
Balancing Confidentiality and Compliance: HIPAA and PHI Amendment

A recent post by a health care attorney asked colleagues for input on a thorny issue.

What advice should they give to provider clients who are asked by a patient diagnosed with gender dysphoria to delete all references in the patient’s record to that diagnosis and to gender-affirming care?

In addition to confidentiality and patient well-being concerns, patient requests to amend PHI raise HIPAA compliance issues. Ultimately, the provider must do what is best for their patient.


Whether this means agreeing to make a requested amendment or not, when an amendment request is received, procedures under HIPAA must be followed within specific timeframes. Healthcare providers must understand the procedural steps for responding to a request to amend any type of PHI, and factors to consider and discuss with patients when deciding how best to respond to the patient’s request.[i]

Section 164.526 of the HIPAA Privacy Rule gives patients the right to ask their physician or other health care provider to amend the PHI in the patient’s medical and billing records the provider maintains.[ii]  It also permits the provider to deny the request for an amendment in certain instances, such as when the subject PHI is “accurate and complete.”[iii]

Regardless of the subject of the amendment, a provider can say “no” to a patient’s request to amend or delete an accurate diagnosis or treatment documentation. Other reasons to deny an amendment request include when the PHI is not part of the provider’s record, or is part of the record but was created by another provider, or the PHI is not available to the patient for inspection under HIPAA section 164.524(a).[iv]

Providers who decide to grant a patient’s request to amend have 60 days from the date the request is received to make the amendment, notify the patient in writing that it has been made, and, with the patient’s signed consent, notify other covered entities of the amendment. At a minimum, amending PHI requires identifying the patient’s record(s), or the portion of the record, that contains the PHI to be amended, and appending to the subject PHI either the amendment itself or, in electronic PHI, a link to the amendment’s location in the record.

Providers who decide to deny a request for amendment have 60 days to give the patient written notice of the denial. The notice must state the reason for the denial, the patient’s right to submit a written statement of disagreement, the process for submitting the statement, and the patient’s right to file a complaint with the provider’s HIPAA privacy officer. The amendment request and denial notice should be appended to the subject PHI in the patient’s record.

If the patient submits a statement of disagreement, the provider may reply with a written rebuttal. Even if the patient does not disagree with the denial in writing, the provider must include the patient’s amendment request and the denial notice with any subsequent disclosure of the PHI.

Given these compliance requirements, before accepting or denying a patient’s amendment request, but especially when the subject PHI is accurate and complete, the provider will want to discuss the reason for the request with the patient. This discussion should also include the provider’s ethical and legal obligations to protect the privacy of the PHI, when and to what entities disclosure is permitted, the potential consequences of making the amendment, and whether it will accomplish what the patient wants.

For example, Medicare and most commercial insurers require a well-documented diagnosis of gender dysphoria to authorize coverage for treatment.[v] If a payor requires a documented diagnosis to cover medically necessary care for a patient’s condition, deleting that diagnosis from the patient’s record could result in coverage denial. It is also not necessarily feasible to revise or delete PHI in electronic medical records on its face. Thus, HIPAA allows a link to the location of the amendment to be appended to the PHI – which is not itself changed or deleted.

Two more considerations when deciding to grant or deny a patient’s amendment request are the application of the Federal “Information Blocking Rule,” which imposes penalties on providers that block the access, exchange or use of electronic health information, and the 2024 amendments to HIPAA to support reproductive health care privacy as they relate to PHI concerning gender-affirming care. Our article in the April issue of the Lexington Medical Society Newsletter will discuss those regulations in more detail.[vi]

Sarah Charles Wright is a corporate and healthcare law attorney with Sturgill, Turner, Barker & Moloney, PLLC. She can be reached at swright@sturgillturner.com or (859) 255-8581.

This article originally appeared in the Lexington Medical Society March 2025 Newsletter. It is intended as a summary of state and/or federal law and does not constitute legal advice.

[i] Requests to amend PHI in a minor’s health record are beyond the scope of this article.
[ii] 45 C.F.R. § 164.526 applies to requests to amend PHI in a “designated record set,” which includes a patient’s medical and billing records kept by the provider. See 45 C.F.R. § 164.501.
[iii] 45 C.F.R. § 164.526(a)(2)(iv).
[iv] 45 C.F.R. § 164.524(a)(1) and (2). Examples include PHI in psychotherapy notes, or PHI where providing access to it is reasonably likely to cause substantial harm.
[v] Medicare coverage is determined case-by-case, see https://www.cms.gov/medicare-coverage-database/view/article.aspx?articleid=53793; see also, e.g., https://providernews.anthem.com/kentucky/articles/prior-authorization-requirement-changes-effective-may-1-2024-35-18530; https://www.uhcprovider.com/content/dam/provider/docs/public/policies/comm-medical-drug/gender-dysphoria-treatment.pdf. Kentucky Medicaid excludes coverage.
[vi] 45 C.F.R. Part 171 (as amended 12/16/2024); and 89 Fed. Reg. 32976 (04/26/2024).