When information comes out of a relationship with a healthcare provider, it's PHI.
That information is tainted with the restrictions and keeps them regardless of where it goes. If it gets disclosed outside of that it becomes a violation.
So nobody working for a hospital you get care for can disclose things. Nobody the hospital hires to provide services or handle your data, etc.
You can sign away those rights or give your own information away.
If the data doesn't come up through a relationship with a healthcare provider, it's not PHI.
That information is tainted with the restrictions and keeps them regardless of where it goes. If it gets disclosed outside of that it becomes a violation.
So nobody working for a hospital you get care for can disclose things. Nobody the hospital hires to provide services or handle your data, etc.
You can sign away those rights or give your own information away.
If the data doesn't come up through a relationship with a healthcare provider, it's not PHI.