According to HIPAA and Disasters: What Emergency Professionals Need to Know, "The HIPAA Privacy Rule is not suspended during a public health or other emergency; however, under certain conditions the Secretary of the U.S. Department of Health and Human Services may waive certain provisions of the HIPAA Privacy Rule under section 1135(b)(7) of the Social Security Act, if such a waiver is deemed necessary for the particular incident when the Secretary declares a public health emergency and the President declares an emergency or disaster under the Stafford Act or National Emergencies Act."
Rather than suspending HIPAA entirely, the government can modify specific requirements to carry out emergency response while preserving privacy protections. The framework remains intact, but certain procedural requirements may be temporarily adjusted to enable healthcare providers to focus on saving lives. As healthcare attorney Matt Fisher explains in TechTarget's article on HIPAA compliance during emergencies, "Just because there's an emergency doesn't mean that HIPAA should be fully disregarded. Obviously, you're going to be running and operating under more stressful circumstances. If you prepare ahead of time, then you're not going to be figuring things out on the fly and you'll be ready to hit the ground running."
According to the HHS bulletin, "When the Secretary issues such a waiver, it only applies in three specific circumstances: first, in the emergency area and for the emergency period identified in the public health emergency declaration; second, to hospitals that have instituted a disaster protocol; and third, for up to 72 hours from the time the hospital implements its disaster protocol."
The waivers operate within four boundaries:
These limitations ensure that privacy waivers serve their intended purpose without creating unnecessary or prolonged vulnerabilities in patient privacy protection. As the HHS bulletin notes, when the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.
According to the HHS, “If the President declares an emergency or disaster and the Secretary declares a public health emergency, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule:
However, the core privacy protections remain in place, including:
Under normal circumstances, 45 CFR 164.510(a) requires that a covered health care provider inform an individual of the protected health information that it may include in a directory and the persons to whom it may disclose such information (including disclosures to clergy of information regarding religious affiliation), and provide the individual with the opportunity to restrict or prohibit some or all of those uses or disclosures. During declared emergencies, however, this requirement may be waived so that healthcare facilities can maintain directories and share basic patient information without first obtaining the individual's agreement.
The regulation also provides for emergency circumstances even outside of declared public health emergencies. According to 45 CFR 164.510(a)(3), if the opportunity to object to uses or disclosures required by paragraph (a)(2) of this section cannot practicably be provided because of the individual's incapacity or an emergency treatment circumstance, a covered health care provider may use or disclose some or all of the protected health information permitted by paragraph (a)(1) of this section for the facility's directory. This provision recognizes that unconscious or critically injured patients cannot provide consent, yet their families need to be able to locate them.
Another area affected by emergency waivers involves communication with family members. Under 45 CFR § 164.510(b), a covered entity may, in accordance with paragraphs (b)(2), (b)(3), or (b)(5) of this section, disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person's involvement with the individual's health care. During emergencies, the requirements for obtaining agreement before such disclosures may be waived, allowing healthcare providers to communicate more freely with family members about their loved ones' conditions.
According to TechTarget, healthcare attorney Matt Fisher notes that "HIPAA allows pretty broad use of PHI for treatment purposes or healthcare operations. Obviously, coordination of care in the instance of a hurricane or other natural disaster can be a big issue that needs the attention of healthcare organizations."
However, the privacy protections remain in place, including safeguarding patients' medical records, protecting against unauthorized disclosures, maintaining the minimum necessary standard for information sharing, and ensuring secure transmission of protected health information. The foundation of patient privacy protection persists even when procedural requirements are temporarily modified. As attorney Melissa Markey emphasizes in the TechTarget article, "If it is possible to accommodate patient privacy rights, it's best practice to still honor them. The waiver is intended to help hospitals that are in the middle of the emergency. But we still need to respect privacy as much as we possibly can."
Even without special emergency waivers, the HIPAA Privacy Rule already includes built-in provisions for public health activities. These permissions establish that protecting public health sometimes requires information sharing that serves the broader community interest. Healthcare providers can share protected health information without individual authorization for reporting to public health authorities, tracking disease exposure, preventing or controlling disease spread, supporting public health surveillance, and implementing intervention measures.
According to 45 CFR 164.510(b)(4), a covered entity may use or disclose protected health information to a public or private entity authorized by law or by its charter to assist in disaster relief efforts, for the purpose of coordinating with such entities the notification and location of patients. This provision allows healthcare providers to work with organizations like the Red Cross to help families locate and reunite with loved ones during disasters.
Healthcare organizations should adopt several best practices to navigate HIPAA compliance during public health emergencies effectively:
According to TechTarget's article, "Planning is the best approach for healthcare organizations to ensure HIPAA compliance during an emergency. Organizations should develop and implement an emergency preparedness and response plan that contains instructions on how to comply with the HIPAA Privacy Rule and what to do if HHS issues a waiver."
Organizations that have rehearsed emergency protocols and educated their workforce can respond more effectively while maintaining appropriate privacy protections. Staff should understand not only which requirements may be waived, but also which protections remain in place regardless of the emergency situation.
Emergency preparedness plans should include clear decision-making protocols, designated privacy officers for emergency situations, communication templates for notifying families, and procedures for documenting all privacy-related decisions made during the crisis. Post-emergency review processes should evaluate how privacy was handled and identify opportunities for improvement in future responses.
As healthcare attorney Dave Gacioch advises in TechTarget, "HIPAA doesn't go away during disasters, but organizations are well-served if they plan and prepare for disasters before they occur and act during disasters in a way that puts their patients' and communities' needs first."
No, waivers only apply to covered entities that have activated their disaster protocols and are within the designated emergency area.
Waivers are temporary and typically last for the duration of the emergency period, as determined by HHS.
Yes, the HIPAA Privacy Rule already allows the sharing of protected health information for public health reporting, disease tracking, and intervention efforts.