On Aug. 11, 2025, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced updates to the Privacy Rule’s frequently asked questions (FAQs). The announcement indicated that the updates were a follow-up to a July 30, 2025 press release from the Centers for Medicare & Medicaid Services (CMS) regarding the development of a digital ecosystem intended to facilitate health care interoperability and better communications between patients and providers, and to enhance timeliness of access to patient information. We held our collective professional breath as these FAQs loaded, clearing our schedules for the anticipated onslaught of questions from clients along the lines of “What does this mean for us?” Once the updates came into view, however, the real question on the health care industry’s lips was more along the lines of “Why did OCR feel the need to clarify these issues?”
OCR’s announcement encompasses both a new FAQ and a minor update to an existing FAQ.
The New FAQ: The new FAQ addresses the permissible disclosure of protected health information (PHI) for treatment activities without a patient’s authorization under 45 C.F.R. § 164.506(c). While the FAQ title includes a clickbait-style reference to value-based care and accountable care organization use cases, the body of the FAQ reaffirms what HIPAA enthusiasts already understand – covered entities are permitted to disclose an individual’s PHI to other health care providers to treat the individual, without the individual’s authorization. The FAQ emphasized that was the case when both the disclosing and receiving providers were members of an accountable care organization. Making that point is like saying that you are legally allowed to enter your house even if you go in through the side door.
The Updated FAQ: OCR made a minor update to an existing FAQ that addresses the definition of a designated record set to which an individual has a right of access under 45 CFR § 164.524. OCR’s update adds “consent forms for treatment” to the definition. The definition of a designated record set includes any documents maintained by the entity and relied on to make decisions about the individual patient. Covered entities certainly rely on consent-for-treatment forms before a provider interacts with and/or provides care of any kind to a patient.
Many covered entities would have appreciated OCR addressing whether it views metadata as part of the designated record set. Covered entities have seen a significant increase in requests for metadata related to electronic health records, with some patients threatening to submit complaints to OCR or even file lawsuits if the entity does not provide the requested metadata. Such data, however, is not relied on by entities to make decisions about patients. Rather, it merely indicates how providers interact with the electronic health record. Perhaps OCR’s next round of FAQs will be more boom than bust.