Get Permission The agency that enforces HIPAA has issued guidance to clarify how covered entities and business associates are permitted to make patient record disclosures for public health purposes to health information exchange organizations during the COVID-19 pandemic. The Department of Health and Human Services’ Office for Civil Rights said its new guidance gives examples of how organizations may disclose protected health information without patient authorization to an HIE for reporting to a public health authority. But as a matter of routine, covered entities’ notice of privacy practices must reveal that PHI may be shared for public health purposes if the need arises.