If a covered health care provider or health plan accepted a request for amendment, in whole or in part, we proposed to require the covered entity to make the appropriate change. The covered entity would have had to identify the challenged entries as amended or corrected and indicate the location of the amended or corrected information.
We also proposed to require the covered provider or health plan to make reasonable efforts to notify certain entities of the amendment: 1) entities the individual identified as needing to be notified and 2) entities the covered provider or health plan knew had received the erroneous or incomplete information and who may have relied, or could foreseeably rely, on such information to the detriment of the individual.
The covered provider or health plan would also have been required to notify the individual of the decision to amend the information.
As in the proposed rule, if a covered entity accepts an individual's request for amendment or correction, it must make the appropriate amendment. In the final rule, we clarify that, at a minimum, the covered entity must identify the records in the designated record set that are affected by the amendment and must append or otherwise provide a link to the location of the amendment. We do not require covered entities to expunge any protected health information. Covered entities may expunge information if doing so is consistent with other applicable law and the covered entity's record keeping practices.
We alter some of the required procedures for informing the individual and others of the accepted amendment. As in the proposed rule, the covered entity must inform individuals about accepted amendments. In the final rule, the covered entity must obtain the individual's agreement to have the amended information shared with certain persons. If the individual agrees, the covered entity must make reasonable efforts to provide a copy of the amendment within a reasonable time to: 1) persons the individual identifies as having received protected health information about the individual and needing the amendment; and 2) persons, including business associates, that the covered entity knows have the unamended information and who may have relied, or could foreseeably rely, on the information to the detriment of the individual. For example, a covered entity must make reasonable efforts to inform a business associate that uses protected health information to make decisions about individuals about amendments to protected health information used for such decisions.