The Washington Report
September 24, 2025
While we do our best to provide timely updates, it is possible that the information shared in the newsletter may change after our publication deadline.
Health
Updated HIPAA FAQ Guidance Issued by HHS
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) released updated Frequently Asked Question (FAQ) guidance on individuals’ rights to access their protected health information (PHI) held by their health care providers and group health plans (see (a) below for details). An additional FAQ was issued on the disclosure of PHI to participants in value-based care arrangements, such as accountable care organizations, without the individual’s authorization (see (b) below for details). Employer-sponsored group health plans should review their HIPAA policies and procedures for compliance with OCR’s latest FAQ guidance.
(a) FAQ on individuals’ right to PHI access: The HIPAA Privacy Rule gives individuals the right to request and obtain access to their PHI in designated record sets, which are maintained by or for health care providers and group health plans (i.e., HIPAA “covered entities”) to make decisions about individuals. These include medical records, billing records, payment and claims records, health plan enrollment records, and case management records. Conversely, individuals do not have a right to access PHI that is not part of a designated record set. This can include certain quality assessment or improvement records; patient safety activity records; or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals. For example, peer review files, practitioner or provider performance evaluations, quality-control records used to improve customer service, and formulary development records may be generated from and include an individual’s PHI but may not be in the covered entity’s designated record set(s) to which the individual has access. However, the underlying PHI from the individual’s medical or payment records used to generate such information remains part of the designated record set and subject to access by the individual.
(b) FAQ on value-based care arrangements and disclosure of PHI: Under the HIPAA Privacy Rule, a covered entity may use or disclose an individual’s PHI for its own treatment activities without the individual’s authorization. The rule also generally permits PHI to be disclosed for the treatment purposes of another health care provider; this includes disclosures to participants in value-based care arrangements, such as accountable care organizations. Because the definition of “treatment” contemplates coordination among more than one entity, a covered entity is permitted to disclose PHI, whoever the recipient is, when the disclosure is made for the treatment activities of a health care provider. For example, a health plan may disclose PHI to a health care provider without the individual’s authorization to enable that provider to furnish treatment as part of a value-based care arrangement.
Resources
The updated HIPAA FAQ guidance is available here and here.