Awesome, thank you for pointing out the issue with the previous one!
Changed the title, not sure how to balance “meant to make it easier to share between organizations (gov included)” and the misconception that it is a privacy-oriented regulation.
From what I understand from the video and the regulation definition under Health Care Operations there are many ways for the provider to share the data without consent (page 2: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/sharingfortpo.pdf).
“Health care operations” are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These activities, which are limited to the activities listed in the definition of “health care operations” at 45 CFR 164.501, include:

- Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, and case management and care coordination;
- Reviewing the competence or qualifications of health care professionals, evaluating provider and health plan performance, training health care and non-health care professionals, accreditation, certification, licensing, or credentialing activities;
- Underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to health care claims;
- Conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs;
- Business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity; and
- Business management and general administrative activities, including those related to implementing and complying with the Privacy Rule and other Administrative Simplification Rules, customer service, resolution of internal grievances, sale or transfer of assets, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.
Is that the first hurdle you were mentioning? I’m just trying to understand where is the restriction of the second hurdle if in 164.506 it says an entity can use the data:
“Use or disclose protected health information for its own treatment, payment, and health care operations activities”
Trying to understand the distinction and have another TIL moment, not arguing against the comment.
I guess there’s some diminishing returns if the data gets distributed to too many entities.
Hypothetically, they can ask for consent from patients, with some form that allows investigative agencies to access contact information of patients for such cases. I think there are other options other than sending it without consent and even the knowledge of the patients.