the information for which they are responsible. The HIE should
be able to confirm that the information from the source CE is
available to other HIE participants in a form that is both accurate and complete. Confirmation should be accomplished
through both documentation of data flows and robust testing
of the use cases. In other words, test the amendment process.
Testing the inclusion of the amendment denial information in
future disclosures is an important part of overall testing. Understanding the capabilities of each application between the CE
and HIE will allow for a design to be developed and thoroughly
tested before implementation.
Policies will also need to address the appropriate timeframe
for responding to a patient requesting an amendment of PHI.
The policy should detail which entity is responsible for reviewing the request, either granting approval or denying the request,
notifying the patient of the decision, and following the appeals
process if the patient chooses to appeal a denial of an amendment request. The HIE’s policy will need to address the methods
by which erroneous information is corrected and disputed denials are documented. 1
Training for Processing Amendments
Education and training for both HIE staff and CE staff is critical.
Ideally, the HIE participation agreement will address the steps
the HIE is responsible for and how they communicate with the
CE once an amendment request is brought to their attention.
The CE will also have its policies and procedures on how to
handle a request for amendment. Each entity is responsible for
training their staff on how to handle an amendment request.
If they become aware of a request, the HIE will have processes
for notifying the CE. The HIE will also have to ensure the process
for receiving the updated amendment or notification and ensuring the information is connected to the appropriate record,
then notify all CEs that originally received the initial document.
It is vital that all staff understand the full amendment process and know which entity is responsible for each step in the
amendment process. Failure to adequately understand the roles
of all those involved can result in a breakdown in the amendment process. Such breakdown could compromise patient care
due to a significant error that is not corrected in a timely manner
and/or a violation of a patient’s HIPAA rights if the amendment
process is not properly followed.
Amendments Involving the HIE
Generally, the CE that created the documentation in question de-
termines whether to grant the amendment request or deny it. One
challenge with an HIE may be identifying the originating provider
if the patient directs the request to the HIE or to another provider
who obtained the health information through the HIE. It is impor-
tant that the HIE or the provider who receives the amendment re-
quest from the patient have a designated process for identifying the
originating provider so that the amendment request may be passed
along to that provider. If the identity of the originating provider is
not evident by reviewing the PHI in question, the HIE administra-
tor may be called upon for assistance in identifying the originating
provider and forwarding the amendment request. The HIPAA Pri-
vacy Rule requires all amendment requests be processed within 60
days of the date of the initial request (with 30-day extension). There
must be clear processes with time frames for the HIE to notify the
originating provider of the amendment request. If the CE grants the
amendment request, it must generate the amendment, notify the
patient, and relay the changes to all involved parties. In the event
the request is denied, the patient must be notified in writing and fol-
lowing the conclusion of the patient appeal procedure, the CE must
append the following information to the PHI that is in question: the
amendment request, the CE’s denial, the patient’s statement of dis-
agreement, and the CE’s rebuttal. The appended information, or an
accurate summary thereof, must be included with any subsequent
disclosures of the PHI related to the amendment request.
CEs must understand the role the HIE plays in updating or
correcting any patient data that has been placed with the HIE.
Depending upon the design and workflow of the HIE, it may
be necessary for HIE employees to manually remove or correct
data within the HIE databases that has been sent by the CE. If
the information is manually removed, the audit trail must reflect who made the change, the organizations, and the date
and time. Alternatively, the CE may choose to have the patient
“opted-out” of HIE until the correction can be made. HIE participants need to make sure the HIE has a sufficient number of
employees to handle correction needs in a timely manner. CEs
may also find that there is a combination approach for which
the HIE employees will make certain changes, such as manually
removing two pages of Patient A’s radiology report which were
inadvertently included with Patient B’s radiology report, while
the provider is tasked with uploading a corrected surgery report
that had listed “right hip” rather than “left hip.” It is important
that the HIE and the participants have clearly delineated which
party is responsible for specific actions.
Notification of Amendment
Part of providing accurate and complete information involves updating any other providers who may have relied upon the incorrect information. In order to reach out to those other providers, the
originator of the data must be able to determine whether the data
has been accessed during the time period after it was sent to the HIE
and prior to the data’s correction and, if so, by whom. Therefore, it
is important to know whether the information system used by the
HIE has a robust audit trail. It is also important to know whether a CE
can run its own audit trail of the information system or whether the
provider must rely on the HIE employees to supply the information.
Once an HIE receives any updated or corrected information,
the HIE makes the information available to its participants. If a CE
makes updates to the medical record, that updated information
will be available to any participant who accesses the information
going forward. Most HIEs track where information is distributed.
However, there are typically no alerts to notify providers when information has changed. The onus is usually on the provider who
must access or request the latest information from the HIE. Data
with a corrected status is usually shown with the “old” data to keep
the data in context. Newer data is usually appended, not deleted,
so the history can be tracked. In the case where data has been
applied to the wrong patient, that data is removed to avoid deci-