YES, the source of the information is a covered entity.
Is the recipient of the information a public health authority (PHA)?
Some public agencies perform both covered entity functions (e.g. provider, health plan) and other functions (e.g. public health).
These agencies may choose to be hybrid entities
- Many emergency preparedness activities are public health activities (e.g., those that prevent or control disease, injury or disability)
- Covered entities may disclose certain protected health information (PHI) to appropriate public health authorities for such activities
- An entity that is authorized by law to coordinate disaster relief planning may be a public health authority.
A Public Health Authority is:
- an agency or authority of the United States Government, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, that is responsible for public health matters as a part of is official mandate, or
- a person or entity acting under a grant of authority from or contract with such agency.
Examples of PHAs include:
- Local health departments
- State public health agencies
- state health departments
- state cancer registries
- state vital statistics departments
- Tribal health agencies
- Federal public health agencies
>Note: The Privacy Rule permits several types of disclosures of PHI for public health activities that are not discussed here (for example, covered entities may disclose PHI to a person subject to FDA jurisdiction, for public health purposes related to the quality, safety or effectiveness of an FDA-regulated product or activity for which that person has responsibility). For more information, see OCR guidance on Public Health disclosures and CDC's guidance on the Privacy Rule and Public Health.