OCR Publishes New and Updated HIPAA Privacy Rule Guidance
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published new and updated guidance on certain aspects of the HIPAA Privacy Rule, adding a new FAQ on permitted disclosures of PHI to value-based care arrangements and updating an FAQ on the types of personal health information that individuals can request access to.
The new FAQ relates to disclosures to value-based care arrangements, such as accountable care organizations, for treatment purposes and follows an announcement by the HHS Centers for Medicare and Medicaid Services (CMS) about the steps being taken to improve interoperability and prevent information blocking. At a White House event on July 30, 2025, the Trump Administration explained that commitments had been obtained from several tech firms to work on interoperability and user-friendly apps that empower patients to improve their outcomes and their healthcare experience through seamless sharing of information between patients and providers.
At the event, the CMS unveiled voluntary criteria for trusted, patient-centered, and practical data exchange that will be accessible for all network types—health information networks and exchanges, Electronic Health Records (EHR), and tech platforms. The plan is to create a digital health care ecosystem that will improve patient outcomes, reduce provider burden, and drive value.
The new FAQ explains that “The Privacy Rule generally allows PHI to be used or disclosed without restriction for treatment purposes. This includes disclosures of PHI to participants in value-based care arrangements, such as accountable care organizations.” The FAQ goes on to explain that, “The definition [of treatment] incorporates the necessary interaction of more than one entity. As a result, a covered entity is permitted to disclose PHI, regardless of to whom the disclosure is made, where the disclosure is made for the treatment activities of a health care provider.”
That means that a patient is not required to give their authorization before a covered healthcare provider can disclose PHI for the treatment activities of another healthcare provider, as long as both providers are treating the individual through a value-based care arrangement, such as an accountable care organization. The same applies to disclosures of PHI by health plans to healthcare providers, provided the disclosure enables the healthcare provider to provide treatment as part of a value-based care arrangement.
Change Guidance on Access to Personal Health Information
Under HIPAA, individuals have certain rights over their health records, including the right to obtain a copy of their records (in one or more designated record sets) and request changes to correct inaccuracies. The FAQ on the types of personal health information that individuals can access has been updated to include consent forms for treatment.
Per the updated FAQ, “Individuals have a right to access a broad array of health information about themselves, whether maintained by a covered entity or by a business associate on the covered entity’s behalf, including medical records, billing and payment records, insurance information, clinical laboratory test reports, X-rays, wellness and disease management program information, consent forms for treatment, and notes (such as clinical case notes or “SOAP” notes (a method of making notes in a patient’s chart)”