Medical practices in the United States must now follow strict regulations about the way they handle patient data. The Health Insurance Portability and Accountability Act (HIPAA) aims to protect the security and privacy of patient data held in computerized systems and electronic health records (EHR). If your medical practice stores patient information electronically, patients will often need to update or delete their personal details. Learn more about the rules that relate to changes to patient data, and what you need to do to comply with HIPAA legislation.
Legislation protects patient data primarily through the HIPAA Privacy Rule and the HIPAA Security Rule. The HIPAA Privacy Rule sets out national standards for the management of protected health information (PHI). The Security Rule covers a subset of this information: all individually identifiable health information that a medical practice creates, receives, maintains or transmits in electronic form (e-PHI).
Patients have a number of important rights under HIPAA rules. These include:
- The Right to receive a Notice of Privacy Practices
- The Right to access PHI
- The Right to amend PHI
- The Right to an Accounting of Disclosures of PHI
- The Right to request a Specified Method of Communication
- The Right to request Restrictions on Use and Disclosure of Health Information
As such, when using electronic health records, medical practices must put in place robust rules and controls to meet these obligations. Administrative employees and practice managers may often need to deal with patient requests to amend personal details in EHR software.
Record retention and HIPAA protection
The law says that a person has the right to amend PHI and other medical records for as long as the covered entity (the medical practice) maintains the information in the designated record set. HIPAA regulations do not themselves include medical record retention requirements, but state laws will generally set limits on how long you hold a patient's records. For as long as you hold a patient's records, HIPAA privacy regulations apply.
Method and timing of requesting amendments
HIPAA legislation says that the covered entity may ask patients to request an amendment in writing. Medical practices should also ask for a reason for the revision, but you must tell patients about these requirements in advance. Upon receipt of a request to amend personal details, medical practices must take action within sixty days.
If you amend PHI, you must tell the patient that you have made the change. Where applicable, you must also ask for the patient's consent to share the amendment with other relevant parties. For example, where you have referred the patient to a specialist for treatment, you cannot share the details of the amendment without consent.
If you deny the amendment, you must tell the patient the reason for your decision in writing. You must also tell the patient that he or she can challenge the decision, and you must outline the process for doing this. You must also tell the patient that you can include the amendment request and your denial in any future disclosure of the PHI to which the request relates. You should also advise how the patient can complain to the relevant authorities.
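The request, decision and notification steps above map naturally onto a small amendment-request tracker that an EHR or practice-management system could keep alongside the designated record set. The following Python is an added illustration, not code from the original article or from any particular EHR product: it enforces the written-request-with-reason policy, computes the sixty-day response deadline, records acceptance or written denial, refuses to share an accepted amendment with a third party without the patient's consent, and attaches any denied request and its denial to later disclosures of the affected PHI. All patient data, dates and field names below are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional

RESPONSE_DEADLINE_DAYS = 60  # HIPAA: act on an amendment request within sixty days


class Status(Enum):
    RECEIVED = "received"
    ACCEPTED = "accepted"
    DENIED = "denied"


@dataclass
class AmendmentRequest:
    patient_id: str
    field_name: str            # element of the designated record set to change
    proposed_value: str
    reason: str                # practice announced in advance that a reason is required
    received_on: date
    status: Status = Status.RECEIVED
    decided_on: Optional[date] = None
    denial_reason: Optional[str] = None
    patient_notified: bool = False

    @property
    def deadline(self) -> date:
        return self.received_on + timedelta(days=RESPONSE_DEADLINE_DAYS)

    def is_overdue(self, today: date) -> bool:
        return self.status is Status.RECEIVED and today > self.deadline


@dataclass
class PatientRecord:
    phi: dict
    amendments: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)   # feeds the accounting of disclosures


class AmendmentTracker:
    """Hypothetical tracker; not an API of any real EHR system."""

    def __init__(self) -> None:
        self.records: dict[str, PatientRecord] = {}

    def receive(self, req: AmendmentRequest) -> date:
        # Written request must state a reason (policy disclosed in the privacy notice).
        if not req.reason.strip():
            raise ValueError("written amendment request must state a reason")
        rec = self.records[req.patient_id]
        rec.amendments.append(req)
        rec.audit_log.append((req.received_on, "amendment_requested", req.field_name))
        return req.deadline

    def accept(self, req: AmendmentRequest, decided_on: date) -> None:
        rec = self.records[req.patient_id]
        rec.phi[req.field_name] = req.proposed_value
        req.status, req.decided_on = Status.ACCEPTED, decided_on
        req.patient_notified = True   # patient is told the change was made
        rec.audit_log.append((decided_on, "amendment_accepted", req.field_name))

    def deny(self, req: AmendmentRequest, decided_on: date, reason: str) -> None:
        if not reason.strip():
            raise ValueError("denial must be in writing with a stated reason")
        rec = self.records[req.patient_id]
        req.status, req.decided_on, req.denial_reason = Status.DENIED, decided_on, reason
        req.patient_notified = True   # written denial, appeal process and complaint route sent
        rec.audit_log.append((decided_on, "amendment_denied", req.field_name))

    def share_amendment(self, req: AmendmentRequest, recipient: str, patient_consents: bool) -> None:
        # An accepted amendment goes to a referred specialist only with consent.
        if req.status is not Status.ACCEPTED or not patient_consents:
            raise PermissionError("amendment may not be shared without patient consent")
        rec = self.records[req.patient_id]
        rec.audit_log.append((req.decided_on, "amendment_shared", recipient))

    def disclose(self, patient_id: str, fields: list, recipient: str, on: date) -> dict:
        """Disclose the named PHI fields; attach any denied request and its denial."""
        rec = self.records[patient_id]
        package = {"phi": {f: rec.phi[f] for f in fields}, "denied_amendments": []}
        for a in rec.amendments:
            if a.status is Status.DENIED and a.field_name in fields:
                package["denied_amendments"].append(
                    {"field": a.field_name, "requested": a.proposed_value,
                     "patient_reason": a.reason, "denial_reason": a.denial_reason})
        rec.audit_log.append((on, "phi_disclosed", recipient))
        return package


def run_demo() -> tuple:
    """Constructed scenario: one accepted address correction, one denied diagnosis removal."""
    t = AmendmentTracker()
    t.records["P-0001"] = PatientRecord(phi={"address": "1 Old St", "diagnosis": "J45.9"})
    addr = AmendmentRequest("P-0001", "address", "2 New Rd", "moved house", date(2024, 1, 10))
    diag = AmendmentRequest("P-0001", "diagnosis", "", "employer must not see it", date(2024, 1, 10))
    t.receive(addr)
    t.receive(diag)
    t.accept(addr, date(2024, 1, 20))
    t.deny(diag, date(2024, 1, 25), "record is accurate and complete")
    return t, addr, diag
```

Running `run_demo()` shows the two outcomes the article distinguishes: the factual correction is applied and logged, while the request to remove an accurate diagnosis is kept as a denied request that travels with any later disclosure of that field.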
Why decline requests to amend
Practice managers should use professional judgment to decide when to decline a request to amend PHI. HIPAA legislation says that personally identifiable health information relates to "the past, present or future physical or mental health or condition of an individual...that identifies the individual". Many patients may want to change these details for inappropriate reasons.
For example, a patient may consent to the release of medical records to a potential employer. In this case, the patient may not want the employer to see details of a particular diagnosis or treatment episode, and may ask your practice to remove this information. This would not normally be grounds for a clinic to make any changes. Alternatively, if the request is to amend information that is incorrect or incomplete, medical practices would normally need to make the change.
Medical practices should consult the Department of Health and Human Services in the first instance, if it is unclear whether it is appropriate to agree to any request to amend PHI.
Electronic health records make it easier to store patient information, but strict privacy regulations control medical practice responsibilities. To avoid penalties, practice managers must make sure that all internal procedures comply with these regulations.