
The costs of non-compliance during natural disasters

The Secretary of the U.S. Department of Health and Human Services (HHS) can waive certain HIPAA penalties during a public health emergency but only for specific provisions, only within a limited geographic area, and only for up to 72 hours in most cases. As healthcare compliance writer Torrey Kim put it when analyzing the response to Hurricanes Helene and Milton, "your commitment to maintaining patient privacy does not subside during weather events."

In its official guidance issued during the 2024 public health emergency for North Carolina in response to Hurricane Helene, HHS confirmed that while the Secretary exercised authority to waive certain sanctions and penalties, those waivers covered only a specific and limited list of provisions including, "the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient's care… the requirement to honor a request to opt out of the facility directory… the requirement to distribute a notice of privacy practices… the patient's right to request privacy restrictions… [and] the patient's right to request confidential communications."

Even those waivers came with conditions. According to HHS, the waiver "only applies: (1) in the emergency area and for the emergency period identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol." The guidance further specifies that "when the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol."

These waivers apply only to hospitals. Physician practices and other medical providers must operate under full HIPAA requirements throughout any emergency. That means when staff resort to texting patient information over personal smartphones, using unsecured email platforms, or verbally sharing protected health information (PHI) in open evacuation centers, they are creating legal exposure.


What HIPAA does allow

On treatment, HHS states that "covered entities may disclose, without a patient's authorization, protected health information about the patient as necessary to treat the patient or to treat another person… Treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment."

On imminent threats, the guidance states, "Health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public… providers may disclose a patient's health information to anyone who is in a position to prevent or lessen the threatened harm, including family, friends, caregivers, and law enforcement, without a patient's permission."

On coordination with disaster relief organizations, HHS confirms that covered entities "may share protected health information with disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient's care, of the patient's location, general condition, or death. It is unnecessary to obtain a patient's permission to share the information in this situation if doing so would interfere with the organization's ability to respond to the emergency."

However, HHS is clear that "in an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information."


The financial consequences

HIPAA violations carry penalties that range from $100 to $50,000 per violation. Furthermore, when a data breach occurs, affected patients can have legal standing to pursue civil action. Class-action suits following healthcare data breaches have resulted in settlements in the tens of millions of dollars, and legal fees, discovery costs, and settlement payouts add to the total.

There are also the costs of remediation. Post-breach, organizations face mandatory investments in upgraded security infrastructure, staff retraining programs, and independent audits. According to Park and Lim's study, "The Impact of Healthcare Data Breaches on Patient Hospital Visit Behavior", the average post-breach cost in healthcare reaches $10.1 million, more than double the $4.35 million average across other industries. IBM's figures, cited in the Paubox report, reinforce that healthcare breaches carry the highest average cost of any industry at $7.4 million per incident, with vendor-related breaches averaging $4.9 million on their own.

Then there are the indirect costs such as increased cyber insurance premiums, higher staff turnover due to post-incident stress and scrutiny, and lost contracts from partners and payers who question the organization's security posture.

Furthermore, Park and Lim note that the number of healthcare data breaches in the United States more than tripled, from 199 to 744, between 2010 and 2023, with more than 500 million medical records exposed during that period.


Reputational damage

Research by Park and Lim found that patients who experience a healthcare data breach are less likely to visit hospitals in the months that follow, with breaches producing "a 4.65% decrease in the number of subsequent hospital visits" on average. Scheduled visits declined by roughly 9.55% while emergency visits dropped by around 4.63%, reflecting the fact that patients will delay discretionary or planned care before they'll avoid the emergency room. The impact was also greater when the breach was caused by a hospital employee or insider rather than an external actor, and when larger numbers of records were involved.

Importantly, Park and Lim found that the behavioral effect tends to diminish after about one year, suggesting that patients do eventually return to prior patterns. But in the short term avoidance behavior can result in delayed care, missed follow-up appointments, and worsened outcomes for patients who genuinely need treatment. For healthcare organizations, this translates directly into lost revenue at exactly the moment when operational and recovery costs are highest.


Common points of failure in disaster response

The most common compliance breakdowns occur in communication. Staff under pressure turn to whatever tools are at hand because the approved systems either aren't accessible or haven't been integrated into disaster response workflows.

Email is a recurring point of failure. The Paubox 2025 report found that 28% of all email-related breaches that year involved a vendor or business associate, and in many of those cases the covered entity experienced no direct technical failure of its own. PHI was simply transmitted through email that was assumed to be secure but left unencrypted. As EY research cited by Paubox noted, healthcare organizations report limited visibility into third-party cybersecurity controls, despite increasing reliance on vendors for core operations.

Impersonation attacks also add risk during natural disasters. As Microsoft's research, cited in the Paubox report, observed, attackers increasingly exploit trust in familiar identities rather than relying on malicious attachments or links. When disaster response teams are fielding urgent, high-volume communications from unfamiliar contacts and improvised channels, the conditions for successful impersonation increase.

Insider threats also play a role. According to Park and Lim, healthcare was historically the only sector where internal actors caused more data breaches than external ones, accounting for 59% of incidents in one major industry analysis. Their research found that breaches caused by employees had a greater impact on patient behavior than those caused by outside actors, meaning that staff shortcuts taken during a chaotic disaster response carry consequences for patient trust and retention.

Third-party coordination also creates risk. HHS is explicit that Business Associate obligations do not pause during emergencies: "A business associate of a covered entity (including a business associate that is a subcontractor) may make disclosures permitted by the Privacy Rule… to the extent authorized by its business associate agreement." Sharing PHI with disaster partners without appropriate Business Associate Agreements in place, or without verifying adequate safeguards, remains a HIPAA violation.

HHS also reminds providers that the "minimum necessary" standard continues to apply: "For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the 'minimum necessary' to accomplish the purpose." This means even legitimate emergency disclosures should be done carefully.


Integrating compliance into emergency preparedness

Healthcare organizations should invest in HIPAA-compliant communication platforms such as Paubox. As the Paubox 2025 report makes clear, the majority of email-related breaches stem from phishing, impersonation, and third-party exposure, all of which are addressable through technical controls that don't rely on users making the right call under pressure.

Practices of all sizes should also establish a formal HIPAA disaster plan before any emergency occurs. HHS offers an Emergency Preparedness Decision Tool as a starting point, though organizations should work alongside a healthcare privacy attorney to ensure the plan reflects applicable local, state, and federal guidance.

Pre-executed BAAs with likely disaster partners, pre-configured device encryption and remote-wipe capabilities, and clearly documented emergency access procedures are compliance necessities.


FAQs

Can small physician practices get any HIPAA relief during a disaster?

Unlike hospitals, physician practices and other medical providers receive no HIPAA waivers during emergencies and must maintain full compliance at all times.


What happens if a staff member uses their personal phone to share patient data during a disaster and no breach actually occurs?

The act of transmitting PHI through an unsecured personal device is itself a violation, regardless of whether the information is ever accessed by an unauthorized party.


Are verbal disclosures of patient information in evacuation centers treated the same as digital breaches?

Yes, spoken disclosures of PHI in unsecured public settings constitute HIPAA violations and carry the same potential penalties as digital breaches.
