NO, the source of the information is not a covered entity. The disclosure may be made. The Privacy Rule applies only to covered entities! The Privacy Rule does not apply to all persons or entities that regularly use, disclose, or store individually identifiable health information. For example, the Privacy Rule does not limit the disclosure of information by social service agencies, Centers for Independent Living, paratransit authorities, Protection & Advocacy Organizations or public agencies that perform public health activities, when those agencies are functioning solely in these capacities. If an agency also performs covered entity functions, see discussion of hybrid entities. Example: A social services agency (that is not a covered entity) that maintains a list of names, addresses and limitations of persons with disabilities in an area may release the information to a transportation contractor without regard to the HIPAA Privacy Rule. Example: The HIPAA Privacy Rule does not restrict the American Red Cross from sharing patient information.