What is the liability of a covered entity in responding to an individual’s access request to send the individual’s PHI to a third party?
This guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded.
Covered entities may rely on the information provided in writing by the individual about the identity of the designated person and where to send the PHI for purposes of verification of the designated third party as an authorized recipient. However, covered entities must implement reasonable safeguards in otherwise carrying out the request, such as taking reasonable steps to verify the identity of the individual making the access request and to enter the correct information into the covered entity’s system. For example, while a covered entity is not required to confirm that the individual provided the correct e-mail address of the third party, the covered entity is required to have reasonable procedures to ensure that it correctly enters the provided e-mail address into the covered entity’s system.
In addition, except in the limited circumstance described below, covered entities must safeguard the information in transit, and are responsible for breach notification and may be liable for impermissible disclosures of PHI that occur in transit. The only exception arises when an individual has requested that the PHI be sent to the third party by unencrypted e-mail or in another unsecure manner, which the individual has a right to request. As long as the individual was warned of and accepted the security risks to the PHI associated with the unsecure transmission, the covered entity is not responsible for breach notification or liable for disclosures that occur in transit.
Further, the covered entity is not liable for what happens to the PHI once the designated third party receives the information as directed by the individual in the access request.