In July 2026, the US Department of Health and Human Services (HHS) temporarily waived HIPAA Privacy Rule sanctions and penalties for hospitals in Guam and the Northern Mariana Islands responding to Typhoon Bavi.

 

What happened

The action followed emergency declarations by President Donald Trump and a public health emergency declaration by HHS Secretary Robert F. Kennedy Jr. The waiver did not suspend HIPAA as a whole. Instead, it applied only to hospitals that had activated disaster protocols in the emergency area and only for up to 72 hours after those protocols began. During that limited period, HHS stated that it would not impose sanctions or penalties if a hospital failed to meet specific Privacy Rule requirements, including obtaining a patient’s agreement before speaking with family or friends involved in the patient’s care, honoring a request to opt out of a facility directory, distributing a notice of privacy practices, or complying with requests for privacy restrictions and confidential communications.

Once the emergency declaration ended, or once the 72-hour period expired, hospitals were again required to comply with those provisions. HHS also emphasized that the waiver did not remove broader obligations to protect patient information. Covered entities and business associates still had to use reasonable safeguards, apply HIPAA Security Rule protections to electronic protected health information (ePHI), and limit disclosures to the minimum necessary. The agency further clarified that HIPAA already permits certain disclosures without patient authorization for treatment, public health activities, disaster relief, notifications to family members, and situations involving a serious and imminent threat.

 

In the know

Section 1135 of the Social Security Act, codified at 42 U.S.C. § 1320b-5, gives the Secretary of the HHS limited emergency powers to waive or modify certain federal healthcare requirements temporarily. The authority generally becomes available when a qualifying presidential emergency or disaster declaration and an HHS public health emergency declaration are both in effect.

Section 1135(b)(7) does not suspend the Privacy Rule or authorize unrestricted disclosure of patient information. Instead, it allows HHS to waive sanctions and penalties for noncompliance with a narrow list of requirements, such as obtaining a patient’s agreement before discussing care with family members, honoring facility-directory opt-outs, distributing notices of privacy practices, and responding to requests for privacy restrictions or confidential communications.

 

What was said

According to the Administration for Strategic Preparedness & Response determination of the emergency, “As a result of the consequences of Typhoon Bavi on the Commonwealth of the Northern Mariana Islands and the Territory of Guam, on this date and after consultation with public health officials as necessary, I, Robert F. Kennedy, Jr., Secretary of Health and Human Services, pursuant to the authority vested in me under section 319 of the Public Health Service Act, do hereby determine that a public health emergency exists and has existed since July 2, 2026, in the Commonwealth of the Northern Mariana Islands and the Territory of Guam.”

 

Why it matters

Hospitals should therefore treat the 72-hour waiver as a narrow compliance measure rather than a general relaxation of HIPAA. Earlier this year, ⁠Gastro Health disclosed two phishing incidents that occurred just five days apart after employees responded to phishing emails. The attacks resulted in unauthorized access to patient files containing protected health information, demonstrating how quickly routine email-based attacks can escalate when staff are working under pressure. Even during an emergency, organizations must continue verifying recipients, protecting electronic PHI, and following Security Rule safeguards to reduce the risk of preventable breaches.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

 

FAQs

Can healthcare organizations use ordinary email during an emergency?

An emergency does not create a general exception allowing organizations to disregard Security Rule safeguards. Healthcare organizations must assess the risks of their communication methods and apply reasonable and appropriate protections to ePHI, including access controls, recipient verification, secure configurations, and encryption where appropriate under their risk analysis.

 

Are business associates still responsible for protecting ePHI during an emergency?

Business associates remain directly subject to applicable HIPAA Security Rule requirements during an emergency.

 

Does HIPAA require an emergency contingency plan?

The Security Rule requires covered entities and business associates to establish contingency procedures for emergencies and other events that damage systems containing electronic protected health information.