Disclosures for Emergency Preparedness - A Decision Tool: Is the Recipient a Public Health Authority (PHA)?

Additional Information:

Some public agencies perform both covered entity functions (e.g. provider, health plan) and other functions (e.g. public health).

These agencies may choose to be hybrid entities

• Many emergency preparedness activities are public health activities (e.g., those that prevent or control disease, injury or disability)
• Covered entities may disclose certain protected health information (PHI) to appropriate public health authorities for such activities
• An entity that is authorized by law to coordinate disaster relief planning may be a public health authority.

Definitions:

A Public Health Authority is:

• an agency or authority of the United States Government, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, that is responsible for public health matters as a part of is official mandate, or
• a person or entity acting under a grant of authority from or contract with such agency.

Examples of PHAs include:

• Local health departments
• State public health agencies
  • state health departments
  • state cancer registries
  • state vital statistics departments
• Tribal health agencies
• Federal public health agencies
  • Food and Drug Administration (FDA)
  • Centers for Disease Control and Prevention (CDC)
  • Occupational Safety Health Administration (OSHA)

>Note: The Privacy Rule permits several types of disclosures of PHI for public health activities that are not discussed here (for example, covered entities may disclose PHI to a person subject to FDA jurisdiction, for public health purposes related to the quality, safety or effectiveness of an FDA-regulated product or activity for which that person has responsibility). For more information, see OCR guidance on Public Health disclosures and CDC's guidance on the Privacy Rule and Public Health.