What is a covered entity’s obligation under the Breach Notification Rule if it transmits an individual’s PHI to a third party designated by the individual in an access request, and the entity discovers the information was breached in transit?

What is a covered entity’s obligation under the Breach Notification Rule if it transmits an individual’s PHI to a third party designated by the individual in an access request, and the entity discovers the information was breached in transit?

What is a covered entity’s obligation under the Breach Notification Rule if it transmits an individual’s PHI to a third party designated by the individual in an access request, and the entity discovers the information was breached in transit?

This guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded.

If a covered entity discovers that the PHI was breached in transit to the designated third party, and the PHI was “unsecured PHI” as defined at 45 CFR 164.402, the covered entity generally is obligated to notify the individual and HHS of the breach and otherwise comply with the HIPAA Breach Notification Rule at 45 CFR 164, Subpart D. However, if the individual requested that the covered entity transmit the PHI in an unsecure manner (e.g., unencrypted), and, after being warned of the security risks to the PHI associated with the unsecure transmission, maintained her preference to have the PHI sent in that manner, the covered entity is not responsible for a disclosure of PHI while in transmission to the designated third party, including any breach notification obligations that would otherwise be required. Further, a covered entity is not liable for what happens to the PHI once the designated third party receives the information as directed by the individual in the access request.

Where the PHI that was breached is “secured” as provided for in the HHS Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html), the covered entity does not have reporting obligations under the Breach Notification Rule.



 TYLER, Texas — U.S. Attorney John M. Bales announced today that a former employee of an East Texas hospital has pleaded guilty to criminal HIPAA charges in the Eastern District of Texas. Joshua Hippler, 30, formerly of Longview, Texas, was indicted on March 26, 2014, on charges of Wrongful Disclosure of Individually Identifiable Health Information.  Hippler pleaded guilty on August 28, 2014 during a hearing before United States Magistrate Judge John D. Love.  The indictment alleged that from December 1, 2012, through January 14, 2013, Hippler, who was then an employee of a covered entity under HIPAA, obtained protected ...read more



Private Practice Revises Process to Provide Access to Records Covered Entity: Private Practices Issue: Access A private practice failed to honor an individual's request for a complete copy of her minor son's medical record. OCR's investigation determined that the private practice had relied on state regulations that permit a covered entity to provide a summary of the record. OCR provided technical assistance to the covered entity, explaining that the Privacy Rule permits a covered entity to provide a summary of patient records rather than the full record only if the requesting individual agrees in advance to such a summary ...read more



Health Sciences Center Revises Process to Prevent Unauthorized Disclosures to Employers Covered Entity: General Hospitals Issue: Impermissible Uses and Disclosures; Authorizations A state health sciences center disclosed protected health information to a complainant's employer without authorization. Among other corrective actions to resolve the specific issues in the case, including mitigation of harm to the complainant, OCR required the Center to revise its procedures regarding patient authorization prior to release of protected health information to an employer. All staff was trained on the revised procedures. ...read more



Private Practice Revises Access Procedure to Provide Access Despite an Outstanding Balance Covered Entity: Private Practice Issue: Access A complainant alleged that a private practice physician denied her access to her medical records, because the complainant had an outstanding balance for services the physician had provided. During OCR’s investigation, the physician confirmed that the complainant was not given access to her medical record because of the outstanding balance. OCR provided technical assistance to the physician, explaining that, in general, the Privacy Rule requires that a covered entity provide an individual access to their medical record within 30 days of ...read more

July 2026
SuMoTuWeThFrSa
1234
567891011
12131415161718
19202122232425
262728293031

Blog Home

Newest Blog Entries
1/21/25 Understanding Business Associate Agreements

11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims

11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme

11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges

11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6

11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach

11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA

11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth

11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations

11/12/22 May a covered entity use or disclose protected health information for litigation?

11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?

Blog Archives
January 2025 (1)
November 2022 (54)

Blog Labels
HIPAA (2)
EHR Fraud (1)
HIPAA Enforcement (3)
BAA (4)
Telehealth (1)
PPP Fraud (1)
Data Breach (1)
ePHI (2)
Covered Entity (40)