Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Section 164.526(a) - Right to Amend

12/28/2000

In proposed § 164.516, we proposed to establish the individual's right to request a covered health care provider or health plan to amend or correct protected health information about the individual for as long as the covered entity maintains the information.

In § 164.526 of the final rule, we retain the general proposed approach, but establish an individual's right to have the covered entity amend, rather than amend or correct, protected health information. This right applies to protected health information and records in a designated record set for as long as the information is maintained in the designated record set. In the final rule, covered health care providers, health plans, and health care clearinghouses that create or receive protected health information other than as a business associate must comply with these requirements.

Denial of Amendment

We proposed to permit a covered health care provider or health plan to deny a request for amendment if it determined that the protected health information that was the subject of the request was not created by the covered provider or health plan, would not be available for inspection and copying under proposed § 164.514, or was accurate and complete. A covered entity would have been permitted, but not required, to deny a request if any of these conditions were met.

As in the proposed rule, the final rule permits a covered entity to deny a request for amendment if the covered entity did not create the protected health information or record that is the subject of the request for amendment. We add one exception to this provision: if the individual provides a reasonable basis to believe that the originator of the protected health information is no longer available to act on the requested amendment, the covered entity must address the request for amendment as though the covered entity had created the information.

As in the proposed rule, a covered entity also may deny a request for amendment if the protected health information that is the subject of the request for amendment is not part of a designated record set or would not otherwise be available for inspection under § 164.524. We eliminate the ability to deny a request for amendment if the information or record that is the subject of the request would not be available for copying under the rule. Under § 164.524(a)(2)(ii), an inmate may be denied a copy of protected health information about the inmate. We intend to preserve an inmate's ability to request amendments to information, even if a copy of the information would not be available to the inmate, subject to the other exceptions provided in this section.

Finally, as in the proposed rule, a covered entity may deny a request for amendment if the covered entity determines that the information in dispute is accurate and complete. We draw this concept from the Privacy Act of 1974, governing records held by federal agencies, which permits an individual to request correction or amendment of a record "which the individual believes is not accurate, relevant, timely, or complete." (5 U.S.C. 552a(d)(2)). We adopt the standards of "accuracy" and "completeness" and draw on the clarification and analysis of these terms that have emerged in administrative and judicial interpretations of the Privacy Act during the last 25 years. We note that for federal agencies that are also covered entities, this rule does not diminish their present obligations under the Privacy Act of 1974.

This right is not intended to interfere with medical practice or to modify standard business record keeping practices. Perfect records are not required. Instead, a standard of reasonable accuracy and completeness should be used. In addition, this right is not intended to provide a procedure for substantive review of decisions such as coverage determinations by payors. It is intended only to affect the content of records, not the underlying truth or correctness of materials recounted therein. Attempts under the Privacy Act of 1974 to use this mechanism as a basis for collateral attack on agency determinations have generally been rejected by the courts. The same results are intended here.