HHS HIPAA updates

HHS prioritizes patient-centric healthcare, enhancing interoperability and access to health information while addressing privacy concerns and technology disparities.

Rachel V. Rose, JD, MBA

The end of summer has been busy for the U.S. Department of Health and Human Services (HHS). First, on July 30, 2025, HHS (through the Centers for Medicare & Medicaid Services (CMS)) announced that the creation of a patient-centric healthcare ecosystem is a priority. It appears to be a public-private initiative, with tech and healthcare companies working on interoperability and user-friendly apps. Two notable items from the CMS press release follow:

The Administration’s efforts focus on two broad areas: promoting a CMS Interoperability Framework to easily and seamlessly share information between patients and providers, and increasing the availability of personalized tools so that patients have the information and resources they need to make better health decisions.

“The Office of Civil Rights (OCR) supports actions that improve the timeliness in providing individuals with access to their electronic protected health information, without sacrificing health information privacy and security,” said OCR Director Paula M. Stannard. “If an individual receives another individual’s electronic protected health information in error, generally, OCR’s primary HIPAA enforcement interests are ensuring that the affected individual and HHS receive timely HIPAA breach notification.”

The focus on patient-centered care is not new. One of the primary objectives of the Affordable Care Act (ACA) was to refine health care delivery through patient-centered care and tie it to funding. Technology has evolved significantly since 2010, and some patient populations have increased their adoption of smartphones and tablets. I say "some patients" because not all patients have a smartphone or a tablet, or the device they have may be outdated and unable to support the requirements of new technology. This is an issue that covered entities, especially providers, need to appreciate and ask about, because it ties back to patient care and, on top of that, to potential HIPAA violations for not providing medical records within the prescribed 30-day period (which may be extended to 60 days in some circumstances).

Second, the HHS Office for Civil Rights (OCR) released two FAQs, which serve to clarify rights and responsibilities. The first FAQ addresses a Privacy Rule issue: disclosing patient information for diagnostic, treatment, or financial purposes within value-based care arrangements, including accountable care organizations (ACOs), which are another ACA creation. Two treatment examples that the FAQ provides are as follows:

  • A covered health care provider may disclose PHI for the treatment activities of another health care provider without the individual’s authorization where both providers are treating the individual through a value-based care arrangement (e.g., an accountable care organization).
  • A health plan may disclose PHI to a health care provider without the individual’s authorization to enable the health care provider to provide treatment as part of a value-based care arrangement.

What is notably absent is any express mention of value-based enterprises (VBEs), which came on the scene in late 2020 and became effective January 19, 2021, as part of the new Anti-Kickback Statute (AKS) safe harbors and Stark Law exceptions. There are differences between the AKS and Stark Law requirements, which should be read closely.

The second FAQ addresses the types of information that patients can access pursuant to the HIPAA Privacy Rule from their health care providers and health plans. Three key areas of emphasis in this FAQ are as follows:

  • With limited exceptions, the HIPAA Privacy Rule gives individuals the right to access, upon request, the medical and health information (protected health information or PHI) about them in one or more designated record sets maintained by or for the individuals’ health care providers and health plans (HIPAA covered entities). See 45 CFR 164.524. Designated record sets include medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals. See 45 CFR 164.501.
  • Individuals do not have a right to access PHI about them that is not part of a designated record set because this information is not used to make decisions about individuals. This may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals. For example, peer review files, practitioner or provider performance evaluations, quality control records used to improve customer service, and formulary development records may be generated from and include an individual’s PHI but may not be in the covered entity’s designated record set(s) to which the individual has access. However, the underlying PHI from the individual’s medical or payment records used to generate such information remains part of the designated record set and subject to access by the individual.
  • Individuals also do not have a right to access the psychotherapy notes that a mental health professional maintains separately from the individual’s medical record and that document or analyze the contents of a counseling session with the individual.

In sum, the FAQs are a good review and may be used to refine the existing policies and procedures of covered entities. As for the interoperability and patient access initiatives announced by CMS, there is a lot of complexity that covered entities and business associates alike need to understand, and they need to appreciate that not all patients will have electronic access, for a variety of reasons.


Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.

© 2025 MJH Life Sciences