HIPAA Privacy Rule in Focus: OCR Sheds Light on PHI Disclosures and Access Rights
Thursday, August 21, 2025

On August 11, 2025, the Office for Civil Rights (OCR) published updated guidance relating to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (Privacy Rule) in the form of two new FAQs. The FAQs clarify the OCR’s position on (1) permitted disclosures of protected health information (PHI) to value-based care arrangements and (2) the scope of PHI that individuals may request access to under the Privacy Rule.

Treatment Disclosures to Value-Based Care Arrangements Are Permitted

Although the Privacy Rule typically requires an individual’s authorization for disclosure of their PHI, there are several exceptions, including disclosures for treatment purposes. Under the Privacy Rule, “treatment purposes” includes:

  • The provision, coordination, or management of health care and related services by one or more health care providers;
  • The coordination or management of health care by a health care provider with a third party;
  • Consultation between health care providers relating to a patient; and
  • The referral of a patient for health care from one health care provider to another.

The new FAQ clarifies that providers may disclose PHI for treatment purposes (without individual authorization) to participants in value-based care arrangements. The OCR notes that providers may still choose to obtain patient consent as a matter of practice. Value-based care is a healthcare model that ties payment to patient outcomes, such as quality and cost of care. Value-based care organizations include accountable care organizations and patient-centered medical homes.

The FAQ guidance is timely given the Centers for Medicare & Medicaid Services (CMS) July 30, 2025, announcement of its CMS Health Tech Ecosystem initiative. According to CMS, the initiative seeks to modernize digital health infrastructure through a voluntary Interoperability Framework, which aims to enhance information exchange and patient empowerment. The framework outlines criteria for participants across the health ecosystem, including health networks, electronic health record vendors, providers, payers, and digital health companies. Over 60 organizations—including Epic, Oracle Health, CVS Health, UnitedHealth Group, Microsoft AI, Google, and Apple—have pledged to become early adopters of the framework.

Against this backdrop, the OCR’s FAQ clarification aligns with CMS’s push for a more connected health data ecosystem, explicitly recognizing value-based care partners as permissible recipients of PHI for treatment purposes.

Request to Access PHI Includes Consent Forms for Treatment

The second new FAQ underscores the broad scope of an individual’s right to access their PHI within a designated record set, which includes medical records, billing records, enrollment files, case management records, and other documents used by providers to make decisions about an individual.

The OCR’s updated guidance specifically highlights that consent forms for treatment are included within the scope of a designated record set. Most providers and legal counsel were likely already treating such forms as subject to access rights, but the FAQ removes any lingering ambiguity.

At the same time, the FAQ reaffirms existing limitations on the right to access. Individuals do not have the right to access PHI that is not part of a designated record set and is not used to make decisions about them, such as:

  • Quality assessment or improvement records;
  • Patient safety activity records; and
  • Business planning documents.

Still, an individual has the right to access any underlying PHI from their designated record set. For instance, while a patient may not access a company’s internal memos related to formulary design, they do retain the right to access their prescription records and related claims data.

The OCR also reiterates that psychotherapy notes (when maintained separately from the medical record) and information compiled in reasonable anticipation of litigation both remain excluded from individual access rights.

This clarification comes in the context of the OCR’s Right of Access Initiative, launched in 2019 to focus enforcement efforts on patient right of access complaints. Since the launch of the initiative, the OCR has announced 53 enforcement actions to date. The most recent settlement, announced in March 2025, imposed a $200,000 civil monetary penalty on a provider that failed to provide timely access to a patient’s records. Providers are reminded that access requests must generally be fulfilled within 30 days and at a reasonable cost. Even though the initiative was launched six years ago, the recent enforcement actions and the new FAQ indicate that enforcement remains an active priority for the agency.

Takeaways

The new FAQs reflect the agency’s ongoing focus on two key areas: facilitating efficient data sharing, and monitoring compliance with patient access rights. For providers and business associates, these developments serve as a reminder to:

  • Review HIPAA policies to allow for and properly document permissible disclosures to value-based care entities;
  • Confirm that designated record sets include consent forms and that these forms are available in response to patient requests to access their PHI;
  • Reinforce processes for timely and cost-compliant responses to patient access requests in light of continued enforcement in this area.

As the federal administration continues to advance initiatives designed to increase interoperability and patient empowerment, health care organizations should proactively align compliance practices with evolving guidance.
