Feds Issue New HIPAA Guidance to Speed Patient Record Access

Federal regulators issued fresh HIPAA Privacy Rule guidance to remove friction when patients ask for their own medical records. New FAQs from HHS OCR clarify what information is included in a “designated record set” and confirm providers may disclose PHI to value-based care arrangements for treatment—moves that dovetail with CMS’s new interoperability framework.

Federal health officials have published new HIPAA FAQs aimed at speeding patient access to records and smoothing data sharing for treatment, the latest step in Washington’s campaign to make health information easier to obtain and exchange across apps, providers and health plans.

  • The Department of Health and Human Services’ Office for Civil Rights (OCR) released updated HIPAA Privacy Rule FAQs clarifying two issues: (1) when providers may disclose protected health information (PHI) to value-based care arrangements for treatment, and (2) what constitutes a “designated record set” that must be produced to patients upon request.
  • The refresh complements CMS’s recently announced Health Tech Ecosystem initiative and Interoperability Framework, a voluntary, standards-based blueprint intended to expand patient access to data through modern identity and app-based exchange.
  • OCR’s FAQ reiterates that disclosures of PHI to entities participating in value-based care—such as ACOs—are permitted for treatment without patient authorization under the Privacy Rule.
  • The “designated record set” extends beyond the clinical chart to billing, claims, case management and other records used to make decisions about an individual; psychotherapy notes and certain non-decision records remain excluded.
  • The guidance lands as the administration presses for a “patient-centric, digital healthcare ecosystem,” recruiting major tech and health systems to enable more seamless, secure sharing of records through vetted apps and modern identity—while privacy advocates continue to scrutinize guardrails.

“The FAQs don’t rewrite HIPAA, but they do remove ambiguity that slows down releases of records and collaboration in value-based care.” — Marianne Kolbasuk McGee, BankInfoSecurity reporter, summarizing expert reactions to OCR’s move.

“For those who understand HIPAA, nothing is new. Clarification on items like peer review not being in the designated record set likely stems from recurring inquiries.” — Rachel V. Rose, regulatory attorney, on the practical impact of the FAQs.

“This framework is a voluntary, open, standards-based blueprint to put patients and providers first.” — Centers for Medicare & Medicaid Services (CMS), Interoperability Framework overview.

How requests should be fulfilled now

  • Scope: Covered entities must provide all PHI within any designated record set—not only the EHR “chart”—including billing and claims records used to make decisions about the patient.
  • Exclusions: Psychotherapy notes kept separately and PHI not used to make decisions (e.g., certain business planning docs) remain out of scope.
  • Format & timeliness: HIPAA’s right-of-access timeline and format rules still apply; delays due to uncertainty over record-set boundaries should diminish as staff lean on the clarified definitions.

Disclosures for value-based care

  • Permitted without authorization: Sharing PHI with value-based care participants for treatment is allowed under the Privacy Rule’s existing treatment exception; the FAQ confirms this explicitly.
  • Guardrails: Minimum necessary does not apply to treatment, but entities should maintain access controls, audit logging and BAAs when appropriate.

Mitigations & compliance steps

  1. Update release-of-information (ROI) SOPs and patient-access policies to reflect the designated record set definition.
  2. Map systems beyond the EHR (billing, CRM, care management) to ensure complete responses.
  3. Train ROI staff on exclusions (e.g., psychotherapy notes) and denial pathways.
  4. For value-based care data flows, document treatment purpose, data minimization where possible, and security controls.

Impact & Response

Who’s affected: Patients seeking records; hospital HIM/ROI teams; value-based care networks; app developers aligning to CMS’s ecosystem.

Expected outcome: Faster, more consistent access; fewer disputes over what must be released; clearer legal footing for treatment-related sharing.

Long-term implications: The FAQs, paired with CMS’s interoperability plan, signal tighter federal alignment on access and exchange, as OCR also steps up Security Rule modernization and right-of-access enforcement—pressure that will be felt most by smaller providers.


Background

HIPAA’s right of access has been emphasized repeatedly since the 2019 enforcement initiatives, yet organizations still stumble over the breadth of “designated record sets.” The latest FAQs aim to standardize interpretations while the administration’s interoperability initiative seeks industry commitments for app-based, identity-driven access.


Conclusion

The federal message is consistent: patients should get their data quickly and completely, and providers should share for treatment without undue friction. The new FAQs won’t upend HIPAA, but they should streamline compliance and accelerate the shift to interoperable, patient-centric data exchange.

Sources

  • BankInfoSecurity — “Feds Issue More HIPAA Guidance in Push for Patient Access” (Aug. 13, 2025).
  • HHS OCR — FAQ: Individuals’ Right of Access and the “Designated Record Set.”
  • HHS OCR — FAQ: Disclosing PHI to value-based care participants for treatment.
