OCR updates HIPAA FAQs following health tech initiative launch

OCR updated some HIPAA Privacy Rule FAQs in support of CMS' recent health tech initiative launch, providing clarity on permitted PHI disclosures.

The HHS Office for Civil Rights, or OCR, updated its HIPAA Privacy Rule frequently asked questions to include guidance on permitted disclosures of protected health information to value-based care arrangements and the types of PHI individuals can request access to under HIPAA.

HHS said that the new and updated FAQs support CMS' July 2025 launch of its health tech ecosystem initiative. The initiative aims to create a patient-centric healthcare ecosystem through a new interoperability framework and a series of pledges from major tech companies, patient-facing app developers and payers to increase the availability of personalized digital health tools.

The HIPAA Privacy Rule FAQs do not constitute changes to HIPAA regulations. Rather, they provide clarity on certain aspects of HIPAA to help covered entities understand the law's complexities.

"Specifically, the HIPAA FAQs address how covered health care providers are permitted to disclose PHI to value-based care arrangements for treatment purposes, and what health information is included in a designated record set and thus subject to the individual's right to access such information," OCR said in a statement.

PHI disclosures to value-based care arrangements

The newest FAQ asks: "Does the HIPAA Privacy Rule permit a covered health care provider to disclose protected health information to value-based care arrangements, such as accountable care organizations, for treatment purposes without the individual's authorization?"

Value-based care is a form of reimbursement that ties payment amounts to patient outcomes. Examples of value-based care models include accountable care organizations, bundled payments and patient-centered medical homes.

In response, OCR clarified that the HIPAA Privacy Rule does permit a covered entity to disclose PHI without authorization from a patient to participants in value-based care arrangements for treatment purposes.

OCR reasoned that the Privacy Rule defines "treatment" as "the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another."

"Thus, the definition incorporates the necessary interaction of more than one entity," OCR stated, meaning that a covered entity could disclose PHI, "regardless of to whom the disclosure is made," as long as that disclosure is made for treatment purposes.

OCR updates guidance on patient access to health records

The second FAQ included in OCR's announcement is a minor update to an existing question, rather than a new inquiry.

"What personal health information do individuals have a right under HIPAA to access from their health care providers and health plans?" the FAQ asks.

Patients have a right to request a copy of their health information from covered entities under HIPAA. The updated FAQ expanded the types of information that patients can request to include consent forms for treatment.

Individuals have a right to request information maintained by a covered entity or business associate, including "medical records, billing and payment records, insurance information, clinical laboratory test reports, X-rays, wellness and disease management program information, consent forms for treatment, and notes," OCR clarified.

As federal initiatives strive to make the health tech ecosystem more interconnected, covered entities must navigate the HIPAA compliance complexities that come with these efforts. Guidance from OCR on how to proceed will play a crucial role in ensuring that covered entities and their growing list of business associates remain compliant during industry-wide health tech shifts.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
