A PHA is an agency or person authorized by law to collect or receive information to prevent or control disease, injury, or disability. This includes: 

• State, Tribal, local, and territorial (STLT) health departments 

• CDC and other federal public health agencies 

• Tribal Epidemiology Centers (TECs), which are designated as PHAs under HIPAA 

No, the HIPAA exception allows the disclosure of PHI without individual authorization when the recipient is a PHA operating under a legal mandate (e.g., for reportable conditions, immunizations, case investigations). 

Providers may share EHI that is relevant to the public health activity, such as: 

• ​​​​​Laboratory orders and results 

• Diagnoses and clinical notes 

• Demographic data 

• Immunization records 

• Hospital discharge data 

• Reportable conditions 

• Syndromic surveillance indicators 

However, disclosures must adhere to the “minimum necessary” standard, only the data needed to fulfill the public health purpose should be shared. 

Covered entities must ensure: 

• The PHA is legally authorized to collect the data 

• Data is transmitted through secure, HIPAA-compliant methods (e.g., encrypted transmission, secure application programming interfaces (APIs) 

• Legal agreements may be established to document roles, responsibilities, and safeguards, including if data is being reshared with others 

Yes.  HIPAA does not limit the technology used for legal disclosures. EHI may be shared via: 

• Secure file transfers 

• Direct interfaces with EHR systems 

• Health information exchanges (HIEs) 

• APIs using FHIR (Fast Healthcare Interoperability Resources) or other standards 

The mode of exchange must comply with HIPAA’s Security Rule requirements. 

Tribal Nations are sovereign governments and may have their own privacy policies and laws in addition to HIPAA. Data sharing with Tribal public health entities must: 

• Align with Tribal law and respect Tribal data governance principles 

• Be legally authorized, especially if data is flowing from a non-Tribal covered entity 

• Often involve consultation and formal agreements 

• TECs are recognized PHAs and can legally receive PHI under HIPAA 

If disclosures are made in accordance with HIPAA’s public health provisions and proper safeguards are used, there is no risk of violation.  

It’s important to: 

• Validate that the recipient is a legally authorized public health authority 

• Limit disclosures to the minimum necessary 

• Use secure and compliant data transmission methods 

• Review the benefits to HCOs of sharing PHI with PHAs here ​​[link to section 3 of the Toolkit]. 

• Educate staff about legal allowances under HIPAA for public health. 

• Collaborate early with PHAs/HCOs to establish shared understanding and workflows. 

• Develop clear documentation (e.g., memorandum of understandings [MOUs], data sharing protocols). 

• Reinforce that public health data sharing is not only legal and permissible — it is essential to protecting community health 

This page is available as a downloadable PDF that can be accessed here. ​​ [Link to the PDF of this section]