Per the notice below, the United States Office for Civil Rights (OCR) has issued updated Frequently Asked Questions (FAQs) on the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

New and Updated HIPAA Privacy Rule Frequently Asked Questions

The U.S. Department of Health and Human Services, Office for Civil Rights, issued deregulatory guidance in the form of frequently asked questions (FAQs) about the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.  The HIPAA Privacy Rule establishes national standards to protect individually identifiable health information, sets limits and conditions on the uses and disclosures of protected health information (PHI), and gives individuals certain rights, including the right to timely access and to obtain a copy of their health records.  The FAQs support the Centers for Medicare & Medicaid Services’ July 30, 2025 announcement regarding the creation of a patient-centric, digital health care ecosystem that will improve patient outcomes, reduce provider burden, and drive value.  Specifically, the HIPAA FAQs address how covered health care providers are permitted to disclose PHI to value-based care arrangements for treatment purposes, and what health information is included in a designated record set and thus subject to the individual’s right to access such information.

New and Updated FAQs:

• New.  Does the HIPAA Privacy Rule permit a covered health care provider to disclose protected health information to value-based care arrangements, such as accountable care organizations, for treatment purposes without the individual’s authorization?
• Updated.  What personal health information do individuals have a right under HIPAA to access from their health care providers and health plans?

In addition to the Privacy Rule, OCR enforces the HIPAA Security and Breach Notification Rules.  These rules, collectively known as the HIPAA Rules, set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers) and business associates must follow to protect the privacy and security of PHI.  Guidance about the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule can be found on OCR’s website.  If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at: https://www.hhs.gov/ocr/complaints/index.html.