When information comes out of a relationship with a healthcare provider, it's PHI.
That information is tainted with the restrictions and keeps them regardless of where it goes. If it gets disclosed outside of that it becomes a violation.
So nobody working for a hospital you get care for can disclose things. Nobody the hospital hires to provide services or handle your data, etc.
You can sign away those rights or give your own information away.
If the data doesn't come up through a relationship with a healthcare provider, it's not PHI.
Yes, lots of data storage companies are - that's why these companies sign BAAs (Google HIPAA BAA for info).
There are some carve outs. For example, financial services companies don't have any additional privacy requirements if you buy a prescription with your Visa instead of cereal. That carve out was specifically added to the HIPAA legislation.
The Privacy Rule, as well as all the Administrative Simplification rules, apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form... covered entities...
I think this just means the health care industry and those who build systems for health care information?
Going to keep researching, but I don't think that it applies to literally every workplace.
Any working professional that handles PHI is bound by it, not just health care professionals. This could also be managers in a hospital. An individual is not.