§164.526(c) Implementation specifications: Accepting the amendment. If the covered entity accepts the requested amendment, in whole or in part, the covered entity must comply with the following requirements.
(1) Making the amendment. The covered entity must make the appropriate amendment to the protected health information or record that is the subject of the request for amendment by, at a minimum, identifying the records in the designated record set that are affected by the amendment and appending or otherwise providing a link to the location of the amendment.
(2) Informing the individual. In accordance with paragraph (b) of this section, the covered entity must timely inform the individual that the amendment is accepted and obtain the individual’s identification of an agreement to have the covered entity notify the relevant persons with which the amendment needs to be shared in accordance with paragraph (c)(3) of this section.
(3) Informing others. The covered entity must make reasonable efforts to inform and provide the amendment within a reasonable time to: (i) Persons identified by the individual as having received protected health information about the individual and needing the amendment; and (ii) persons, including business associates, that the covered entity knows have the protected health information that is the subject of the amendment and that may have relied, or could foreseeably rely, on such information to the detriment of the individual.
Audit Inquiry
Does the covered entity have policies and procedures consistent with the established performance criterion for accepting requests for amendments?
Review policies and procedures for compliance with amendment criteria.
Obtain and review a sample of requests by individuals to amend their PHI or a record about the individual in a designated record set to determine whether they were addressed in accordance with the established performance criterion.