PHI Policy

Policy on Patient Access, Correction, and Data Transfer of Protected Health Information (PHI)

1. Purpose

The purpose of this policy is to ensure that patients have the right to access, correct, and transfer their Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and other applicable laws.

2. Scope

This policy applies to all workforce members, including employees, contractors, and business associates who handle PHI within curaJOY.

3. Policy Statement

3.1 Patient Access to PHI

  • Patients have the right to request access to their PHI as maintained in their designated record set.
  • Requests for access must be submitted using the Patient Access Request Form and directed to the Health Information Management (HIM) or Privacy Office.
  • The organization will respond to requests within 30 days of receipt, with one 30-day extension permitted if necessary.
  • PHI may be provided in electronic or paper format, as requested by the patient, if readily producible.
  • A reasonable, cost-based fee may be charged for copies of PHI in accordance with HIPAA regulations.

3.2 Request for Correction of PHI

  • Patients may request corrections or amendments to their PHI if they believe the information is incorrect or incomplete.
  • Requests for correction must be submitted using the PHI Correction Request Form and must include a reason for the requested amendment.
  • The organization will review and respond to correction requests within 60 days of receipt, with one 30-day extension if needed.
  • If the request is denied, a written explanation will be provided, and the patient has the right to submit a statement of disagreement.

3.3 Transfer of PHI

  • Patients may request the transfer of their PHI to another healthcare provider or entity.
  • Requests must be submitted using the PHI Data Transfer Request Form and specify the recipient and method of transfer.
  • Transfers will be completed within 30 days of approval, in a secure manner that protects the confidentiality of the PHI.

4. Security and Confidentiality

  • All PHI access, corrections, and transfers must comply with HIPAA Privacy and Security Rules.
  • PHI will only be disclosed to authorized individuals or entities as per patient consent or legal requirements.
  • Electronic transfers of PHI must be encrypted to prevent unauthorized access.

5. Compliance and Enforcement

  • Employees who fail to comply with this policy may be subject to disciplinary action.
  • Any violations of HIPAA or patient rights must be reported to the Privacy Officer immediately.

6. References

  • HIPAA Privacy Rule (45 CFR §164.524 & §164.526)
  • HITECH Act (2009) – Electronic PHI Transfers
  • Office for Civil Rights (OCR) Guidance on Patient Rights

7. Contact Information

For questions or requests regarding this policy, please contact:


Privacy Officer
curaJOY