Aside from other restrictions under state and federal law, if a medical provider sends PHI in error to an individual's employer, is the employer's use of such PHI subject to any restrictions under the HIPAA privacy regulations? If so, where is this addressed in the regs. or other DHHS authority?

HIPAA privacy regs. state that participant authorizations must state the specific purpose(s) for which disclosure is permitted. May an authorization state that the specific purpose is any reason desired by the covered entity? If not, where is this addressed in the regs. or other DHHS authorit? Thanks.

If a medical provider sends PHI in error to the employer, the medical provider is in trouble. However, at that point, the medical information is outside the HIPAA box, and no longer technically subject to HIPAA rules. However, as you have alluded, there are state law considerations. Misuse of health information received by "accident" would be a very bad idea, in my opinion. There have already been state court rulings that hold that the HIPAA rules are the standard of care for common law breach of privacy claims against non-covered entities involving health information.

As for your second question, see 164.508©(1)(iv).