A Decision Tool: Is the Recipient a Public Health Authority (PHA)

Disclosures for Emergency Preparedness - A Decision Tool: Is the Recipient a Public Health Authority (PHA)?

YES, the source of the information is a covered entity.

Is the recipient of the information a public health authority (PHA)?

Additional Information:

Some public agencies perform both covered entity functions (e.g. provider, health plan) and other functions (e.g. public health).

These agencies may choose to be hybrid entities

Many emergency preparedness activities are public health activities (e.g., those that prevent or control disease, injury or disability)
Covered entities may disclose certain protected health information (PHI) to appropriate public health authorities for such activities
An entity that is authorized by law to coordinate disaster relief planning may be a public health authority.

Definitions:

A Public Health Authority is:

an agency or authority of the United States Government, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, that is responsible for public health matters as a part of is official mandate, or
a person or entity acting under a grant of authority from or contract with such agency.

Examples of PHAs include:

Local health departments
State public health agencies
- state health departments
- state cancer registries
- state vital statistics departments
Tribal health agencies
Federal public health agencies
- Food and Drug Administration (FDA)
- Centers for Disease Control and Prevention (CDC)
- Occupational Safety Health Administration (OSHA)

>Note: The Privacy Rule permits several types of disclosures of PHI for public health activities that are not discussed here (for example, covered entities may disclose PHI to a person subject to FDA jurisdiction, for public health purposes related to the quality, safety or effectiveness of an FDA-regulated product or activity for which that person has responsibility). For more information, see OCR guidance on Public Health disclosures and CDC's guidance on the Privacy Rule and Public Health.