Imagine you are in your office and your assistant informs you that an irate former patient is on the telephone. You locate the record and are ready for the call. Prepared to defuse the situation, whatever it may be, the call is transferred to your office. You learn that the patient was last seen two years ago and is embroiled in a custody battle with her ex-husband. The patient had requested and received her record with the plan, unbeknownst to you, to use the contents in the dispute. After a long, tearful diatribe, the patient insists that you change the medical record since she disagrees with your diagnosis of “mood disorder with suicidal thoughts.”
Most healthcare providers tend to reject such requests. After all, physicians and nurses are routinely lectured that the medical record should not, and cannot, be altered. This axiom is especially true when months, or years, have passed since the date of treatment. Also, documented assessments and diagnoses cannot be removed once they are in the medical record. Or can they?
If you are faced with this (or a similar) dilemma, do not simply dismiss the patient’s demand to modify the chart. If you are a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) purview, it allows patients the right to request that protected health information (PHI) be amended. The effect of this lesser known HIPAA provision means that a physician may not summarily deny a request to change the content of a medical record entry. At the same time, HIPAA is not intended to impede your routine record-keeping practices or eliminate your ability to use sound medical judgment in a clinical setting.
In order to properly comply with HIPAA and maintain professional autonomy, a physician must follow certain prescribed procedures. This article summarizes a suggested course to assist covered entities, including psychiatrists, when faced with a patient’s demand that the record be modified or changed.
Requests Should be in Writing
First, inform the patient that you will consider the request. It is important that this communication be in written form and mailed to the patient with a copy retained with the record. Your letter should state that the patient’s demand must be in writing, include the specific entry(ies) and the reason for the proposed change(s). Your letter should designate someone in your office responsible for receiving, processing, and retaining any amendment request and communicate the identity of that person to the patient. For most small practices, the treating psychiatrist should be designated. However, in a busy, multi-practitioner practice, an office manager or medical record administrator will likely be the best person to handle the matter.
HIPAA’s “Designated Record Set”
Next, identify your “designated record set.” The HIPAA privacy rules define the “designated record set” as:
1. A group of records maintained by or for a covered entity that is:
- the medical records and billing records about individuals maintained by or for a covered healthcare provider;
- the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- used, in whole or in part, by or for the covered entity to make decisions about individuals.
2. For purposes of this paragraph, the term “record” means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used or disseminated by or for a covered entity.1
Although the definition is potentially broad, you will be well served by gathering all the patient’s records maintained by you and/or your practice. Analyzing all the patient’s records in your custody will provide a solid foundation for any subsequent record modification or decision to deny the patient’s request. In addition, it assures the provider that the request pertains to information contained in the designated record set and addresses the scope of treatment provided. For example, you, as a covered entity, should not add a diagnosis that is outside your expertise or the capabilities of the facility, if applicable.
Importance of Timely Responses
Once you receive the written request from the patient that specifies the proposed changes, calendar a 60-day deadline to respond to the request. If you are not able to act on the request within 60 days, you may request a 30-day extension. Please note, you are allowed only one 30-day extension and you must inform the patient of the extension, in writing, before the expiration of the original 60-day deadline. This applies to both paper and electronic records.2
Inform Patient and Document Your Decision
After considering the content of the record set and the patient’s request, you may decide to comply with the patient’s suggested modifications to the medical record or perhaps a portion of the request. You must make a reasonable effort to inform the patient that the request has been granted in whole or in part. Specify where in the record the changes were made.
You should seek written authorization from the patient to notify other healthcare providers or other relevant person(s) such as health insurers of any changes that you made. If possible, refrain from deleting an entry entirely from the paper record. Instead, amend the record by adding updated data to the chart rather than merely removing the information. For electronic health records, any changes made will be recorded in the metadata. As an example, a patient notifies you and disputes your diagnosis of Bipolar Disorder. Instead, he believes the correct diagnosis is Major Depressive Disorder. If you decide to modify your original diagnosis, you should include a complete analysis of findings that lead to the correction.
Alternatively, you may decide to deny the patient’s request, in whole or in part. The grounds for denying the request may include the fact that the request is not part of the designated record set or that the medical record subject to the request was not created by you. Another legitimate reason may be that the chart or entry complained of is accurate and complete in its current form.
Again, any denial, in whole or in part, must be communicated to the patient in writing within 60 days and a copy of which should be incorporated into the medical record. This denial should contain the following information:
1. The rationale for your decision not to comply with the patient’s request.
2. A statement that tells the patient that he or she has the right to file a letter that disagrees with the denial.
3. A statement that tells the patient how the statement may be submitted.
4. Also state that you will provide the patient’s request for the amendment and the denial with any future requests for protected health information if the patient so chooses.
5. Describe how he or she may file a complaint with the Secretary of Health and Human Services.
6. If the patient decides to file a letter of disagreement, you have the option of writing a rebuttal. Any rebuttal letter must be sent to the patient with a copy retained in the record.
Amending in an EMR World
Providers with electronic medical records may face additional concerns when amending or modifying a record. Since there are many and varied electronic medical record systems, each may have unique design features. For example, some software systems may not provide a clear distinction between edited and original text. In most instances, it is advisable to work with the software vendor or health information management personnel prior to making an amendment.
Psychotherapy notes are treated differently under HIPAA. The patient does not have the right to read or amend psychotherapy notes created by covered entities. The rationale for this special protection is based on the concept that psychotherapy notes are the personal notes of the therapist and are intended to help him or her recall the therapy discussion.
Psychotherapy notes have a specific definition. According to HIPAA, they are “notes recorded (in any medium) by a healthcare provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session.” The definition excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: “Diagnosis, functional status, the treatment plan, symptoms prognosis and progress.”
To meet the definition of psychotherapy notes under HIPAA, the information must be separated from the rest of the individual’s medical record or retained in a tab with restricted access in the electronic health record.
Every healthcare provider confronted with a request to change, modify, amend or delete a chart entry should bear in mind that perfect charting is not required by HIPAA. The standard continues to be reasonable accuracy and completeness when creating and maintaining a medical record. HIPAA does not give individuals the right to alter their medical records. Patients may request an amendment or modification, but they do not have the authority to determine the final diagnosis and make unreasonable changes to their medical records.
Do not deny a demand to change the information in a record because the original entry was made in the distant past. It is essential that you, as a covered entity under HIPAA, assure that health information is as accurate as possible as the patient journeys through the healthcare delivery system.
We live in an age where a patient can browse the internet and obtain information pertaining to almost any symptom or diagnosis. Although the validity of this easily accessible data is often called into question, many doctors and facilities increasingly find their opinions being tested by their patients. To meet this challenge and maintain public trust, providers should follow the aforementioned procedure while maintaining a tenor of cooperation with a patient.
Keep in mind that laws vary from state to state. Be aware of your jurisdiction’s laws pertaining to alterations of the medical record as well as the principles of medical ethics. Don’t hesitate to consult with an attorney or risk management professional should you have questions.
1 HIPAA Privacy Rule of 2001 (45 C.F.R. § 164.526).