HHS prioritizes patient-centric healthcare, enhancing interoperability and access to health information while addressing privacy concerns and technology disparities.
Rachel V. Rose, JD, MBA
The end of summer has been busy for the U.S. Department of Health and Human Service (HHS). First, on July 30, 2025, HHS (through the Centers for Medicare and Medicaid Services (CMS)) announced that the creation patient-centric healthcare ecosystem is a priority. It appears to be a public-private initiative with tech and healthcare companies working on interoperability and user-friendly apps. Two notable items in the CMS press release follow:
The Administration’s efforts focus on two broad areas: promoting a CMS Interoperability Framework to easily and seamlessly share information between patients and providers, and increasing the availability of personalized tools so that patients have the information and resources they need to make better health decisions.
“The Office of Civil Rights (OCR) supports actions that improve the timeliness in providing individuals with access to their electronic protected health information, without sacrificing health information privacy and security,” said OCR Director Paula M. Stannard. “If an individual receives another individual’s electronic protected health information in error, generally, OCR’s primary HIPAA enforcement interests are ensuring that the affected individual and HHS receive timely HIPAA breach notification.”
The focus on patient-centered care is not new. One of the primary objectives of the Affordable Care Act (ACA) was to refine health care delivery through patient-centered care and tie it to funding. Technology has evolved significantly since 2010, as well as some patient populations increased adoption of smartphone and tablet technology. I say “some patients” because not all patients have a smart phone or a tablet or it may be outdated and unable to support the requirements of new technology. This is an issue that covered entities, especially providers, need to appreciate and ask about because it could tie back to patient care on top of potential HIPAA violations for not providing medical records within the 30-day (that may be extended to 60-days in some circumstances) prescribed period.
Second, HHS – Office for Civil Rights released two FAQs, which serve to clarify rights and responsibilities. The first FAQ, addresses a Privacy Rule issue related to disclosing patient information for diagnostic, treatment or financial purpose to value-based arrangements, including accountable care organizations (ACOs), which are another ACA creation. Two treatment examples that the FAQ provides are as follows:
A covered health care provider may disclose PHI for the treatment activities of another health care provider without the individual’s authorization where both providers are treating the individual through a value-based care arrangement (e.g., an accountable care organization).
A health plan may disclose PHI to a health care provider without the individual’s authorization to enable the health care provider to provide treatment as part of a value-based care arrangement.
What is notably absent is the express mention of value-based enterprises (VBEs), which came on the scene in late-2020 and were effective January 19, 2021, as part of the new Anti-Kickback Statute and Stark Law safe harbors/exceptions. There are differences between the AKS and Stark Law requirements, which should be read closely.
The second FAQ addresses the types of information that patients can access pursuant to the HIPAA Privacy Rule from their health care providers and health plans. Three key areas of emphasis in this FAQ are as follows:
In sum, the FAQs are a good review and may be used to refine existing policies and procedures for existing covered entities. As for the interoperability and patient access initiatives announced by CMS, there is a lot of complexity that covered entities and business associates alike need to understand and appreciate that not all patients will have electronic access for a variety of reasons.
Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.
Optimize your practice with the Physicians Practice newsletter, offering management pearls, leadership tips, and business strategies tailored for practice administrators and physicians of any specialty.