ITRC Fact Sheet 130A - Correcting Misinformation on Medical Records
This guide covers:
- Information on correcting medical and insurance records
Misinformation on medical records may be caused by human error or identity theft. It can lead to an inaccurate diagnosis of a condition and could be fatal if the information causes a drug interaction, allergic reaction or inappropriate diagnoses.
You should be able to fully correct medical records created in your name. HIPAA, the Health Insurance Portability and Accountability Act, is a federal privacy act that protects patients from unauthorized access to personal medical information and addresses the problem of errors in medical records.
Most health providers are reluctant to completely remove information from a record or to transfer it to another file due to legal issues, nor are they required by HIPAA to do so. Their legal departments are concerned that, should the imposter (patient B) come in for further treatment and use your name (patient A) again, they will not have access to the records needed to treat patient B. Another problem is that there is a patchwork of state laws that also dictate the actions of health care providers.
For the purpose of this information guide, all information provided is per HIPAA regulations. We suggest that you also check your state laws about health care privacy and record correction.
Information on correcting medical and insurance records:
- Ask to see a copy of your medical record. HIPAA requires health providers to either supply you with the requested records within 30 days or ask for more time. If they deny your request, they must state the reason in writing. Note: An agency may decline to grant access to records pertaining to a physical or psychological condition if the agency determines that this disclosure may be detrimental to the individual. §164.524 Access of individuals to protected health information.
- HIPAA does not prohibit providers from charging a reasonable, cost-based fee for copying records. They may also allow you to read your records in-house and avoid those costs.
- HIPAA requires each hospital and health care provider to post a notice of its privacy practices. You may also request a copy, as it describes your rights, including your right to ask for an “amendment,” or correction, to a medical record. This may also provide information about which department you need to talk with, or to write to, if you have questions or complaints.
- Make notes about, or mark, any erroneous information you find on your medical records while you are reading the file. The manner you use will depend on the format of the file. Ask the provider if you may write on the file or if you need to write down notes. Be specific as to the location of the misinformation, so you can find it again for correction.
The following items are listed in HIPAA §164.526 Amendment of protected health information.
- Speak with your individual health care provider or doctor. HIPAA does not require they remove the erroneous information but they must mark it and record a correction, called an amendment. You can request that the provider RED FLAG your file so other readers know there are at least two different patient records merged in the one file.
- Per HIPAA they must make amendments within 60 days. They can take an additional 30 days to act if they provide you with a written explanation of the delay.
- Make sure that any other parties with whom information about your medical condition has been shared are also tracked down and notified about the correction. This includes: other health care providers, insurance and pharmaceutical companies, benefit agencies, or employers that may have requested medical information with written approval by the employee. Health providers should have a list of the groups with whom they have shared your information. Per HIPAA, you may ask that providers NOT share health information with certain people, groups or companies. However, they do not have to agree to do what you ask. You may also have to request that list of other parties and send out corrective letters yourself.
- If an entire medical file is not yours, you may try to have your name and SSN or medical record number removed from that file. There is no federal law that states they must do so, other than note that it is “in error.” You will need to sit down with the legal department, compliance officer, or patient records manager and negotiate for a resolution.
- If the file is not amended, you have the right to request that a “statement of disagreement” be placed in your file, written by you, explaining the situation and itemizing the erroneous information. A “bullet format” works best for itemizing the misinformation. HIPAA does not address the length of your statement. Some states do, however. For ease in reading, ITRC recommends that you limit your statement to 250 words or less. If your statement is lengthy, people might be reluctant to take the time to read it.
- Review every EOB, “Explanation of Benefits,” that you receive as well as medical bills for any possible use of your medical insurance by another person.
- ITRC Letter Form 130A is a sample letter you may wish to use to make requests of the medical agency. Be sure to mail the letter “certified, return receipt requested.” Enclose identifying documents such as copies of your driver’s license and health insurance card. You may want to check with your provider to see if you need to include any additional information.
ITRC Fact Sheet 130 – Basic Medical Identity Theft
U.S. Department of Health & Human Services - The area of medical privacy is complex. It is guided by HIPAA (U.S. Department of Health and Human Services), and your state laws.
This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to ITRC@idtheftcenter.org.
© Copyright 2010 by Identity Theft Resource Center. Created by ITRC staff