HIPAA and Disaster Response: What Patient Privacy Rules Apply During Emergencies


Kevin Henry

HIPAA

January 02, 2026

6 minute read

When emergencies strike, you still have to protect Protected Health Information (PHI). This guide explains which patient privacy rules apply during emergencies, how waivers work, what you may share with relief groups, and how to keep security and incident response on track.

HIPAA Privacy Rule in Emergencies

Permitted uses and disclosures without authorization

During a disaster, you may use and disclose PHI for treatment, to coordinate care, and to consult with other providers. You may also share PHI with public health authorities, to avert a serious and imminent threat, and for certain law-enforcement purposes allowed by the Privacy Rule.

Caregivers, family, and patient notification

You may disclose a patient’s location, general condition, or death to family, friends, and others involved in the patient’s care or payment. If the patient is present, give an opportunity to agree or object; if the patient is incapacitated, rely on professional judgment to determine if the disclosure is in the patient’s best interests.

Facility directories and media inquiries

If your facility directory is active, you may confirm a patient’s location and general condition to someone who asks for the patient by name, unless the patient objects. Do not share clinical details or lists of patients with the media; keep disclosures limited and purposeful.

Waiver of HIPAA Provisions

Public Health Emergency Waiver under Section 1135

When both a national emergency and a public health emergency are declared, the HHS Secretary may issue a Public Health Emergency Waiver. This is a narrow waiver of sanctions and penalties for specific Privacy Rule provisions and does not suspend HIPAA.

What the limited waiver may cover

  • Obtaining a patient’s agreement to speak with family or friends involved in care.
  • Honoring a patient’s request to opt out of the facility directory.
  • Distributing a Notice of Privacy Practices at the point of service.
  • Honoring a patient’s request for privacy restrictions or for confidential communications.

All other HIPAA requirements remain in force. You must still protect PHI, follow the Minimum Necessary Standard where applicable, and document your actions.

Limited Waiver Duration

Time, place, and protocol conditions

A HIPAA limited waiver applies only to covered hospitals in the emergency area that have completed Disaster Protocol Implementation, and it lasts for up to 72 hours from the moment the hospital implements its disaster protocol. When the 72 hours expire—or when the emergency declaration ends—standard HIPAA obligations resume immediately.

If your site never activates its disaster protocol, the waiver does not apply. Business associates are not covered by the limited waiver and must comply with their agreements throughout the emergency.

Disclosure to Disaster Relief Organizations

Coordinating family reunification and assistance

You may share PHI with disaster relief organizations, such as community or national relief agencies, to coordinate notification of family, locate missing persons, or facilitate services. Limit disclosures to what is necessary for the relief effort—typically a patient’s name, general condition, location, or death status. This Disaster Relief Organization Disclosure can be made based on your professional judgment when the patient is unable to agree.

Respecting patient preferences where possible

When feasible, inform the patient and allow an opportunity to object. If the patient objects or it would not be in the patient’s best interests, do not disclose. Document your decision-making and the minimum data shared.

Minimum Necessary Rule

Applying the Minimum Necessary Standard

Outside of treatment disclosures, you must limit PHI uses, disclosures, and requests to the minimum necessary to accomplish the purpose. This Minimum Necessary Standard still applies in emergencies to public health reporting, relief coordination, and most operations.

Practical controls you can use

  • Role-based access and emergency access procedures to prevent overexposure of PHI.
  • Standardized “disclosure bundles” for relief agencies that contain only location and general condition.
  • Redaction and de-identification where full identifiers are unnecessary.
  • Quick-reference checklists so staff know what can be shared and with whom.
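The "disclosure bundle" control above, as an added example that is not part of the original article: a small function that strips a patient record down to the fields relief coordination typically needs, honours a patient objection, and writes an audit entry for every decision. The record layout, field names and audit format are assumptions for the example, not anything the article specifies.

```python
"""Added example: build a minimum-necessary disclosure bundle for a
disaster relief organization and document the decision.

Assumptions (not from the article): the patient record is a dict with the
field names below, and the audit log is a plain list of dicts.
"""
from datetime import datetime, timezone

# The details the article says relief coordination typically needs.
RELIEF_BUNDLE_FIELDS = ("name", "location", "general_condition", "deceased")

# Constructed sample record; every field outside the bundle must stay private.
SAMPLE_RECORD = {
    "name": "Sample Patient",
    "mrn": "000000",                 # identifier not needed for reunification
    "location": "Shelter B, Hall 2",
    "general_condition": "stable",
    "deceased": False,
    "diagnosis": "clinical detail that must not be shared",
    "insurance_id": "X-0000",
}


def _audit(recipient, disclosed, reason):
    # Record what was shared, with whom and why (the article asks you to
    # document decision-making and the minimum data shared).
    return {"when": datetime.now(timezone.utc).isoformat(),
            "recipient": recipient, "fields": disclosed, "reason": reason}


def build_relief_bundle(record, patient_objects=None, audit_log=None,
                        recipient="relief-org"):
    """Return only the minimum-necessary fields, or None if the patient objected.

    patient_objects: True/False when the patient could be asked, None when the
    patient is unable to agree (the caller has applied professional judgment).
    """
    if patient_objects is True:
        if audit_log is not None:
            audit_log.append(_audit(recipient, (), "patient objected"))
        return None
    bundle = {k: record[k] for k in RELIEF_BUNDLE_FIELDS if k in record}
    reason = ("patient agreed" if patient_objects is False
              else "patient unable to agree; professional judgment")
    if audit_log is not None:
        audit_log.append(_audit(recipient, tuple(bundle), reason))
    return bundle
```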

Security Rule Continuity Requirements

Keep ePHI secure while care continues

The Security Rule does not pause in a disaster. Continue safeguarding ePHI with administrative, physical, and technical measures appropriate to your environment, even when operating in emergency mode or at alternate sites.

Contingency Planning essentials

  • Data backup plan, disaster recovery plan, and emergency mode operations plan (test and revise them regularly).
  • Emergency access procedures for clinicians, with break-glass auditing.
  • Alternate communications, power, and secure remote access for telehealth or offsite triage.
  • Device and media controls for rapid deployment (encryption, wipe, chain of custody).
  • Vendor and Business Associate continuity, including downtime data exchange and incident reporting.
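The "emergency access procedures for clinicians, with break-glass auditing" item above, as an added example that is not from the article: a minimal break-glass control that only issues grants while the facility is in emergency mode, expires them after a fixed window, and audits every grant, use and denial. The emergency-mode flag, the grant window and the audit record shape are assumptions made for the example.

```python
"""Added example: break-glass emergency access with auditing and expiry.

Assumptions (not from the article): the facility sets an emergency-mode flag,
grants expire after GRANT_TTL, and the audit trail is an append-only list.
"""
from datetime import datetime, timedelta, timezone

GRANT_TTL = timedelta(hours=4)                         # assumed policy window
T0 = datetime(2026, 1, 2, 9, 0, tzinfo=timezone.utc)   # fixed clock for demos


class BreakGlass:
    def __init__(self, emergency_mode=False):
        self.emergency_mode = emergency_mode
        self.grants = {}    # user -> (expires_at, reason)
        self.audit = []     # append-only audit events

    def _log(self, event, user, **extra):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, "user": user, **extra})

    def request(self, user, reason, now=None):
        """Grant temporary access only in emergency mode and with a reason."""
        now = now or datetime.now(timezone.utc)
        if not self.emergency_mode or not reason.strip():
            self._log("break_glass_denied", user, reason=reason)
            return False
        expires = now + GRANT_TTL
        self.grants[user] = (expires, reason)
        self._log("break_glass_granted", user, reason=reason,
                  expires=expires.isoformat())
        return True

    def access(self, user, patient_id, now=None):
        """Allow a PHI read under an unexpired grant; audit every attempt."""
        now = now or datetime.now(timezone.utc)
        grant = self.grants.get(user)
        if grant is None or now >= grant[0]:
            self.grants.pop(user, None)   # drop expired grants on first use
            self._log("phi_access_denied", user, patient=patient_id)
            return False
        self._log("phi_access", user, patient=patient_id, reason=grant[1])
        return True
```

The audit list is what a reviewer reads after the event: each break-glass use should be reconciled against the documented emergency window, and accesses that were denied or fell outside it are the ones to investigate.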

Documenting Disaster Protocol Implementation

Record when emergency protocols start and end, who authorized them, and which safeguards changed. This evidence supports your legal footing for any waiver period and shows reasonable compliance efforts.

Incident Response and Breach Notification

Respond fast, contain, and investigate

Activate your incident response plan at the first sign of unauthorized access, loss, or disclosure of PHI. Isolate affected systems, preserve logs, and begin a risk assessment that examines the nature of PHI, who received it, whether it was viewed or acquired, and the extent to which risk was mitigated.

Breach Notification Rule duties

If there is a breach of unsecured PHI, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For breaches affecting 500 or more individuals in a state or jurisdiction, notify HHS and prominent media; for fewer than 500, report to HHS no later than 60 days after the end of the calendar year. Encryption that renders PHI unreadable provides a safe harbor from “unsecured” breach status.

Post-incident improvements

Close the loop with corrective actions: refine access controls, retrain staff, update contingency plans, and test your changes. Track incidents and decisions to demonstrate ongoing compliance.

Summary

In disasters, HIPAA remains largely intact: disclose for treatment and safety, share limited details with relief organizations, and apply the Minimum Necessary Standard. Any Public Health Emergency Waiver is narrow, time-bound, and tied to documented disaster protocols. Keep the Security Rule active through strong Contingency Planning, and if something goes wrong, follow the Breach Notification Rule promptly and thoroughly.

FAQs

What HIPAA rules apply during disasters?

The Privacy Rule still allows disclosures for treatment, public health, serious threat mitigation, certain law-enforcement purposes, and limited facility directory information. Most requirements remain in force; only specific provisions may be waived, and only under narrow, time-limited conditions.

How long do HIPAA waivers last in emergencies?

A limited waiver tied to a declared emergency generally lasts up to 72 hours from a hospital’s Disaster Protocol Implementation and only in the emergency area. When the emergency declaration or the 72-hour window ends, full compliance resumes immediately.

Can PHI be disclosed to relief organizations?

Yes. You may share a patient’s name, location, general condition, or death status with disaster relief organizations to coordinate family notification and assistance. Disclose only what is necessary and, when possible, give the patient a chance to agree or object.

What training is required for HIPAA compliance in emergencies?

Provide role-based training that covers emergency disclosures, the Minimum Necessary Standard, disaster relief coordination, Security Rule contingency procedures, and your incident response and Breach Notification Rule steps. Reinforce with drills, quick-reference guides, and just-in-time refreshers during activation.
