The NPRM would have allowed covered entities to disclose protected health information without
individual authorization to: (1) A public health authority
authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or
disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; (2) a public health authority or other appropriate authority
authorized by law to receive reports of child abuse or neglect; (3) a person or entity other than a governmental authority that could demonstrate or demonstrated that it was acting to comply
with requirements or direction of a public health authority; or (4) a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition and was
authorized by law to be notified as necessary in the conduct of a public health intervention or investigation.
One comment suggested that the final rule explicitly allows disclosures
authorized by the Americans
with Disabilities Act without an
individual's authorization, because this law, in the commenter's view, provides more than adequate protection for the confidentiality of medical records in the employment context.