Office for Civil Rights Clarifies HIPAA Privacy Rule for Value-Based Care

By Lee Kim JD CISSP CIPP/US, Senior Principal, Cybersecurity and Privacy, HIMSS

Under the HIPAA Privacy Rule, healthcare providers may disclose protected health information to participants in value-based care arrangements, such as accountable care organizations, for treatment purposes without needing a HIPAA authorization, according to a new Frequently Asked Question published Aug. 11 by the U.S. Department of Health and Human Services Office for Civil Rights.

Key Takeaways

  • Date of guidance: OCR published this FAQ on Aug. 11, 2025.
  • Permitted protected health information disclosures: A covered entity, such as a healthcare provider or health plan, may disclose PHI in value-based arrangements for treatment purposes without needing to have a HIPAA patient authorization.
  • Broader context: The clarification complements CMS’s July 30 digital health ecosystem initiative.
  • Enhanced interoperability: The update accelerates appropriate PHI exchange to support patient-centered, value-based care.


What the Office for Civil Rights FAQ Says

Does the HIPAA Privacy Rule permit a covered health care provider to disclose protected health information to value-based care arrangements, such as accountable care organizations, for treatment purposes without the individual’s authorization?

Yes, the Privacy Rule permits a covered entity to disclose protected health information for the treatment activities of a health care provider without an individual’s authorization. According to 45 C.F.R. § 164.506(c)(2), “A covered entity may disclose protected health information for treatment activities of a health care provider.” The Privacy Rule generally allows protected health information to be used or disclosed without restriction for treatment purposes. This includes disclosures of protected health information to participants in value-based care arrangements, such as accountable care organizations.

According to 45 C.F.R. § 164.501, “treatment” is defined as the “provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.”

This definition incorporates the necessary interaction of more than one entity. As a result, a covered entity is permitted to disclose the protected health information, regardless of to whom the disclosure is made, as long as the disclosure is made for the treatment activities of a health care provider.

Examples from OCR:

  1. A covered health care provider may disclose protected health information for the treatment activities of another health care provider without the individual’s authorization where both providers are treating the individual through a value-based care arrangement (e.g., an accountable care organization).
  2. A health plan may disclose protected health information to a health care provider without the individual’s authorization to enable the health care provider to provide treatment as part of a value-based care arrangement.


While authorization is not required for these disclosures, OCR notes that covered entities may, if they wish, obtain patient consent, but this is optional and different from a HIPAA authorization.

Why Now?

This clarification aligns with the Centers for Medicare & Medicaid Services (CMS) initiative announced July 30 during a White House event highlighting efforts to advance a patient-centric, digital health care ecosystem. CMS introduced a voluntary Interoperability Framework to improve secure data exchange and empower patients, backed by commitments from major healthcare and technology organizations.


Enhanced Interoperability

OCR’s clarification helps to promote interoperability, resulting in positive impacts for those participating in value-based care arrangements (such as accountable care organizations).

  • Less friction in care coordination
  • Faster data exchange across organizations
  • Stronger collaboration between providers and plans
  • The potential for improved patient outcomes through timely and expedient information sharing