
ITRC Fact Sheet 130A

Misinformation on medical records may be caused by human error or identity theft. It can lead to an inaccurate diagnosis of a condition and could be fatal if the information causes a drug interaction, allergic reaction or inappropriate diagnoses.

You should be able to fully correct medical records created in your name. HIPAA, the Health Insurance Portability and Accountability Act, is a federal law that protects patients from unauthorized access to personal medical information and addresses the problem of errors in medical records.

Health care providers are often unwilling to remove any information from your medical record because it may simply be a case of mixing two patients’ records and they don’t want to lose any information regarding either patient. Outlined below are steps that you can take to rectify mistakes in your medical records and protect yourself from the consequences associated with erroneous health records.

For the purpose of this information guide, all information provided is per HIPAA regulations. We suggest that you also check your state laws about any additional rules or regulations regarding healthcare privacy and record correction.

How to correct errors in your medical and insurance records

  • Request copies of your medical records from any health care provider where you feel your records may contain errors. If you are denied copies of your medical records, you have a right to appeal their decision. You are entitled to know what is in your medical records. If the provider still denies you access to your medical records 30 days after your written request, you have the right to file a complaint with the Office for Civil Rights in the U.S. Department of Health and Human Services.
  • HIPAA does not prohibit providers from charging a reasonable cost-based fee for copying records. The healthcare provider may allow you to read your records in-house and avoid those costs.
  • HIPAA requires that each hospital and health care provider post a notice of its privacy practices. You may also request a copy, as it describes your rights, including your right to ask for an “amendment,” or correction, to a medical record. This may also provide information about which department you need to talk with, or to write to, if you have questions or complaints.
  • Make notes about, or mark, any erroneous information you find on your medical records while you are reading the file. Ask the provider if you may write on the file or if you need to write down notes. Be specific as to the location of the misinformation, so you can find it again for the correction.
  • Speak with your individual healthcare provider or doctor. HIPAA does not require that they remove the erroneous information, but they must mark it and record a correction, called an amendment. You can request that the provider RED FLAG your file so other readers know there are at least two different patient records merged in the one file.
  • Per HIPAA, they must make amendments within 60 days. They can take an additional 30 days to act if they provide you with a written explanation of the delay.
  • Make sure that any other parties with whom information about your medical condition has been shared are also tracked down and notified of the correction. This list, or accounting of disclosures, includes other health care providers, insurance and pharmaceutical companies, benefits agencies, or employers that may have requested medical information with written approval by the employee. Health providers should have a list of the groups with whom they have shared your information. You may also have to request that list of other parties and send out corrective letters yourself.
  • If an entire medical file is not yours, you may try to have your name and SSN or medical record number removed from that file. There is no federal law that states they must do so, other than to note that it is “in error.” You will need to sit down with the legal department, compliance officer, or patient records manager and negotiate a resolution.
  • If the file is not amended, you have the right to request that a “statement of disagreement” be placed in your file, written by you, explaining the situation and itemizing the erroneous information. A “bullet format” works best for itemizing the misinformation. HIPAA does not address the length of your statement. Some states do, however. For ease in reading, ITRC recommends that you limit your statement to 250 words or less. If your statement is lengthy, people might be reluctant to take the time to read it.
  • Review every EOB, “Explanation of Benefits,” that you receive as well as medical bills for any possible use of your medical insurance by another person.
  • ITRC Letter Form 130A is a sample letter you may wish to use to make requests of the medical agency. Be sure to mail the letter “certified, return receipt requested.” Enclose identifying documents such as copies of your driver’s license and health insurance card. You may want to check with your provider to see if you need to include any additional information.


ITRC Fact Sheet FS 130 – Basic Medical Identity Theft

ITRC Letter Form LF 130A – Request for Medical Records – a nonprofit organization that studies medical privacy rights

U.S. Department of Health & Human Services – The area of medical privacy is complex. It is guided by HIPAA (U.S. Department of Health and Human Services), and your state laws.


This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to