HIPAA 2025: PHI Sharing & Right of Access

Medical Records rules under HIPAA

The HIPAA rules on PHI sharing and the right of access just became easier to follow. On August 11, 2025, OCR updated its FAQs to help care teams share data for treatment and honor patient access rights. These changes also support CMS’s new digital health ecosystem initiative announced in July 2025. This post connects the rules to real-world tasks with plain language, practical examples, and clear steps.

Key Updates at a Glance

  1. PHI Sharing for Value-Based Care — No Authorization Needed

You may disclose PHI for treatment without getting patient authorization. This now explicitly includes sharing with value-based groups, such as ACOs. This is a major compliance relief for care teams.

     Example:

  • A PCP adjusts insulin for a patient with diabetes. The ACO pharmacist and dietitian treat the same patient. You can send labs and notes to those treating providers—no authorization required.
  • A health plan sees a recent CT result in claims data and sends it to the ACO surgeon treating the patient. This supports treatment and does not require patient consent.

     Real-World Impact:

  • Before: Nurses and care managers chased authorizations to share data with ACO partners.
  • After: Now, they can share directly, speeding up care and improving outcomes.

  2. What Counts as “Treatment”?

“Treatment” is broad—it covers providing, coordinating, or managing care, including consultations and referrals between treating providers. If your goal is to help the patient get the right care, it’s treatment.

     Quick Reference Examples:

  • A PCP shares labs with an ACO dietitian.
  • A health plan sends imaging to a surgeon.
  • A pharmacist updates the care team about medication changes.

  3. Minimum Necessary Rule: Treatment Exemption

The minimum necessary standard does NOT apply to disclosures for treatment. Provider-to-provider sharing for treatment is exempt from this rule. However, always share thoughtfully—send only what the receiving provider needs for care. Train this habit into daily workflows.

     Quick “Do/Don’t” Table:

  • Do: Share complete notes if they’re needed for ongoing care.
  • Don’t: Send the entire medical record if only labs are needed.

For non-treatment uses, the minimum necessary rule does apply. Limit PHI to the smallest amount needed for the job, and use role-based access and checks to support this.

  4. Designated Record Set (DRS) and Right of Access

The DRS includes all records a provider or plan uses to make decisions about a person. This means:

  • Medical and billing records for providers
  • Enrollment, payment, claims, and case management for plans
  • Any other decision-making records about the individual

     Exclusions:

  • Separate psychotherapy notes
  • Documents created only for legal actions (but related clinical PHI may still be in the DRS)

Right of Access: Patients have a broad right to access PHI in the DRS—including PHI your business associates hold. This means visit notes, labs, images, billing, and plan data used for decisions.

FAQ Quick Hits:

  • Do I have to send PHI from my billing vendor? Yes.
  • Do I have to include draft notes? If they’re used for decisions, yes.

Format and Timelines: Provide records in the form and format requested by the patient, when feasible, and meet HIPAA’s deadlines. Train front-line staff to explain options and set expectations.
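As an added illustration (not code from this post, from OCR or CMS, or from Taino Consultants or EPICompliance), the Python sketch below shows how the two rules above can be enforced inside an application: the treatment exemption from minimum necessary (section 3), the role-based filter for non-treatment requests, and a DRS view for fulfilling right-of-access requests that drops the two exclusions named in section 4. The sample record, the category names, the role map, and the audit-entry shape are all assumptions made for the example.

```python
"""Purpose- and role-aware PHI disclosure checks (illustrative example only)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample record keyed by record category; names and values are
# invented for this example and do not come from any real system.
SAMPLE_RECORD = {
    "demographics": {"name": "Test Patient", "dob": "1970-01-01"},
    "labs": [{"test": "HbA1c", "value": 8.2, "unit": "%"}],
    "visit_notes": ["Insulin dose adjusted; follow up in 2 weeks."],
    "imaging": ["CT abdomen 2025-07-30: report attached."],
    "billing": {"claim_id": "CLM-EXAMPLE-1", "amount": 120.0},
    "psychotherapy_notes": ["Kept separately by the therapist."],
    "litigation_work_product": ["Counsel memo, not used for care decisions."],
}

# DRS exclusions named in the post: separately kept psychotherapy notes and
# documents created only for legal actions.
DRS_EXCLUSIONS = {"psychotherapy_notes", "litigation_work_product"}

# Psychotherapy notes need a separate patient authorization for nearly every
# disclosure, treatment included (45 CFR 164.508(a)(2)); this example never
# releases them automatically on either path.
AUTHORIZATION_REQUIRED = {"psychotherapy_notes"}

# Hypothetical role -> categories permitted for NON-treatment purposes
# (the minimum-necessary, role-based access the post recommends).
ROLE_CATEGORIES = {
    "billing_clerk": {"demographics", "billing"},
    "quality_analyst": {"labs"},
}


@dataclass(frozen=True)
class DisclosureRequest:
    requester_role: str          # e.g. "aco_dietitian", "billing_clerk"
    purpose: str                 # "treatment" or a non-treatment purpose
    categories: frozenset[str]   # record categories the requester asked for


def filter_for_disclosure(record: dict, req: DisclosureRequest) -> tuple[dict, str]:
    """Return (categories to release, short rationale for the audit log)."""
    requested = (set(req.categories) & set(record)) - AUTHORIZATION_REQUIRED
    if req.purpose == "treatment":
        # Minimum necessary does not apply to treatment disclosures; the
        # post still asks that only what the treating provider needs be sent,
        # so release exactly the categories requested, not the whole record.
        allowed = requested
        rationale = "treatment: minimum-necessary exemption applied"
    else:
        permitted = ROLE_CATEGORIES.get(req.requester_role, set())
        allowed = requested & permitted
        rationale = (
            f"non-treatment: role {req.requester_role!r} limited to "
            f"{sorted(permitted)}"
        )
    return {k: record[k] for k in sorted(allowed)}, rationale


def designated_record_set(record: dict) -> dict:
    """Everything used to make decisions about the patient, minus exclusions.

    This is the view a right-of-access request is fulfilled from.
    """
    return {k: v for k, v in record.items() if k not in DRS_EXCLUSIONS}


def audit_entry(req: DisclosureRequest, released: dict, rationale: str) -> dict:
    """Build one log record so each disclosure decision can be reviewed later."""
    return {
        "at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "role": req.requester_role,
        "purpose": req.purpose,
        "requested": sorted(req.categories),
        "released": sorted(released),
        "rationale": rationale,
    }


if __name__ == "__main__":
    # Treating provider in the ACO: exempt from minimum necessary, but
    # psychotherapy notes still stay behind.
    dietitian = DisclosureRequest(
        "aco_dietitian", "treatment",
        frozenset({"labs", "visit_notes", "psychotherapy_notes"}),
    )
    released, why = filter_for_disclosure(SAMPLE_RECORD, dietitian)
    print(audit_entry(dietitian, released, why))

    # Billing clerk asking for labs as well: role filter trims the request.
    clerk = DisclosureRequest(
        "billing_clerk", "billing", frozenset({"demographics", "billing", "labs"})
    )
    released, why = filter_for_disclosure(SAMPLE_RECORD, clerk)
    print(audit_entry(clerk, released, why))

    print(sorted(designated_record_set(SAMPLE_RECORD)))
```

The two branches make the policy split visible in code: a treatment request releases what was asked for, a non-treatment request is intersected with the requester's role, and an unknown role releases nothing. Logging the rationale with each decision is what makes the post's "review logs regularly" step practical.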

  5. Aligning with CMS’s Digital Health Push

These new FAQs are part of CMS’s July 2025 vision for a patient-centered digital health ecosystem—with better tools, lower burden, and stronger outcomes through trusted data exchange. Clear HIPAA guidance helps teams share confidently and efficiently within this future-focused system.

What To Do Now: Action Steps

  1. Map Your Value-Based Arrangements: List all treating providers in each arrangement. Confirm each recipient’s role and document PHI movement for treatment. Use the new OCR FAQ as your training anchor.
  2. Inventory Your DRS Sources: Include EHR, imaging, labs, billing, and plan systems—don’t forget PHI held by business associates. Build a Right of Access checklist and assign one owner to track due dates.
  3. Tune Your Minimum Necessary Policy: Make the treatment exemption clear in your SOPs. Set role-based access for non-treatment tasks, review logs regularly, and retrain as needed.

Why This Matters to Your Daily Work

The 2025 guidance on PHI sharing and the right of access helps real teams move faster:

  • Nurses coordinate discharges without extra forms.
  • Care managers loop in pharmacists with the right details.
  • Front desk staff fulfill access requests with fewer delays.

These small wins add up for patients and staff.

Need Help? Taino Consultants and EPICompliance Can Assist

  • Taino Consultants: Can diagram your value-based data flows and refresh your business associate agreements.
  • EPICompliance: Can install a clean Right of Access workflow, with training and logs.

Both focus on simple steps your staff can use the same day.

Frequently Asked Questions

Q: What if a patient requests data in a format we don’t use?
A: Provide it in the requested format if feasible. If not, offer alternatives and document your efforts.

Q: Can we charge fees for access?
A: Yes, but only reasonable, cost-based fees as defined by HIPAA.

Q: How do we handle hybrid provider/plan roles?
A: Apply the DRS and right of access rules to all records used for decision-making, regardless of your role.

Closing Note

When work grows complex, trusted tools help. Many readers keep EPICompliance and Taino Consultants in their bookmarks, so policy turns into practice—without drama.