What to Do When a Patient Submits a "Statement of Disagreement" for Their Medical Record (§ 164.526(d)(2))

Executive Summary

Under HIPAA’s Privacy Rule, patients have the right to request amendments to their medical records. If a provider denies that request, the patient may submit a Statement of Disagreement under § 164.526(d)(2). This statement becomes part of the medical record and must be handled according to strict HIPAA rules. Small practices often mishandle these situations due to confusion over what must be included, when to respond, and how to document appropriately. This guide offers a clear roadmap for compliance, documentation, and avoiding retaliation or liability.

Introduction

It’s not uncommon for patients to disagree with information in their medical records, such as a diagnosis they believe is incorrect or a summary they feel misrepresents their history. HIPAA gives patients the right to request an amendment. If you deny that request, the patient has the right to submit a Statement of Disagreement, which you must accept, maintain, and distribute appropriately.

For small practices, this scenario may be rare but poses significant compliance risk if mishandled. This article explains what § 164.526(d)(2) requires and how to manage these situations without compromising patient trust or violating the law.

Understanding the Right to Amend

The Patient’s Amendment Right

Under § 164.526:

  • Patients may request to amend their PHI in designated record sets

  • You may accept or deny that request, based on whether the record is accurate and complete

  • If denied, the patient may submit a Statement of Disagreement, up to a reasonable length (e.g., 1–2 pages)

Your Obligation Upon Receiving a Statement of Disagreement

When a patient submits this statement:

  • You must include it with the original record

  • You must attach your written rebuttal, if you choose to write one

  • Both documents must be shared with future recipients of that PHI

  • You may not retaliate or alter access rights based on the disagreement

Case Study: The Overlooked Statement

In 2020, a patient receiving care at a family medicine clinic requested an amendment to their medical record. The patient argued that a progress note inaccurately stated they had “declined all treatment options,” which they believed misrepresented the facts and could negatively impact their care. The clinic’s provider denied the request, citing clinical accuracy and the provider’s professional judgment.

Following the denial, the patient submitted a formal, written Statement of Disagreement to be included in their record, as allowed under HIPAA regulations. However, the clinic failed to properly handle the patient’s statement in several critical ways:

  • The clinic did not append the Statement of Disagreement to the patient’s medical record.

  • Subsequent healthcare providers, including a referred cardiologist, were not informed about the patient’s disagreement or the disputed note.

  • The clinic did not document the rebuttal process or ensure that any PHI disclosures reflected the existence of the disagreement.

The patient later discovered that the cardiologist had reviewed only the original, unamended note during a referral, leading to a formal complaint filed with the Office for Civil Rights (OCR).

Upon investigation, OCR found the clinic had no established procedure for receiving, managing, and incorporating disagreement statements into the medical record. The patient’s statement was never added to the record, and PHI disclosures did not include any information about the disagreement, violating HIPAA’s patient amendment requirements.

Result:

The clinic entered into a resolution agreement that included a $25,000 financial settlement and a mandatory overhaul of its policies and procedures related to patient requests for amendments. The clinic was required to implement clear protocols for:

  • Receiving and processing amendment requests and disagreement statements

  • Documenting all steps in the rebuttal process

  • Ensuring all subsequent disclosures include relevant amendment or disagreement information

Lesson:

This case highlights the importance of complying fully with patient amendment rights under HIPAA. Denying amendments is allowed only when justified, but the patient’s right to submit a Statement of Disagreement must be honored and clearly documented. Failure to do so can lead to significant regulatory consequences and negatively impact patient care continuity.

Steps to Take When You Deny an Amendment and Receive a Statement of Disagreement

1. Review and Accept the Statement

  • The statement must be a written explanation of why the patient disagrees with your denial

  • You cannot refuse to accept the statement

  • There is no obligation to change the record, but you must retain and link the statement to the disputed PHI

2. Add the Statement to the Designated Record Set

  • Place the Statement of Disagreement in the patient’s medical record

  • Ensure it is linked to the specific note or section in question

  • Flag it for all future PHI disclosures from that section

3. Write and Attach a Rebuttal (Optional)

  • You may write a rebuttal to the patient’s disagreement

  • The rebuttal must be objective, professional, and non-retaliatory

  • Give a copy of the rebuttal to the patient

4. Include Both When Disclosing PHI

Under HIPAA, for all future disclosures of the disputed record:

  • You must include either:

    • The Statement of Disagreement and any rebuttal, or

    • A summary of both, if the full versions are too long

This applies to other providers, insurers, or any third parties who receive that part of the record.

5. Document the Entire Process

Maintain:

  • The original amendment request

  • Your written denial

  • The Statement of Disagreement

  • Any rebuttal

  • Communication logs (emails, letters)

  • Proof that you’ve updated record-sharing protocols

Common Pitfalls and How to Avoid Them

 

| Pitfall | Consequence | How to Avoid |
|---|---|---|
| Ignoring or discarding a Statement of Disagreement | Violation of § 164.526(d)(2); OCR penalties | Create a formal intake and tracking system |
| Refusing to distribute the statement with the record | Misleading third parties; possible harm | Link the statement to all PHI disclosures |
| Writing a hostile or unprofessional rebuttal | Retaliation risk; reputational harm | Use factual, respectful language in all rebuttals |
| Failing to notify staff | Mishandling of record disclosures | Train staff on how to recognize flagged PHI |
| Treating the patient differently afterward | HIPAA retaliation violation | Reinforce non-retaliation in policies and behavior |

 

Checklist: How to Handle a Statement of Disagreement

| Task | Responsible | Frequency |
|---|---|---|
| Document the original amendment request | Privacy Official | Per event |
| Provide written denial with explanation | Provider / Privacy Officer | Per event |
| Accept and log the Statement of Disagreement | Office Manager | Per event |
| Write optional rebuttal and send to patient | Privacy Officer | Per event |
| Link statement and rebuttal to PHI | Health IT / EMR admin | Per event |
| Include statement in future disclosures | Privacy Officer / Staff | Ongoing |
| Train staff annually on process | Compliance Officer | Annually |

 

Frequently Asked Questions

Can I reject a Statement of Disagreement if it’s too long?

You can request the patient shorten it if it’s excessive, but you may not refuse it altogether. Set reasonable length limits in your policy (e.g., 1–2 pages).

Do I have to notify HHS or OCR?

No. This is handled internally unless the patient files a complaint with OCR. However, proper documentation will protect you if that occurs.

What if the patient keeps demanding a change?

You are only required to process one formal amendment request. After that, you may inform the patient the process is complete.

Can I remove the statement after the patient leaves the practice?

No. It must remain part of the designated record set indefinitely, and HIPAA requires retention for at least six years.

Final Takeaways

The right to submit a Statement of Disagreement gives patients a meaningful way to express concerns when their request to amend a medical record is denied. It’s a critical part of HIPAA’s commitment to transparency and patient rights. For providers, respecting this right means more than passive acceptance; it requires active and careful handling.

When a patient submits a Statement of Disagreement, your practice must:

  • Accept and include the statement in the patient’s record without judgment or alteration. This shows respect for the patient’s perspective, even if you disagree clinically.

  • Document the entire amendment and disagreement process thoroughly. This includes recording the patient’s original request, the reason for denial, receipt of the disagreement statement, and any steps taken thereafter.

  • Ensure all future disclosures of the patient’s record include the Statement of Disagreement. This guarantees that other providers or entities receiving PHI have a complete and balanced understanding of the patient’s health information.

  • Avoid any form of retaliation or biased treatment against the patient. Upholding professional and ethical standards is essential to maintaining trust and compliance.

By treating the Statement of Disagreement process seriously and respectfully, your practice not only complies with legal requirements but also demonstrates accountability and empathy. Even in moments of disagreement, this approach builds patient trust and reinforces the integrity of your care.
