Disclosures for Emergency Preparedness - A Decision Tool: Is the Public Health Authority Authorized to Collect Information?

A covered entity may disclose PHI for public health activities and purposes to a public health authority (PHA) that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including the conduct of public health interventions.

A covered entity can disclose PHI to a PHA if there is legal authority, such as in a statute or regulation, permitting or requiring the PHA to request or receive such information. The PHA should be able to provide the covered entity with a statement describing its legal authority to receive the information and conduct the public health activity.

Example: Pursuant to federal law, hospitals regularly report health statistics to the CDC, consistent with the Privacy Rule.

A particular PHA will not be authorized by law to collect or receive information for all public health activities. It must be determined whether the PHA has authority for the activity.

Example: If a local public health agency only has authority to collect information regarding births and deaths, a covered entity could not honor a request by that agency for the names and severity of medical conditions of all persons with disabilities.