The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released an updated guidance about some changes to the HIPAA Privacy Rule, including a new FAQ about allowed PHI disclosures to value-based care arrangements and an updated FAQ about the types of personal health data that people can get access to.
The new FAQ pertains to disclosures to value-based care arrangements, including accountable care organizations, for purposes of treatment and follows the HHS Centers for Medicare and Medicaid Services (CMS) announcement concerning the steps being done to enhance interoperability and stop information blocking. During a July 30, 2025 White House event, the Trump Administration talked about getting commitments from a number of tech companies to focus on interoperability and simple apps that enable patients to have better results and healthcare experience by means of seamless sharing of data among patients and healthcare providers.
At the event, the CMS revealed voluntary specifications for trustworthy, patient-centered, and useful data exchange that will be available for all types of network – Electronic Health Records (EHR), health information networks and exchanges, and technological platforms. The idea is to develop a digital health care environment that will enhance patient results, minimize provider load, and generate value.
The new FAQ clarifies that the Privacy Rule normally permits the use and disclosure of PHI without limit for treatment reasons. This consists of PHI disclosures to individuals involved in value-based care arrangements, for example, accountable care companies. The FAQ also explains the incorporation of the needed interaction of multiple entities. Consequently, a covered entity is allowed to share PHI, irrespective of to whom the PHI is disclosed, as long as it is done for the treatment steps of a health care company.
This means that a patient does not need to give their consent before a HIPAA-covered healthcare company can share PHI for the treatment actions of another healthcare company, as long as the two are treating the patient via a value-based care arrangement like an accountable care company. The same goes to PHI disclosures by health plans to healthcare providers, as long as the disclosure allows the healthcare service provider to give treatment within a value-based care arrangement.
As per HIPAA, patients have specific rights with regard to their health data, such as the right to secure a copy of their data (in a number of specified record sets) and request modifications to correct errors. The FAQ about the types of personal health data that people can access has been modified to include authorization forms for getting treatment.
According to the updated FAQ, patients have a right to obtain a variety of health data concerning themselves from a covered entity or its business associate. The following data can be accessed: health records, billing and payment data, insurance details, clinical lab test reports, X-rays, wellness and disease care program details, authorization forms for treatment, and notes (like SOAP notes or clinical case notes).
Image credit: IB Photography, AdobeStock
