with specific content. A phone call does not suffice.
- Deleting instead of amending. An amendment supplements the record — it does not erase it. The original entry should remain with the correction appended, not deleted.
- No tracking system. Without a log or workflow for amendment requests, practices lose track of deadlines and cannot prove compliance during an audit. Integrating this into your compliance risk management process protects you.
- Refusing to forward to the originator. If you did not create the information, you should help the patient identify the originating entity and direct them there, not simply deny and move on.
Practical Tips for Small Practices
Small practices should build a simple but documented workflow for amendment requests: log the request with a date stamp, assign it to the Privacy Officer or treating provider for review, document the determination, and communicate the outcome in writing within 60 days. Maintain a copy of all correspondence in the patient’s file and in a centralized compliance tracking system. Staff should be trained to recognize amendment requests and escalate them immediately rather than attempting to handle them informally.
Frequently Asked Questions
Can a patient demand that I delete a diagnosis from their record?
No. The HIPAA amendment right allows a patient to request a correction or supplement to information they believe is inaccurate or incomplete. It does not create a right to deletion. If the diagnosis is accurate based on clinical judgment, you may deny the request under the “accurate and complete” ground. The patient may file a statement of disagreement that will be appended to the record.
What if the amendment request involves records from a specialist who referred the patient to us?
If the disputed information was created by another provider, you may deny the amendment and direct the patient to request the change from the originating entity. However, if the originator is no longer available (e.g., the practice closed), you must consider the request yourself.
Do I need to notify other providers if I accept an amendment?
Yes. Under 45 CFR 164.526(c)(3), when you accept an amendment you must make reasonable efforts to inform persons identified by the individual and persons you know have received the inaccurate information and may have relied on it. This includes business associates who received the original PHI.
Is there a fee we can charge for processing an amendment request?
No. Unlike the right of access, there is no provision in 45 CFR 164.526 for charging a fee for processing an amendment request. You may not charge the patient for reviewing, accepting, or denying the amendment.
