Earlier this month, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a new Frequently Asked Question (FAQ) on the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, which establishes national standards to safeguard “protected health information,” or “PHI.”
The guidance was announced in a post by HHS OCR, which states that the new FAQ is intended to support a new initiative by the Centers for Medicare & Medicaid Services (CMS) called the Digital Health Technology Ecosystem. Launched on July 30, 2025, CMS’s Health Technology Ecosystem aspires to modernize the nation’s digital health care data exchange and “Make Health Tech Great Again” by “promoting a CMS Interoperability Framework to easily and seamlessly share information between patients and providers, and increasing the availability of personalized tools so that patients have the information and resources they need to make better health decisions,” according to the post. Specifically, CMS aims to enable connected networks in which, among other goals, health care providers receive the data they need at the point of care, patients can easily access and share their health information, and payers can support outcomes- and value-based models through appropriate data exchange.
HHS OCR issued the guidance on access to and disclosure of PHI under the HIPAA Privacy Rule in response to privacy concerns raised about disclosures of sensitive patient health information to parties not regulated by HIPAA under CMS’s new digital health initiative. Specifically, the new FAQ addresses disclosures made pursuant to value-based arrangements for treatment purposes. The FAQ asks: “[d]oes the HIPAA Privacy Rule permit a covered health care provider to disclose protected health information to value-based care arrangements, such as accountable care organizations, for treatment purposes without the individual’s authorization?”
The response begins by explaining that the Privacy Rule generally permits covered entities to use or disclose PHI for treatment purposes without the individual’s authorization, which includes disclosures of PHI to participants in value-based care arrangements (e.g., accountable care organizations). HHS OCR goes on to clarify that, because the Privacy Rule’s definition of “treatment” necessarily contemplates interaction among more than one entity, “a covered entity is permitted to disclose PHI, regardless of to whom the disclosure is made, where the disclosure is made for the treatment activities of a health care provider” (emphasis in original). In other words, the new FAQ clarifies that disclosures of PHI for treatment purposes are not limited to entities directly regulated by HIPAA; they may be made to any entity, so long as the purpose of the disclosure is the treatment activities of a health care provider.