OCR Publishes New and Updated HIPAA Privacy Rule Guidance – The HIPAA Journal
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published new and updated guidance on certain aspects of the HIPAA Privacy Rule, adding a new FAQ on permitted disclosures of PHI to value-based care arrangements and updating an FAQ on the types of personal health information that individuals can request access to.
The new FAQ relates to disclosures to value-based care arrangements, such as accountable care organizations, for treatment purposes and follows an announcement by the HHS Centers for Medicare and Medicaid Services (CMS) about the steps being taken to improve interoperability and prevent information blocking. At a White House event on July 30, 2025, the Trump Administration explained that commitments had been obtained from several tech firms to work on interoperability and user-friendly apps that empower patients to improve their outcomes and their healthcare experience through seamless sharing of information between patients and providers.
At the event, the CMS unveiled voluntary criteria for trusted, patient-centered, and practical data exchange that will be accessible for all network types—health information networks and exchanges, Electronic Health Records (EHR), and tech platforms. The plan is to create a digital health care ecosystem that will improve patient outcomes, reduce provider burden, and drive value.
The new FAQ explains that “The Privacy Rule generally allows PHI to be used or disclosed without restriction for treatment purposes. This includes disclosures of PHI to participants in value-based care arrangements, such as accountable care organizations.” The FAQ goes on to explain that, “The definition [of treatment] incorporates the necessary interaction of more than one entity. As a result, a covered entity is permitted to disclose PHI, regardless of to whom the disclosure is made, where the disclosure is made for the treatment activities of a health care provider.”
This means a patient is not required to give authorization before a covered healthcare provider can disclose PHI for the treatment activities of another healthcare provider, as long as both providers are treating the individual through a value-based care arrangement, such as an accountable care organization. The same applies to disclosures of PHI by health plans to healthcare providers, provided the disclosure enables the healthcare provider to deliver treatment as part of a value-based care arrangement.
Updated Guidance on Access to Personal Health Information
Under HIPAA, individuals have certain rights over their health records, including the right to obtain a copy of their records (in one or more designated record sets) and request changes to correct inaccuracies. The FAQ on the types of personal health information that individuals can access has been updated to include consent forms for treatment.
Per the updated FAQ, “Individuals have a right to access a broad array of health information about themselves, whether maintained by a covered entity or by a business associate on the covered entity’s behalf, including medical records, billing and payment records, insurance information, clinical laboratory test reports, X-rays, wellness and disease management program information, consent forms for treatment, and notes (such as clinical case notes or “SOAP” notes (a method of making notes in a patient’s chart)).”
The post OCR Publishes New and Updated HIPAA Privacy Rule Guidance appeared first on The HIPAA Journal.
Data Breaches Announced by Doctors’ Memorial & Sabine County Hospitals – The HIPAA Journal
Data breaches have been announced by Doctors’ Memorial Hospital in Florida, Sabine County Hospital in Texas, Compass Counseling Services in Florida, and Precision Endodontics of Raleigh in North Carolina.
Doctors’ Memorial Hospital, Florida
Doctors’ Memorial Hospital in Florida has recently confirmed that it was affected by the data breach at the debt recovery firm Nationwide Recovery Service (NRS) last year. An unauthorized third party accessed the NRS information technology network between July 5, 2024, and July 11, 2024, and copied files and folders from its systems. The review of the compromised data was completed in February 2025. Based on data breach reports submitted by the affected entities, more than 543,000 individuals were affected.
Doctors’ Memorial Hospital said it only learned about the data breach on February 7, 2025, 7 months after the attack occurred, and was informed at the time that NRS would take full responsibility for issuing notification letters to the affected individuals. NRS later changed its position and refused to issue notifications. It took NRS until May 27, 2025, to provide Doctors’ Memorial Hospital with a list of the affected patients. The list has been verified, and Doctors’ Memorial Hospital is sending notification letters to the affected individuals.
The data breach has been reported to the HHS’ Office for Civil Rights as affecting 500 individuals. The total will be amended when all notifications have been issued. Doctors’ Memorial Hospital said the data compromised in the incident included names, dates of birth, financial account numbers, Social Security numbers, and medical information.
Sabine County Hospital, Texas
Sabine County Hospital (SCH) in Hemphill, Texas, has identified unauthorized access to an employee’s email account. The incident was detected on February 12, 2025, and access to the account was immediately blocked. An investigation was launched to determine the nature and scope of the incident, and the account was reviewed to determine if it contained any patient information.
The account audit was time-consuming and has only recently been completed. The review confirmed that patient information contained in internal logs and reports may have been viewed or obtained. For most of the affected patients, the information compromised in the incident was limited to name, date(s) of service, and the service(s) received. For some patients, more detailed demographic information was involved, such as address, date of birth, and gender, along with clinical information such as symptoms and diagnosis. For a small subset of the affected individuals, more detailed clinical information was involved, such as test results, treatment information, financial information, Social Security number, Medicare number, insurance information, and payment information.
While information was exposed, the primary purpose of the attack was to get a fraudulent invoice paid, which was sent from the compromised account to the hospital. “Phishing incidents, like the one that occurred at SCH, are becoming increasingly common, and more sophisticated,” said SCH spokesperson Kaylee McDaniels. “We are very sorry this occurred and will continue to educate our staff about the dangers, and steps they should take to avoid becoming a victim.”
Compass Counseling Services, Florida
Compass Counseling Services, in Orlando, Florida, has recently announced a hacking incident that was detected on November 20, 2024. The intrusion was rapidly contained, and an investigation was launched to determine the nature and scope of the unauthorized activity. Following an extensive forensic investigation, Compass discovered on February 2, 2025, that there had been unauthorized access to files containing patient information between November 19, 2024, and November 21, 2024.
The file review has recently been completed and confirmed that the compromised data included first and last names, birth dates, financial account numbers, routing numbers, Social Security numbers, digital signatures, account access credentials, driver’s license numbers and/or other governmental identification numbers, Medicare/Medicaid numbers, medical histories, patient numbers, provider names and locations, medical diagnosis information, medical treatment information, and other health insurance information. Compass said it is reviewing its practices and internal controls to enhance the security and privacy of patient information.
Precision Endodontics of Raleigh, North Carolina
Precision Endodontics of Raleigh in North Carolina has recently notified 4,022 current and former patients about a phishing-related data breach. On June 10, 2025, Precision Endodontics identified unauthorized access to its email account. An investigation was launched, which revealed the account had been used to send phishing emails to a portion of its contact list.
The compromised email account was reviewed and found to contain patients’ first and last names and email addresses; however, no misuse of that information has been identified. Precision Endodontics has implemented additional safeguards to improve data security and its web server infrastructure and will take further actions to reduce the risk of similar breaches in the future.