CORRECTION AND THE HIPAA PRIVACY RULE
The Privacy Rule provides individuals with the right to have their protected health information (PHI) amended in a manner that is fully consistent with the Correction Principle in the Privacy and Security Framework. See 45 C.F.R. § 164.526. Both the Privacy Rule and the Correction Principle recognize that individuals have a critical stake in the accuracy of their individually identifiable health information and play an important role in ensuring the integrity of that data. Under the Privacy Rule, individuals have the right to have a covered entity amend their PHI in a designated record set, as defined in § 164.501, for as long as the entity maintains the records. The covered entity must act in a timely manner, usually within 60 days, to correct the record as requested by the individual or to notify the individual that the request is denied. When a correction is made, the covered entity must make reasonable efforts to see that the corrected information is provided generally to its business associates, such as a health information organization (HIO), and others who are known to have the PHI that was amended.
A covered entity may deny a requested amendment if it determines that the information is complete and accurate, and on limited other grounds. When a request is denied but the individual continues to dispute the accuracy of the information, the individual must be provided an opportunity to file a statement of disagreement with the covered entity, and the covered entity must provide documentation of the dispute with any subsequent disclosure of the disputed PHI.