HIPAA Changes 2025
- Katarzyna Celińska
- Oct 16
- 1 min read
The U.S. Department of Health and Human Services (HHS) has issued new and updated guidance on the HIPAA PrivacyRule, bringing clarity to how protected health information can be disclosed and accessed in today’s interconnected healthcare ecosystem.
Key Changes
1️⃣ Disclosures in Value-Based Care Arrangements
Covered entities can disclose PHI without patient authorization if the disclosure is for treatment activities within value-based care frameworks (e.g., Accountable Care Organizations).
This includes PHI sharing between providers and between health plans and providers, as long as it directly supports treatment.
2️⃣ Expanded Patient Access Rights
Individuals can now request a broader range of health information, including:
- Medical records
- Billing and insurance data
- Clinical lab test reports, X-rays, and wellness program info
- Consent forms for treatment
- Clinical case notes (e.g., SOAP notes)
This update empowers patients with easier, more comprehensive access to their own health information.
3️⃣ Interoperability & Digital Health Ecosystem
The changes align with #CMS efforts to promote interoperability and prevent information blocking.
Tech firms are committing to user-friendly apps and digital tools that allow patients to securely share information and improve care outcomes.
This is a good change. It makes it easier for patients to access and share their health information, ultimately improving care. But it’s also a strong reminder: all organizations in the healthcare supply chain must comply with HIPAA security and privacy rules. This includes not only hospitals and health plans but also Business Associates such as cloud providers, SaaS vendors, and consulting firms. Risk analysis, policies, and safe guards remain essential — similar to GDPR and other global regulations.
Author: Sebastian Burgemejster
Comments