
Sending to Third Parties

As people increasingly manage their health data using smartphone applications, understanding when and how to share information with third parties, such as apps, is critical. Read more about the process, requirements and concerns associated with third-party access. Once you feel confident, test your knowledge with our quiz.

Sending PHI to Designated Third Parties

“An individual also has a right to direct the covered entity to transmit the PHI about the individual directly to another person or entity designated by the individual. The individual’s request to direct the PHI to another person must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI. A covered entity may accept an electronic copy of a signed request (e.g., PDF), as well as an electronically executed request (e.g., via a secure web portal) that includes an electronic signature. The same requirements for providing the PHI to the individual, such as the fee limitations and requirements for providing the PHI in the form and format and manner requested by the individual, apply when an individual directs that the PHI be sent to another person. See 45 CFR 164.524(c)(3).”¹

1. HHS: Health Information Privacy Division. (2016, February).

Requirements Remain

“The same requirements for providing the PHI to the individual, such as the timeliness requirements, fee limitations, prohibition on imposing unreasonable measures, and form and format requirements, apply when an individual directs that the PHI be sent to another person or entity.”

For Example

“For example, just as when the individual requests a copy for herself, a covered entity cannot require that an individual make a separate in-person trip to the covered entity’s physical location for the purpose of making the request to transmit the individual’s PHI to a person or entity designated by the individual. In addition, the individual can designate the form and format of the PHI and how the PHI is to be sent to the third party, and the covered entity must provide access in the requested form and format and manner if the PHI is “readily producible” in such a way. Whether PHI is “readily producible” depends on the capabilities of the covered entity and whether transmission or transfer of the PHI in the requested manner would present an unacceptable level of security risk to the PHI on the covered entity’s systems (based on the covered entity’s Security Rule risk analysis).”

Need More?

The following are just a few examples of how these provisions apply:

Direct Address

“A patient requests in writing that the hospital where she recently underwent a surgical procedure use its Certified EHR Technology (CEHRT) to send her discharge summary to her primary care physician, or to her own personal health record, and she supplies the corresponding Direct address (an electronic address for securely exchanging health information using the Direct technical standard).”

Email

“A patient sends a written request to his long-time physician asking the physician to download a copy of the PHI from his electronic medical record, and e-mail it in encrypted form to XYZ Research Institution, at [email protected], so XYZ Research Institution can use his health information for research purposes.”

App

“A patient requests in writing that her ob-gyn digitally transmit records of her latest pre-natal visit to a new pregnancy self-care app that she has on her mobile phone. The ob-gyn’s EHR has the ready capability to establish the connection in a manner that does not present an unacceptable level of security risk to the PHI in the EHR or other of the ob-gyn’s systems, based on the ob-gyn’s Security Rule risk analysis.”

Smooth Sailing

“In each of these three examples, the covered entity has the capability to transfer the PHI in the requested manner and doing so would not present an unacceptable level of security risk to the PHI in the covered entity’s systems.  Thus, after receiving the patient’s written request, the covered entity has 30 days (or 60 days if an extension is applicable) to send the PHI to the designated recipient as directed by the individual.  However, in most cases, it is expected that the use of technology will enable the covered entity to fulfill the individual’s request in far fewer than 30 days.”

Want More Details?

OCR answers some frequently asked questions:

  • Limits or Exceptions

    Are there any limits or exceptions to the individual’s right to have the individual’s PHI sent directly to a third party?

    The right of an individual to have PHI sent directly to a third party is an extension of the individual’s right of access; consequently, all of the provisions that apply when an individual obtains access to her PHI apply when she directs a covered entity to send the PHI to a third party.

  • Personal Representatives & Third Party Access

    Can an individual’s personal representative, through the HIPAA right of access, have the individual’s health care provider or health plan send the individual’s PHI to a third party?

    Yes.  An individual’s personal representative (generally, a person with authority under State law to make health care decisions for the individual) has the right both to receive a copy of PHI about the individual in a designated record set, and to direct the covered entity to transmit a copy of the PHI to another person or entity, upon request, consistent with the scope of such representation and the requirements of 45 CFR 164.524.  See 45 CFR 164.502(g). The same requirements for fulfilling an individual’s request to send the individual’s PHI to a third party (e.g., with respect to timeliness, form and format, bases for denial, fee limitations, etc.) also apply to requests made by an individual’s personal representative.

  • Liability Concerns

    What is the liability of a covered entity in responding to an individual’s access request to send the individual’s PHI to a third party?

    Covered entities may rely on the information provided in writing by the individual about the identity of the designated person and where to send the PHI for purposes of verification of the designated third party as an authorized recipient. However, covered entities must implement reasonable safeguards in otherwise carrying out the request, such as taking reasonable steps to verify the identity of the individual making the access request and to enter the correct information into the covered entity’s system. For example, while a covered entity is not required to confirm that the individual provided the correct e-mail address of the third party, the covered entity is required to have reasonable procedures to ensure that it correctly enters the provided e-mail address into the covered entity’s system.

    In addition, except in the limited circumstance described below, covered entities must safeguard the information in transit, and are responsible for breach notification and may be liable for impermissible disclosures of PHI that occur in transit.  The only exception arises when an individual has requested that the PHI be sent to the third party by unencrypted e-mail or in another unsecure manner, which the individual has a right to request.  As long as the individual was warned of and accepted the security risks to the PHI associated with the unsecure transmission, the covered entity is not responsible for breach notification or liable for disclosures that occur in transit.

    Further, the covered entity is not liable for what happens to the PHI once the designated third party receives the information as directed by the individual in the access request.

  • Breach Notification

    What is a covered entity’s obligation under the Breach Notification Rule if it transmits an individual’s PHI to a third party designated by the individual in an access request, and the entity discovers the information was breached in transit?

    If a covered entity discovers that the PHI was breached in transit to the designated third party, and the PHI was “unsecured PHI” as defined at 45 CFR 164.402, the covered entity generally is obligated to notify the individual and HHS of the breach and otherwise comply with the HIPAA Breach Notification Rule at 45 CFR 164, Subpart D.

    However, if the individual requested that the covered entity transmit the PHI in an unsecure manner (e.g., unencrypted), and, after being warned of the security risks to the PHI associated with the unsecure transmission, maintained her preference to have the PHI sent in that manner, the covered entity is not responsible for a disclosure of PHI while in transmission to the designated third party, including any breach notification obligations that would otherwise be required.  Further, a covered entity is not liable for what happens to the PHI once the designated third party receives the information as directed by the individual in the access request.

    Where the PHI that was breached is “secured” as provided for in the HHS Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, the covered entity does not have reporting obligations under the Breach Notification Rule.

  • HIPAA Authorization vs. Right of Access

    Why depend on the individual’s right of access to facilitate the disclosure of PHI to a third party – why not just have the individual execute a HIPAA authorization to enable the covered entity to make this disclosure?

    The PHI that an individual wants to have disclosed to a third party under the HIPAA right of access also could be disclosed by a covered entity pursuant to a valid HIPAA authorization.  However, there are differences between the two methods — the primary difference being that one is a required disclosure and one is a permitted disclosure — that may make the right of access a more favorable choice for most disclosures the individual is initiating on her own behalf.  These differences are illustrated in the following table:

    In addition, the Privacy Rule permits covered entities to disclose PHI for treatment, payment and health care operations without the need to first obtain an individual’s authorization or receive an access request by the individual to have the individual’s PHI directed to a third party for such purposes. See 45 CFR 164.506. As a result, if an individual is seeking to have her PHI shared among her treating providers, the covered entities can and should do so; the individual should not have to facilitate this transmission by submitting an access request (and potentially having to wait up to 30 days for the information to be sent and be charged a fee) or by executing a HIPAA authorization. See the Fact Sheets on Understanding Some of HIPAA’s Permitted Uses and Disclosures.

  • Family / Caregiver Access

    Under HIPAA, when can a family member of an individual access the individual’s PHI from a health care provider or health plan?
