The annual HIPAA training I was subjected to for nearly a decade on the EMR provider side of things never brought up these scenarios, but the Privacy Rule does have carve-outs that allow PHI to be transmitted to entities that would not be considered Business Associates, if the patient consents.