The US Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) issued guidance on how the Health Insurance Portability and Accountability Act (HIPAA) permits covered healthcare facilities and providers to use health information exchanges (HIEs) to disclose protected health information (PHI) to a public health authority (PHA) for public health purposes. A HIE is an organisation that enables the sharing of electronic protected health information (ePHI) among more than two unaffiliated entities. The guidance provides examples of how HIPAA permits covered health entities to disclose PHI to a PHA during the COVID-19 pandemic. Disclosure of PHI to a PHA is permitted when: (a) it is required by the law; (b) a HIE is an affiliated association of the covered entity that wishes to provide PHI to a PHA for public health purposes; (c) a HIE is acting under a grant of authority or contract with a PHA for a public health.