Individual Patient Rights vs HIPAA Security


At HIPAA One, we hope to have potential clients contact us with questions around HIPAA Compliance and risk management. As we post our phone number online, we sometimes get random questions from Individuals regarding their rights, employer questions, NPI management and complaints.

We recently had a call from a man complaining he has requested his Physician take more detailed notes about his encounters.  He has a medical condition that will be shared with other specialists.

His question was as follows:

“I have a great relationship with my Physician but his note-taking is very generic in nature.  I have asked him over the past year repeatedly to provide more details about my condition, observations and he says he will.  When they provide me with a copy of my encounter notes, they are still generic and [the clinic] has not entered in the details I requested.  This is concerning because other Physicians will need to know more details than generic diagnosis as I plan to see other specialists to help with my condition…”  “… Don’t I have rights to have my information edited the way I feel is necessary?”

After we responded to this concerned Individual, indicating that we are not legal counsel and that we do provide HIPAA risk management professional services and compliance software, he insisted we should know about his rights.

So at that point, I explained how there are provisions under 45 CFR Section 164.524 and 45 CFR Section 164.526 that the Clinic must honor in terms of allowing the amendment, documenting and either amending his record or providing a rejection with explanation as to why.

It sounds pretty elementary, right?

Then came the kicker, as stated by this individual, “What if they don’t comply or take me seriously?”

My answer, “You can let them know if they won’t edit your record or provide you with a reason why they will not, you can report them to Health and Human Services by filing a complaint.  If you meet the requirements, the Office of Civil Rights is required to investigate the complaint and audit your Physician’s clinic…”

He was very excited at the idea and responded, “I don’t want to get him in trouble.  I just want them to edit my record but no matter how many times I ask, they say they will but never do.  Thanks for your help I knew you would know what my rights would be.  Thank you.”

How do you handle the situation when a Physician will only put basic chart notes regarding the patient encounter, yet the patient is concerned for their health and feels powerless to have their record amended with the level of detail that would make them comfortable for their safety? It is not as if they can log in to their chart and make edits; they can only request it and have the clinic/office make the change.

There are several HIPAA citations I could reference here (e.g. 170.314(d)(4)) as part of the requirements for Critical Access Hospitals and Hospitals to prove they can amend patient records under Meaningful Use Stage 2.   And of course legally speaking, per above the Physician does have a responsibility to honor the patient’s request under their HIPAA Privacy rights.

Any organization that goes through a proper HIPAA Security and Privacy Risk Analysis will cover, among other things, the ability of the organization to do these amendments.  If not, the HIPAA Security Risk Analysis process will require the organization to “figure it out” using their EHR software (or write them if still using paper charts).

He did suggest that we call his Physician and require them to go through the process of the HIPAA Security Risk Analysis under 45 CFR Section 164.308(a)(1)(ii)(A), which is required of all Covered Entities. But that is, in my mind, extortion to some degree, and I requested he simply focus on his health condition and wished him improved health through his illness.

How would you respond to this concerned Individual?  Feel free to leave comments below or contact us if you would like to learn more about preparing for this, and all other scenarios under the HIPAA rule.








