Get ready to comply with strict new privacy regs [or pay big fines]

Four PHI Rule Changes Coming in 2022

This article was updated August 8, 2022, to emphasize the rules are proposed and not in their final form.

Proposed new rules from the Health and Human Services (HHS) department put stricter guardrails on how and when healthcare organizations provide access to information. These proposed new rules will necessitate new procedures and practices to comply. Here’s is a rundown of the potential new rule changes.

1. A tougher new response deadline

Just about a year ago, on December 20, 2020, OCR issued a Notice of Proposed Changes. A public comment period ended February 2021, and the proposed new rules are anticipated to kick in this year.

One creates more urgency for you to fulfill requests. It cuts response time to information requests in half – from 30 to just 15 calendar days.

It’s just one more sign that HHS takes response time very, very seriously. Indeed, its Office of Civil Rights investigated 25 patient complaints in 2021 – and nearly all involved delays in making information available to patients.

2. Increased transparency

Another new proposed reg is far less severe but requires some thought and work on your part. It gives patients the right to review their Personal Health Information (PHI) in person, take notes, and make photographs. Which raises several questions:

  • Where will these reviews take place? Will it be in your Records department? In doctors’ offices? In that patient’s home? Some of the above? All of the above? Healthcare organizations will have to that sort out. 
  • How? You’ll have to consider format. If on paperhow do you get the PHI printed out and delivered? If as an Electronic Health Record (EHR), what must you do to help patients uncomfortable with computers access and read it? 

3. Greater disclosure

You’ll have to be more up-front about charges. New proposed regulations will require you to make the following updates on your web sites:  

  • Post estimated fee schedules for authorized access and disclosures 
  • Post individual estimated fees for requested PHI copies 
  • Provide itemized bills for completed requests 

The first two are one-time changes, and the third can be automated. 

One disclosure you’ll no longer have to make is printed pieces spelling out your privacy policies. You’ll no longer need to have another form for patients to sign acknowledging that you’ve offered them. 

4. More electronic information sharing 

When patients request you to share PHI with another healthcare provider or health plan, you can do it in an EHR instead of on paper. 

Prepare yourselves 

Ready or not, these proposed new privacy regulations will be here. So prepare yourselves:  

It’s better for your patients’ health, and your organization’s. 

How is your healthcare organization keeping up with regulatory changes like these? Read more about our regulatory monitoring process or schedule a demo.  

Jerry Shafran is the founder of YouCompli.

Subscribe for healthcare regulatory updates.

Sign up for demo
Request a demo of the YouCompli solution.