In theory, a patient can indicate what information can/cannot be divulged to individual 3rd parties.
What counts for a patient are items of information (show symptoms/do not show symptoms) per 3rd party recipient. Some agencies have 200 forms with 50 data items per form (many of which are duplicated across forms) and 400 trading partners. Fortunately, only a few of these have links to any individual patient.
So,the first cut is whether a particular trading partner has an established relationship with a patient.
To implement data sharing, you would basically have to do pick an eligible 3rd party recipient, pick a form and then do 50 lookups – if any one of these is a no-show data element, you would have to mask it or not send the form.
It gets worse for “documents” which, in some cases, will be narratives consolidating data items from multiple forms /structured data collection devices with no way of telling where the data elements came from – each word in the document other than language constructs would need a hyperlink back to the item that contributed that word. Then we have pictures/images etc.
It would take hours with a patient to record the data elements they are willing to share with all possible 3rd party recipients and you would then need to set up a complex masking matrix.
Accordingly, the only safe course of action when a request for a form/document comes in from some 3rd party is
1) contact the patient
2) ship the patient via a secure data channel what you plan to send to the identified 3rd party
3) patient signs a one-time release for the material.
4) you log the disclosure
5) you then send the information to the intended recipient.
This becomes very tedious, so most agencies seek general releases of information.