In August 2025, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published new and revised guidance related to the HIPAA Privacy Rule. HHS-OCR added a new FAQ describing permitted disclosures of protected health information (PHI) to value-based care arrangements and updated an existing FAQ explaining which types of PHI are included in a designated record set and subject to the individual’s right to access. The FAQs support the Centers for Medicare & Medicaid Services’ (CMS) July 30, 2025 event hosted by the Trump Administration regarding the creation of a “patient-centric, digital health care ecosystem that will improve patient outcomes, reduce provider burden, and drive value in partnership with the major health care and information technology firms” (“Make Health Tech Great Again” initiative). The CMS announcement is available here.
New FAQ on treatment disclosures pursuant to value-based care arrangements
The new FAQ relates to disclosures made pursuant to value-based arrangements for treatment purposes. Within this FAQ, HHS-OCR states that the Privacy Rule generally allows PHI to be used or disclosed without restriction for treatment purposes, which includes disclosures of PHI to participants in value-based care arrangements, such as accountable care organizations. The FAQ further provides that “The definition [of treatment] incorporates the necessary interaction of more than one entity. As a result, a covered entity is permitted to disclose PHI, regardless of to whom the disclosure is made, where the disclosure is made for the treatment activities of a health care provider.” Additionally, within the FAQ, HHS-OCR further provides that a health plan may disclose PHI to a health care provider without the individual’s authorization to enable the health care provider to provide treatment as part of a value-based care arrangement.
The new FAQ on treatment disclosures pursuant to value-based care arrangements is available here.
Revised guidance on access to PHI and designated record sets
Pursuant to the HIPAA Privacy Rule, individuals have certain rights over their health records, including right to access, upon request, the PHI that pertains to them in one or more designated record sets maintained by or for the individuals’ health care providers and health plans (HIPAA covered entities). See 45 CFR § 164.524. The HHS-OCR FAQ on the PHI that individuals can access has been revised to incorporate consent forms for treatment. Accordingly, HHS-OCR has clarified that consent forms for treatment are available to individuals when they request their PHI in one or more designated record sets. When responding to a request for access to PHI, covered entities must ensure that consent forms for treatment are included in the designated record set.
Per HHS-OCR, among other PHI available, “individuals have a right to access a broad array of health information about themselves, whether maintained by a covered entity or by a business associate on the covered entity’s behalf, including medical records, billing and payment records, insurance information, clinical laboratory test reports, X-rays, wellness and disease management program information, consent forms for treatment, and notes” (emphasis added).
The updated FAQ on access to PHI and designated record sets is available here.
