
HHS issues new HIPAA privacy rule FAQs 

Written by Gugu Ntsele | Aug 25, 2025 10:34:36 PM

The U.S. Department of Health and Human Services Office for Civil Rights issued new and updated Frequently Asked Questions interpreting the HIPAA Privacy Rule, clarifying PHI sharing requirements for value-based care arrangements and reinforcing patient access rights to designated record sets.

 

What happened

HHS OCR released deregulatory guidance in the form of FAQs about the HIPAA Privacy Rule that align with CMS's focus on creating a patient-centric, digital health care ecosystem. The guidance includes one new FAQ and one updated FAQ that address critical aspects of PHI disclosure and patient rights.

The new FAQ clarifies that covered health care providers may disclose PHI to value-based care arrangements, such as accountable care organizations, for treatment purposes without patient authorization. The updated FAQ reinforces that individuals' right of access extends to all information in a designated record set, including clinical, billing, and other records used to make decisions about the individual, regardless of whether the provider or another source created the records.

 

Going deeper

The new FAQ specifically addresses value-based care arrangements like accountable care organizations, removing previous ambiguity around PHI sharing for treatment purposes. This change potentially streamlines data exchange between healthcare providers and their value-based care partners.

The updated FAQ emphasizes OCR's broad interpretation of designated record sets, which heightens compliance risks for providers who fail to produce all applicable records upon patient request. The guidance subjects clinical, billing, and other decision-making records to patient access requirements, regardless of their origin.

 

What was said

According to the HHS announcement, "The FAQs support the Centers for Medicare & Medicaid Services' July 30, 2025, announcement regarding the creation of a patient-centric, digital health care ecosystem that will improve patient outcomes, reduce provider burden, and drive value."

The guidance states that "covered health care providers are permitted to disclose PHI to value-based care arrangements for treatment purposes and what health information is included in a designated record set and thus subject to the individual's right to access such information."

 

In the know

Value-based care arrangements are healthcare delivery models where providers are compensated based on patient health outcomes rather than the volume of services provided. Accountable care organizations are specific types of value-based care arrangements where groups of providers coordinate care for Medicare patients and share responsibility for quality and costs.

A designated record set under HIPAA includes medical records, billing records, and any other records used by covered entities to make decisions about individuals. This encompasses information created both internally and from external sources.

 

Why it matters

This guidance directly impacts healthcare organizations participating in value-based care models by removing regulatory barriers to treatment-focused data sharing. For providers in accountable care organizations and similar arrangements, this clarification eliminates the need to obtain patient authorization for PHI disclosures related to treatment, potentially accelerating care coordination and improving patient outcomes.

The reinforced interpretation of designated record sets creates compliance implications. Healthcare organizations must ensure their systems can identify and produce complete patient records from all sources when requested, not just records they created internally. This expanded scope increases the operational burden on health information management teams and elevates the risk of right of access violations if providers cannot produce all applicable records within HIPAA's required timelines.

 

The bottom line

Healthcare providers should immediately review their HIPAA policies to incorporate these clarifications on value-based care PHI sharing and conduct internal audits to ensure complete compliance with right of access requests. Organizations must verify that their electronic health record systems and data warehouses can support comprehensive responses to patient record requests that include all designated record set information, regardless of origin.


 

FAQs

Does the new FAQ apply to both Medicare and private-sector value-based care models?

The guidance focuses on treatment purposes broadly, so it is not limited to Medicare arrangements.

 

Could these clarifications affect data-sharing rules under state privacy laws?

The FAQs do not address state laws, but providers must comply with both HIPAA and stricter state requirements.

 

Does this guidance have any impact on de-identified health information?

The FAQs deal only with PHI, so de-identified data remains outside their scope.