Table of Contents
- What OCR Actually Updated
- Why the Value-Based Care FAQ Matters
- The Bigger Message in the Right-of-Access Update
- Why Compliance Teams Should Pay Attention Right Now
- Do Not Confuse Guidance With a Brand-New Rule
- What Covered Entities and Business Associates Should Do Next
- Final Thoughts
- Real-World Experiences With OCR’s Updated HIPAA Guidance
If HIPAA had a personality, it would probably be the friend who says, “I’m not mad, I just need you to follow the process.” The Office for Civil Rights (OCR) has once again stepped into that role by publishing updated guidance on the HIPAA Privacy Rule. And while this update is not a dramatic Hollywood-style reboot with explosions and ominous violin music, it is a meaningful clarification for health care providers, health plans, business associates, compliance officers, and anyone else whose blood pressure rises at the phrase designated record set.
The latest OCR guidance does two especially important things. First, it clarifies that covered entities may disclose protected health information (PHI) for treatment purposes to participants in value-based care arrangements, such as accountable care organizations, without obtaining a patient’s written authorization. Second, it reinforces a broad interpretation of a patient’s HIPAA right of access, making clear that individuals are entitled to a wide range of records about themselves, including records maintained by business associates and even information that is old, archived, or stored somewhere other than the obvious electronic medical record.
In plain English, OCR is telling the industry two things at once: yes, care coordination can move faster when it is genuinely for treatment, and no, covered entities cannot play hide-and-seek with patient records. For organizations trying to balance privacy, interoperability, compliance, and operational sanity, that is a big deal.
What OCR Actually Updated
The updated guidance centers on HIPAA Privacy Rule FAQs. That sounds modest, but in the regulatory world, FAQs can have real practical force. They do not rewrite the regulation itself, but they tell providers and plans how the federal government expects them to interpret and apply it. Think of it as OCR saying, “Here is what we meant all along, and yes, we are absolutely looking at whether you understood the assignment.”
The first clarification addresses disclosures for treatment within value-based care arrangements. OCR confirmed that the HIPAA Privacy Rule permits a covered entity to disclose PHI for the treatment activities of a health care provider without the individual’s authorization. That includes disclosures to participants in value-based care arrangements, such as accountable care organizations. This matters because coordinated care often involves multiple entities touching the same patient journey: primary care physicians, specialists, hospitals, health plans, care managers, and digital support programs. OCR’s message is that HIPAA should not be misread as a traffic cone in the middle of that road.
The second clarification focuses on the right of access. OCR reaffirmed that individuals have a right to obtain a broad array of information about themselves from their designated record sets. This includes medical records, billing and payment information, insurance records, lab results, medical images, wellness and disease management files, and clinical notes. OCR’s updated materials also make clear that consent forms for treatment can fall within the scope of accessible information. In other words, when a patient asks for records, the answer should not be, “Here is a random slice of the chart and our warmest regards.”
Why the Value-Based Care FAQ Matters
Value-based care has been one of health care’s favorite buzz phrases for years, but underneath the jargon is a pretty simple idea: reward better outcomes instead of just more activity. That model depends on data moving where it needs to go. If providers, plans, and care teams cannot exchange relevant patient information appropriately, then coordinated care becomes a very expensive game of telephone.
OCR’s new FAQ gives covered entities more confidence that HIPAA does not block treatment-related disclosures merely because the arrangement is collaborative, networked, or part of a larger care model. If the disclosure is for the treatment activities of a health care provider, OCR is signaling that the Privacy Rule generally allows it without individual authorization. That can support referrals, consultations, handoffs, care coordination, and other interactions that make value-based models work in real life rather than just in conference slides.
This is especially important in the broader federal push toward a more connected digital health ecosystem. CMS and other federal actors have been pushing for better interoperability, patient-centered data mobility, and value-driven care. OCR’s FAQ fits neatly into that picture. It is not a free-for-all, and it does not erase the need for safeguards, role-based access, or sound policies. But it does remove a common excuse for overcautious data paralysis.
That is a welcome development for providers that have sometimes treated HIPAA like a universal “no” button. HIPAA is a privacy rule, yes, but it is also built to allow the flow of health information needed for quality care. OCR’s latest guidance is basically the legal equivalent of saying, “Please stop acting like coordinated treatment is contraband.”
The Bigger Message in the Right-of-Access Update
If the value-based care FAQ is the green light for appropriate treatment disclosures, the access guidance is the stern reminder that patients are not guests in their own records. OCR has repeatedly emphasized that the HIPAA Privacy Rule gives individuals a legal, enforceable right to access PHI in one or more designated record sets maintained by or for covered entities. That right is broad, and OCR is not in a mood to let organizations shrink it with clever filing systems, technical excuses, or selective memory.
Several practical points stand out.
1. The designated record set is broader than many organizations assume.
It is not limited to the neat little packet that lives in the core electronic medical record. Designated record sets can include billing files, claims information, enrollment records, case management files, laboratory data, images, and other records used to make decisions about the individual. If the information helps shape a decision about the patient, chances are it deserves serious review before being excluded from an access response.
2. Old records still count.
OCR makes clear that the age of the information does not eliminate the patient’s access right. Archived records, remote storage, and older data are still part of the analysis. Dust does not destroy legal obligations.
3. Business associates do not make records disappear.
If a business associate maintains PHI in a designated record set on behalf of a covered entity, the covered entity remains responsible for ensuring access. Outsourcing storage or data management does not outsource accountability. That means contracts, workflows, and response procedures all need to work together before the patient request arrives, not three weeks later when everyone starts searching old email threads in a mild panic.
4. There are exceptions, but they are limited.
HIPAA does not require access to everything under the sun. Psychotherapy notes maintained separately from the rest of the medical record remain excluded, and information compiled in reasonable anticipation of litigation is also treated differently. Certain internal quality assessment or business planning records may fall outside the designated record set if they are not used to make decisions about the individual. But those exceptions are not blanket permission to hold back underlying PHI that is part of the designated record set.
Why Compliance Teams Should Pay Attention Right Now
OCR’s guidance lands in an environment where privacy compliance is not theoretical. Enforcement remains active, particularly around patient access and operational failures. OCR has continued to bring actions against entities that do not respond properly or on time to medical records requests. The lesson is not subtle: a right on paper is expected to function in practice.
For health care organizations, the updated guidance means policy language, training materials, and workflows may need a tune-up. Staff who handle treatment disclosures should understand when PHI can be shared within value-based arrangements without authorization. Staff who process access requests should understand that the patient’s right is broader than the face sheet, discharge summary, and one lonely PDF somebody finds first.
Technology teams should pay attention too. A legal right is only as good as the organization’s ability to retrieve and produce the information. If records are spread across an EHR, imaging archive, claims system, patient portal, population health tool, and a vendor-hosted document repository, then the access process needs to reflect that reality. OCR’s guidance makes it harder to pretend the only records that matter are the ones sitting in the most convenient folder.
Do Not Confuse Guidance With a Brand-New Rule
One of the trickiest parts of HIPAA compliance is separating actual rule changes from guidance clarifications. OCR’s FAQ updates did not create a brand-new Privacy Rule. Instead, they explain how OCR reads the existing framework. That distinction matters because organizations should not panic and behave as though the sky has fallen into the compliance manual. But they also should not shrug and assume nothing changed. Guidance can still alter risk, enforcement posture, and day-to-day expectations.
This point is especially important because the broader HIPAA privacy landscape has been busy. The 2024 final rule on reproductive health care privacy created additional protections for certain PHI disclosures, but most of that rule was later vacated by a federal court in June 2025. At the same time, some Notice of Privacy Practices updates tied to the rule and to 42 CFR Part 2 alignment remained relevant, and OCR released revised model notices in February 2026. Translation: the legal backdrop is moving, and organizations that rely on old summaries are asking for trouble.
That broader context makes OCR’s FAQ strategy even more interesting. Rather than waiting for a giant all-in-one privacy rewrite, OCR is using guidance to sharpen how the current rule should be applied now. For regulated entities, that means the safest move is not to wait for a mythical future moment when compliance becomes simpler and everybody suddenly agrees on everything. That day is not on the calendar.
What Covered Entities and Business Associates Should Do Next
Review treatment-disclosure policies.
Policies should reflect that PHI may be disclosed for treatment activities within legitimate value-based care arrangements without patient authorization, while still requiring appropriate safeguards and role-based judgment.
Map the full designated record set.
If the organization cannot clearly identify what records are used to make decisions about individuals, it is not really ready to respond to access requests. A designated record set inventory is no longer optional in spirit, even if some organizations still act like it is.
Test your access workflow.
Run a mock patient request. See how long it takes to collect records from multiple systems, including vendor-managed repositories. If the process feels like assembling a spaceship with a butter knife, improvements are overdue.
Update business associate arrangements.
Contracts and operational procedures should support timely access when the business associate maintains responsive PHI. Finger-pointing is not a compliance framework.
Refresh staff training.
Front-line staff, health information management teams, legal counsel, privacy officers, and IT personnel all need to understand the updated guidance in practical terms. The best policy in the world does very little if the person answering the patient request still says, “We do not release that kind of record,” when the law says otherwise.
Final Thoughts
OCR’s updated HIPAA Privacy Rule guidance may look like a modest FAQ refresh, but it delivers a sharper message than its format suggests. For treatment, OCR is clearing space for appropriate information sharing in value-based care. For patient access, OCR is reminding organizations that the right of access is broad, enforceable, and not limited to whatever is easiest to print on a Tuesday afternoon.
The practical takeaway is simple. HIPAA compliance in 2026 is not just about avoiding breaches or posting a notice on the wall. It is about building systems and habits that allow lawful data sharing for care while also giving patients meaningful access to their own information. Organizations that understand both sides of that balance will be in a much better position than those still treating HIPAA as either a magical barrier or a dusty binder on a shelf.
In other words, OCR has updated the guidance, and the subtext is clear: coordinate care intelligently, honor access rights completely, and stop pretending the patient record ends where your convenience begins.
Real-World Experiences With OCR’s Updated HIPAA Guidance
In real-world health care settings, OCR’s updated guidance feels less like abstract policy and more like a mirror held up to everyday operations. Compliance officers often say the hardest part of HIPAA is not understanding the regulation in theory; it is getting busy departments to apply it consistently when the phones are ringing, the portal is down, and someone is asking for records “as soon as humanly possible,” which usually means five minutes ago.
Take the experience of many mid-sized provider groups that participate in value-based care programs. Before OCR’s FAQ, teams sometimes hesitated to share PHI with care coordination partners even when the disclosure was clearly connected to treatment. Privacy staff worried about over-disclosure, operations staff worried about slowing patient care, and clinicians wondered why a useful referral workflow suddenly felt like an escape room challenge. The updated FAQ gives those organizations something they badly needed: clearer federal language they can point to when building practical workflows. It does not eliminate judgment calls, but it reduces the tendency to overcorrect and block lawful treatment communications out of fear.
On the patient access side, the lived experience is often even more revealing. Many organizations discover, sometimes painfully, that their “records request process” is really just a patchwork of habits. One department releases chart notes, another sends billing records only if someone asks twice, and a third quietly forgets that images, archived files, or vendor-held data exist at all. OCR’s access guidance forces a more mature approach. Health information management teams are increasingly realizing that a patient’s request is not a scavenger hunt. If the organization uses data to make decisions about the individual, that data needs to be identified, tracked, and produced when required.
Patients feel this difference immediately. When access works well, the experience is empowering. People can move to a new specialist faster, understand their own treatment history more clearly, challenge inaccuracies, and coordinate care for family members without unnecessary delays. When access works badly, frustration builds fast. Patients do not care that one vendor hosts the archive, another runs imaging, and a third controls a portal export function. To them, it is all one health care system. OCR’s guidance reflects that reality.
Business associates are having their own learning moment too. Vendors that store, process, or manage PHI are being pulled more directly into access planning, not because the law suddenly changed overnight, but because OCR’s message is harder to ignore. Covered entities are asking sharper contract questions, requesting clearer turnaround expectations, and paying more attention to whether vendors can support access rights in practice instead of just nodding politely during onboarding.
The most useful experience-based lesson is this: organizations that treat OCR guidance as an operational document do better than organizations that treat it as a legal memo. The winners are the ones that translate federal language into checklists, response timelines, staff scripts, and tested workflows. Everyone else eventually learns the same lesson the hard way, usually with more email, more meetings, and much less joy.