
Does HIPAA Grant a Patient the Right to Change their Medical Record?, published by AHLA’s Health Law Weekly, written by Christopher Tellner, Esq. and Henry Norwood, Esq., 4-11-2025

Posted Apr 14, 2025

Kaufman Dolowich’s Christopher Tellner and Henry Norwood weigh in on a patient’s rights to change their medical record in the American Health Law Association Health Law Weekly article below. 

A patient’s medical record often holds the patient’s most sensitive information, including medical history, former and ongoing treatment, health conditions, and financial information. Of course, patients have a heavily vested interest in ensuring this information remains private, but also that the information is accurate. Accuracy of information in the medical record is typically a concern regarding providers’ opinions and subjective impressions that are included in the patient’s treatment notes. For example, a provider may indicate in their treatment notes that a patient presents as anxious or aggressive and the patient, likely reviewing the notes after the fact, may dispute this characterization. The dispute may also be more consequential, such as whether a patient refused treatment or whether a provider gave the patient warnings prior to rendering services. Can a patient demand a provider revise their medical record?

Federal law provides the answer to this question, including a detailed framework regarding the rights and responsibilities of patients and providers. Reviewing the legal requirements demonstrates the careful balance sought between a patient’s right to control their health information and a provider’s medical discretion and judgment in treating their patients.

HIPAA and a Patient’s Right to Amend

The Health Insurance Portability and Accountability Act (HIPAA) provides for the privacy and security of protected health information (PHI). In the context of the health provider-patient relationship, PHI is typically held by the provider in the form of a medical record. The medical record often includes reports, test results, and provider notes. Patients are entitled to a copy of their medical record, and they may disagree with its contents. This raises the question of whether a patient may request changes to their record.

HIPAA provides patients a right to amend their medical record, subject to four exceptions: (1) the record was not created by the provider (unless the provider who created the record is no longer able to amend the record); (2) the record is not part of the designated record set as defined under HIPAA regulations; (3) the record is not subject to inspection under HIPAA regulations (including psychotherapy notes and records created in anticipation of civil, criminal, or administrative legal proceedings); and (4) the record is accurate and complete in the reasonable opinion of the provider. The fourth exception is implicated when a provider’s notes regarding a patient’s diagnosis or some other matter are disputed by the patient, but the provider stands by their conclusions.

In accordance with HIPAA, if a provider receives a patient request to amend their record, the provider must act on the request within 60 days. If the provider agrees with the request, they must amend the patient’s record accordingly and notify the patient, and any business associates or other providers identified by the patient, of the amendment. If the provider disagrees with the request, the provider must notify the patient of the disagreement and inform them of their rights to submit a statement of disagreement and to demand that their amendment request and the provider’s denial be included in all transmissions of the patient’s record.

Statements of Disagreement and Rebuttals

If a provider denies a patient’s request to amend their record, the provider must offer the patient the right to submit a statement of disagreement with the determination. The statement of disagreement provides the patient the opportunity to state their position on a disputed aspect of their medical record. While the provider is not required to make an amendment with which they disagree, the provider must include the patient’s statement of disagreement with the patient record going forward. Similarly, once a patient submits a statement of disagreement, the provider has the right to submit a rebuttal statement, responding to the patient’s disagreement. The statement of rebuttal must be provided to the patient and may be included with the record.

No Private Right of Action

If a patient believes a provider has violated the HIPAA right to amend provisions, the patient has no ability to bring their own lawsuit. HIPAA does not permit a patient to sue a provider for right to amend violations. This rule has been upheld in several cases, including the 2024 case, Bondick v. Sanchez (D. Or. Mar. 13, 2024). A patient may, however, bring their complaint before the U.S. Department of Health and Human Services, which may initiate its own investigation into the provider’s conduct and impose monetary and nonmonetary penalties for violations.

It should also be noted that nearly every state in the country has passed some form of health information privacy law at the state level. These laws generally follow the scope of HIPAA and are prohibited from applying less stringent privacy requirements, but may apply more stringent privacy requirements. Importantly, many states expressly provide for a private right of action for breaches of health information privacy. Thus, even though HIPAA does not afford patients a private right of action to sue for HIPAA right to amend violations, applicable state law may provide such a private right of action.

Counsel for patients may also be able to circumvent the lack of a private right of action under HIPAA by raising common law causes of action against providers. Patients may still sue providers for HIPAA violations under such causes of action as breach of privacy or negligent nondisclosure. While HIPAA is not itself the basis for the suit, patients may cite to their provider’s breach of the right to amend rule as evidence of their breach of privacy or negligence. The lack of a private right of action is, therefore, often not a sweeping hindrance to any relief for HIPAA right to amend violations.

Conclusion

Medical records often include sensitive and potentially consequential patient information, so patients understandably want to know what their records contain, and challenges can arise when a patient disagrees with a provider’s documentation in the record. This can result in a patient’s desire to change the information in their record. Thanks to HIPAA, there are set guidelines in place for those who find themselves at odds regarding the contents of a medical record; therefore, it is imperative that patients and providers both be informed of their rights and obligations under HIPAA. This ensures all parties are acting within legal bounds and properly maintaining the pivotal patient-provider relationship.

About the Authors

Chris Tellner is Co-Chair of the Health Care/Managed Care practice group of Kaufman Dolowich LLP and Henry Norwood is an Associate within the group. They represent health care professionals, organizations, including health plans and administrators, patients, and facilities, including long-term care facilities, assisted living facilities, rehabilitation centers, and doctors in professional liability defense matters.

Copyright 2025, American Health Law Association, Washington, DC. Reprint permission granted.
