Yes. The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider for that provider’s treatment or payment purposes, as well as to another covered entity for certain health care operations of that entity. See 45 CFR 164.506 and the definitions of “treatment,” “payment,” and “health care operations” at 45 CFR 164.501.