§164.512(b) Standard: Uses and disclosures for public health activities.
(1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to:
(i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority;
(ii) A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect.
(iii) A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated products or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity. Such purposes include:
(A) To collect or report adverse events (or similar activities with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations; (B) To track FDA-regulated products; (C) To enable product recalls, repairs, or replacement, or look back (including locating and notifying individuals who have received products that have been, withdrawn, or are the subject of look back); or (D) To conduct post marketing surveillance; (iv) A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; or
(v) An employer, about an individual who is a member of the workforce of the employer, if:
(A) The covered entity is a covered health care provider who provides health care to the individual at the request of the employer:
(1) To conduct an evaluation relating to medical surveillance of the workplace; or
(2) To evaluate whether the individual has a work-related illness or injury;
(B) The protected health information that is disclosed consists of findings concerning a work-related illness or injury or a workplace-related medical surveillance;
(C) The employer needs such findings in order to comply with its obligations, under 29 CFR parts 1904 through 1928, 30 CFR parts 50 through 90, or under state law having a similar purpose, to record such illness or injury or to carry out responsibilities for workplace medical surveillance; and
(D) The covered health care provider provides written notice to the individual that protected health information relating to the medical surveillance of the workplace and work-related illnesses and injuries is disclosed to the employer:
(1) By giving a copy of the notice to the individual at the time the health care is provided; or
(2) If the health care is provided on the work site of the employer, by posting the notice in a prominent place at the location where the health care is provided.
(vi) A school, about an individual who is a student or prospective student of the school, if:
(A) The protected health information that is disclosed is limited to proof of immunization;
(B) The school is required by State or other law to have such proof of immunization prior to admitting the individual; and (C) The covered entity obtains and documents the agreement to the disclosure from either:
(1) A parent, guardian, or other person acting in loco parentis of the individual, if the individual is an unemancipated minor; or
(2) The individual, if the individual is an adult or emancipated minor.
(2) Permitted uses. If the covered entity also is a public health authority, the covered entity is permitted to use protected health information in all cases in which it is permitted to disclose such information for public health activities under paragraph (b)(1) of this section.

Audit Inquiry

Are policies and procedures in place that specify how the covered entity uses or disclosures PHI for public health activities consistent with this standard?
Obtain and review policies and procedures in relation to the established performance criterion regarding permitted uses and disclosures for public health activities.

Obtain and review a sample of such uses and disclosures, to include uses and disclosures to an employer about an individual who is a member of the workforce of the employer, and determine whether all criteria were met.