Still only true if personal identification information is removed.
We are allowed to get med device data from the hospitals by agreement to monitor and improve equipment, but it must have the personal information stripped and if it is not it must immediately be reported and deleted. Not sure the final end steps on the back end, but I think the patient ends up getting informed of the breach.
Doesn’t this apply, tho? https://www.hhs.gov/hipaa/for-professionals/faq/482/does-hipaa-permit-a-doctor-to-share-patient-information-for-treatment-over-the-phone/index.html
Seems like all they have to claim is “this facilitates treatment” and “we put the recommended safeguards in place” and then they can transfer the data, including the protected data, however they see fit. Which, of course, they’re doing regardless of what they “have” to do.