OCR clarifies HIPAA privacy rule on value-based disclosures and access rights

New FAQs from the Office for Civil Rights offer guidance on treatment disclosures to value-based care partners and confirm patient access rights to consent forms.

 

What happened

On August 11, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) released two new FAQs clarifying how the HIPAA Privacy Rule applies to value-based care disclosures and individual access rights. The updated guidance aims to support data sharing in healthcare while reinforcing patients’ rights to access their health information.

The first FAQ confirms that providers may disclose protected health information (PHI) to participants in value-based care arrangements for treatment purposes without patient authorization. The second FAQ clarifies that treatment consent forms fall within the scope of a patient’s designated record set and must be made available upon request.

 

Going deeper

Under the HIPAA Privacy Rule, PHI may be disclosed without individual authorization for treatment purposes, which include coordination of care and referrals between healthcare providers. The OCR’s new FAQ explains that this allowance extends to value-based care arrangements, such as accountable care organizations and patient-centered medical homes.

This clarification aligns with the Centers for Medicare & Medicaid Services’ (CMS) broader push toward interoperability. CMS recently announced its Health Tech Ecosystem initiative and Interoperability Framework, which encourages collaboration across digital health entities. Over 60 companies, including Epic, Oracle, Google, and UnitedHealth Group, have pledged support for the framework.

The second FAQ affirms that patients have the right to access a broad set of records, including consent forms, as part of their designated record set. Exclusions remain in place for documents not used to make decisions about individuals, such as internal quality reviews or legal memos prepared in anticipation of litigation. However, any underlying data used to make care or coverage decisions must be made available.

 

The big picture

According to Robinson & Cole, the new FAQs show regulators’ “ongoing focus on two key areas: facilitating efficient data sharing, and monitoring compliance with patient access rights.” The firm advised providers to review HIPAA policies, ensure record sets include consent forms, and strengthen processes for responding to patient access requests. They noted that as the federal government pushes for greater interoperability and patient empowerment, organizations should “proactively align compliance practices with evolving guidance.”

 

FAQs

What is a designated record set under HIPAA?

A designated record set includes medical and billing records, enrollment and case management files, and other documents used to make decisions about a patient’s care or benefits.

 

Can value-based care partners be treated the same as traditional providers under HIPAA?

Yes. If the information is shared for treatment purposes, value-based care partners such as accountable care organizations may receive PHI without the patient’s prior authorization.

 

Are providers required to obtain consent before disclosing PHI to value-based care organizations?

No. Authorization is not required for treatment disclosures under the Privacy Rule, though providers may choose to obtain consent as part of their internal policies.

 

Why are consent forms now explicitly included in access rights?

The OCR clarified their inclusion to remove ambiguity. While many providers already treated consent forms as accessible, the update ensures consistent compliance across the industry.

 

What are common pitfalls that lead to Right of Access enforcement actions?

Delays in fulfilling access requests, unreasonable fees, or failure to include all required documents, like consent forms, can all trigger enforcement by the OCR.