New and Updated HIPAA Privacy Rule FAQs

Baker Donelson

1. What's Changed?

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued new and updated Frequently Asked Questions (FAQs) interpreting the HIPAA Privacy Rule. These additions align with the Centers for Medicare & Medicaid Services' (CMS) focus on the creation of a patient-centric, digital health care ecosystem to improve patient outcomes, reduce provider burden, and drive value.

2. Who's Feeling the Impact?

  • Hospitals, Physician Groups, and Integrated Delivery Networks participating in value-based care models
  • Accountable Care Organizations (ACOs) and other collaborative care entities receiving PHI for treatment purposes
  • Health Plans and Managed Care Organizations subject to the right of access provisions
  • Health Information Management, Compliance, and Privacy Officers responsible for HIPAA compliance and patient rights
  • IT and Data Exchange Teams enabling PHI disclosures and record access

3. Why Should Health Care Providers Care?

  • Regulatory Clarity: The new FAQ removes ambiguity around whether PHI can be shared with value-based care partners for treatment without patient authorization, potentially streamlining data exchange.
  • Compliance Risk: The updated FAQ underscores OCR's broad interpretation of the designated record set, heightening the risk of right of access violations if providers fail to produce all applicable records upon request.
  • Operational Burden: Providers must ensure that systems, workflows, and policies can identify and produce the full designated record set in a timely manner.

4. What's Your Next Move?

Review HIPAA policies to determine if they should be updated to address PHI sharing with value-based care partners for treatment purposes, consistent with the new FAQ. In addition, confirm staff education on what constitutes a designated record set and the scope of an individual's right of access. Conduct internal audits to ensure patient requests for right of access are fulfilled completely and within required timelines. Verify that electronic health record systems, data warehouses, and other repositories can support complete and secure responses to right of access requests.

For convenience, the full text of the HHS announcement is reproduced below:

New and Updated HIPAA Privacy Rule Frequently Asked Questions

Today, the U.S. Department of Health and Human Services Office for Civil Rights issued deregulatory guidance in the form of Frequently Asked Questions (FAQs) about the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The HIPAA Privacy Rule establishes national standards to protect individually identifiable health information, sets limits and conditions on the uses and disclosures of protected health information (PHI), and gives individuals certain rights, including the right to timely access and to obtain a copy of their health records.

The FAQs support the Centers for Medicare & Medicaid Services' July 30, 2025, announcement regarding the creation of a patient-centric, digital health care ecosystem that will improve patient outcomes, reduce provider burden, and drive value. Specifically, the HIPAA FAQs address how covered health care providers are permitted to disclose PHI to value-based care arrangements for treatment purposes and what health information is included in a designated record set and thus subject to the individual's right to access such information.

New and Updated FAQs:

  1. New. Does the HIPAA Privacy Rule permit a covered health care provider to disclose protected health information to value-based care arrangements, such as accountable care organizations, for treatment purposes without the individual's authorization?
  2. Updated. What personal health information do individuals have a right under HIPAA to access from their health care providers and health plans?

In addition to the Privacy Rule, OCR enforces the HIPAA Security and Breach Notification Rules. These rules, collectively known as the HIPAA Rules, set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers) and business associates must follow to protect the privacy and security of PHI. Guidance about the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule can be found on OCR's website.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Baker Donelson