Let’s suppose, for the sake of this discussion, that I had contacted an internet site about ED medicine. They took relevant medical history, they have a doctor on staff who can write prescriptions, and they both wrote and filled a prescription. Part of the information they gathered about me was my email address.
Now let’s say that, a few days later, I started getting spammed from several other companies offering to sell me ED remedies, and that I have never received these kinds of emails before.
Under these (imaginary) circumstances, is there any way that a case could be made that the internet site which prescribed and sold me the ED remedy then sold that information about me to third parties, and that this was a violation of HIPAA?
ETA: As part of the suppositions for this thread, suppose that there was no communication about, nor offer to opt in or out of, them selling my information to other companies.