OCR Issues New HIPAA Privacy Rule FAQs 


FAQs Provide More Guidance to HIPAA Privacy Rule 

This week, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) released new and updated guidance on specific parts of the HIPAA Privacy Rule in the form of frequently asked questions (FAQ).  

The Privacy Rule sets national standards for protecting individually identifiable health information (protected health information, or PHI), limits how PHI can be used or disclosed (for example, under the Reproductive Health Care Privacy provisions), and grants individuals key rights, such as timely access to copies of their health records.

Key Clarifications on PHI Disclosures and Patient Access Rights 

The new and updated HIPAA FAQs clarify two key points: how covered health care providers are permitted to disclose PHI for treatment purposes within value-based care arrangements, and exactly what health information is included within a designated record set that patients have the right to access. 

New and Updated HIPAA Privacy Rule FAQs: 

New: Does the HIPAA Privacy Rule permit a covered health care provider to disclose protected health information to value-based care arrangements, such as accountable care organizations, for treatment purposes without the individual’s authorization?

Under the HIPAA Privacy Rule, covered health care providers may share PHI for treatment purposes—including with value-based care organizations like accountable care organizations—without an individual’s authorization. This allows PHI disclosures to any entity involved in a provider’s treatment activities and includes: 

  • coordinating care
  • managing care
  • consulting on care
  • referring care between providers

Updated: What personal health information do individuals have a right under HIPAA to access from their health care providers and health plans?

Under the HIPAA Privacy Rule, with limited exceptions, individuals can request access to their PHI in designated record sets, including medical, billing, claims, enrollment, case management, lab results, imaging, treatment notes (excluding psychotherapy notes), and other records used to make decisions about them. This applies whether the provider, health plan, or a business associate holds the data.  

However, access does not extend to records unrelated to individual care—such as quality improvement files, business planning documents, or legal preparation materials—although the underlying PHI in medical or payment records remains accessible. 

Aligning HIPAA Guidance with CMS’s Digital Health Care Goals 

The FAQs support the Centers for Medicare & Medicaid Services’ July 30, 2025, announcement regarding the development of a patient-centric, digital health care ecosystem that aims to improve patient outcomes, reduce provider burden, and increase value.  

In this initiative, the White House Administration will partner with private sector companies—including Amazon, Anthropic, Apple, Google, and OpenAI—to focus on two broad areas: promoting a CMS Interoperability Framework to easily and seamlessly share information between patients and providers, and increasing the availability of personalized tools so that patients have the information and resources they need to make better health decisions.    

“The Office of Civil Rights supports actions that improve the timeliness in providing individuals with access to their electronic protected health information, without sacrificing health information privacy and security,” said OCR Director Paula M. Stannard. 


Stay HIPAA Compliant

PrivaPlan’s HIPAA Privacy Assessment provides a comprehensive view of your PHI, including how it’s handled, who accesses it, and where it is stored. Our review offers the support you need to realign your HIPAA Privacy standards. 
