HIPAA Technology and Clinical Research Guidance Library

1. Who is responsible for amendment of protected health information in an electronic health information exchange environment?

The HIPAA Privacy Rule designates a covered entity as the responsible party for acting on an amendment request. However, a health information organization (HIO), acting as a business associate of the covered entity, may be required by its business associate contract to perform certain functions related to amendments, such as informing other participants in the HIO’s health information exchange who are known to have the individual’s information, of the amendment. See 45 C.F.R. § 164.504(e)(2)(i)(F).

2. What are a covered entity’s responsibilities to notify others in a network if an amendment to protected health information is made?

Under the HIPAA Privacy Rule, a covered entity must make reasonable efforts to communicate an amendment to others in the network identified by the individual as needing the amendment, as well as generally to other parties that are known to have the information about the individual. It is also the entity’s responsibility to communicate the amendment within a reasonable timeframe. A health information organization (HIO), with the ability to track where information was exchanged in the past, or to otherwise identify where an individual’s information resides on the network, can assist the covered entity, as its business associate, in efficiently disseminating amended information to appropriate recipients throughout the electronic network.

The information presented in our library is for informational purposes only, they are not for implementation in operations. Please consult official HIPAA guidance documents for operational use.

This information was sourced from HIPAA FAQs for Professionals.