OCR Publishes New FAQ on Disclosures of PHI to Value-Based Care Arrangements
The HHS’ Office for Civil Rights (OCR) has published a new FAQ on the HIPAA Privacy Rule and disclosures of protected health information (PHI) to accountable care organizations and other value-based care arrangements.
Under the value-based care model, healthcare providers are compensated based on patient health outcomes, rather than the volume of services they deliver, as is the case under the fee-for-service model. The fee-for-service model is wasteful, as it creates an incentive for providing unnecessary care, which increases the cost of healthcare for patients and federal healthcare programs such as Medicare. The Medicare Shared Savings Program (MSSP) and Medicare Advantage are two examples of programs that operate under the value-based care model.
In late July 2025, the HHS’ Centers for Medicare and Medicaid Services (CMS) issued an update on the progress being made toward a new patient-centric, digital health ecosystem that supports value-based care and will improve patient outcomes, reduce provider burden, and drive better value. The new FAQ provides HIPAA-regulated entities with clarity on how the HIPAA Privacy Rule applies to disclosures of PHI to value-based care arrangements for treatment purposes.
The new FAQ explains that disclosures of PHI to value-based care arrangements, such as accountable care organizations, for treatment purposes are permitted by the HIPAA Privacy Rule without an individual’s authorization. These disclosures fit within the HIPAA regulatory framework as the disclosures are for treatment purposes, which are generally allowed by the HIPAA Privacy Rule.
The HIPAA Privacy Rule defines treatment as “the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.” That definition covers disclosures to value-based care arrangements for treatment purposes. OCR confirmed that “a covered entity is permitted to disclose PHI, regardless of to whom the disclosure is made, where the disclosure is made for the treatment activities of a health care provider.”
An individual’s authorization is not required before a disclosure of PHI for treatment purposes by a healthcare provider to another healthcare provider, when both are treating an individual under a value-based care arrangement. Similarly, health plans may disclose PHI to a healthcare provider to allow the healthcare provider to treat a patient as part of a value-based care arrangement. OCR explained that HIPAA-regulated entities are permitted to obtain an individual’s consent for such disclosures, should they so wish.
OCR has also updated its “What personal health information do individuals have a right under HIPAA to access from their health care providers and health plans?” FAQ, adding “consent forms for treatment” to the types of information contained in a designated record set that individuals have a right to access, if they so require.
