
HIPAA lessons from recent natural disasters


According to FEMA data cited in How Many Disasters Are Declared in the US?, an average of 164 disasters are declared every year, with fires, severe storms, floods, and hurricanes accounting for the vast majority. California and Texas have each declared more than 350 disasters since 1980, averaging over seven per year. For healthcare providers, that frequency means HIPAA compliance during a natural disaster is an operational challenge that every health system will face.

Below are some of the most recent cases where HIPAA waivers were activated in response to natural disasters.

 

Texas, 2025

Severe storms, straight-line winds, and flooding struck Kerr County, Texas in 2025, overwhelming local hospitals with trauma patients and leaving family members unable to locate or receive updates on loved ones. President Trump issued a Major Disaster Declaration for Kerr County, and HHS Secretary Robert F. Kennedy, Jr. declared a public health emergency. Together, these triggered a limited waiver of specific HIPAA Privacy Rule provisions, temporarily relieving hospitals that had activated their disaster protocols of the requirement to obtain a patient's agreement before speaking with family members, to distribute notices of privacy practices, and to honor requests to opt out of facility directories.

These waivers are not automatic. They require both a formal federal declaration and a hospital's own activation of its disaster protocol. Organizations that had documented and rehearsed protocols in place could act immediately. Those that did not faced delays at the worst possible time. Every hospital should have a disaster protocol ready to activate before an emergency occurs, not drafted in response to one.

 

California Wildfires, 2025

California has declared more disasters than any other state since 1980, and the 2025 wildfires and straight-line winds added to that record. Entire communities evacuated overnight, leaving patients with chronic conditions separated from their medications, their doctors, and their medical histories. President Biden's emergency declaration and Secretary Becerra's public health emergency declaration activated the standard HIPAA waivers. Hospitals could speak with family members without prior patient consent, and the usual administrative requirements were temporarily suspended.

What California made equally clear, however, is that many critical permissions were already available without any waiver at all. Providers could share information freely with other treating providers and with public health authorities tracking injury patterns and disease risk among displaced populations, with no declaration required. Disaster relief organizations like the American Red Cross, which are not covered entities under HIPAA, could share patient location and condition information with families even more freely than hospitals could. Healthcare providers and relief organizations working side by side in the same shelter operate under different rules.

 

Washington State, 2025

Severe storms and catastrophic mudslides struck Washington State in early 2025, activating emergency declarations and HIPAA waivers. Washington has declared between 167 and 225 disasters since 1980, placing it among the most frequently affected states in the country. Yet the 2025 event highlighted a constraint that even experienced health systems can overlook: the waivers run on a strict clock.

The HIPAA sanctions waiver applies only in the declared emergency area, only to hospitals that have formally activated a disaster protocol, and only for up to 72 hours from the moment that protocol is implemented. When the declaration ends or when the 72-hour window closes, full HIPAA compliance resumes immediately for every patient still in care. A patient admitted during the waiver period who remains hospitalized two weeks later is entitled to full privacy protections from that point forward, including the right to restrict who receives information about them. Healthcare facilities in Washington had to manage that transition while still responding to an active disaster. Organizations need a plan not just for entering emergency mode but for exiting it cleanly, and that plan must exist before any emergency is declared.

 

Hurricane Helene, 2024

Hurricane Helene triggered separate federal emergency declarations for North Carolina, South Carolina, and Tennessee simultaneously. Three states were managing the same disaster, each with its own HIPAA waiver activated. Hospitals across all three states faced a shared challenge: patients transported unconscious from flooded areas, with no identification and no family present. Under the Privacy Rule, providers may share relevant information with family or others when a patient is incapacitated, provided they determine in their professional judgment that doing so is in the patient's best interest. That authority existed before the waiver and was independent of it.

Helene's scale exposed a gap that many healthcare organizations had not fully considered. Providers receiving transferred patients from neighboring states, relief workers crossing state lines, and public health authorities sharing data across jurisdictions all needed to know which rules applied where.

 

Hurricane Milton, 2024

Hurricane Milton struck Florida weeks after Helene, triggering its own emergency declaration and HIPAA waiver. Florida ranks among the most disaster-affected states in the country, and Milton tested its healthcare system. With hospital evacuations underway and patient transfers occurring under severe time pressure, the imminent danger provision of the Privacy Rule became the operative standard. Providers may share patient information with anyone necessary to prevent or lessen a serious and imminent threat to health or safety, and HIPAA explicitly defers to the professional judgment of health staff in making that determination.

The practical implication is that clinicians do not need to wait for administrative sign-off or legal review when a patient's life is at immediate risk. The law already grants them that authority.

 

What these disasters tell us

Across Texas, California, Florida, North Carolina, South Carolina, Tennessee, and Washington, the same pattern emerges: disaster overwhelms normal operations, emergency declarations unlock limited flexibility, and healthcare providers are left to make difficult judgments under pressure. With an average of 164 federal disaster declarations every year and 115 recorded through October 2025 alone, this is not a scenario healthcare organizations can treat as exceptional. It is, statistically, a near-certainty.

The legal framework governing HIPAA in emergencies is flexible, but that flexibility is only accessible to organizations that understand it in advance. Knowing which provisions are waived and which are not, understanding the permissions that apply regardless of any declaration, having protocols ready to activate, and planning for the return to full compliance are all necessary.

 

FAQs

Does HIPAA apply differently to private hospitals versus public hospitals during a disaster?

Both private and public hospitals are subject to the same HIPAA Privacy Rule requirements and benefit equally from emergency waivers, as long as they qualify as covered entities and have activated a disaster protocol.

 

Can a patient's employer request health information about them during a declared emergency?

No, an employer is not a covered entity under HIPAA and has no special right to access a patient's health information, even during a disaster.

 

What happens if a hospital shares too much patient information during the waiver period and later faces a complaint?

The waiver protects hospitals from sanctions only for the specific provisions listed; disclosures that fall outside those provisions remain subject to normal enforcement.

 

Are mental health records treated differently from general medical records during a disaster?

Mental health records, particularly psychotherapy notes, carry additional protections under HIPAA that are not lifted by emergency waivers.

 

Can patients request a copy of their medical records during a declared emergency?

Patients retain the right to access their records during a disaster, though healthcare facilities may experience practical delays in fulfilling those requests.
