HIPAA and Emergency Declarations: What Changes, What Doesn’t, and How to Stay Compliant
Overview of HIPAA Emergency Waivers
When federal authorities declare an emergency, HIPAA does not disappear. Instead, the Secretary of Health and Human Services (HHS) may issue a targeted Section 1135 Waiver that temporarily relaxes a few Privacy Rule requirements so hospitals can prioritize life-saving care. Most HIPAA obligations, including the Security Rule and Breach Notification Rule, remain fully in effect.
Think of emergency waivers as narrow adjustments to documentation and patient-facing formalities. Core Privacy Rule protections, the Security Rule’s safeguard standards, and long-standing Privacy Rule Exceptions for treatment, public health reporting, and averting serious threats still govern how you use and disclose protected health information (PHI).
These waivers operate within a broader federal emergency framework that can also involve tools like the Project Bioshield Act and other public health authorities. Your compliance posture should anticipate how these frameworks intersect with HIPAA so your teams can move quickly without compromising patient privacy.
Specific Provisions Subject to Waiver
Privacy Rule items commonly waived under a Section 1135 Waiver
- Patient right to request privacy restrictions (you may defer honoring new restrictions while crisis care is active).
- Patient right to request confidential communications by alternative means or locations.
- Requirements to distribute a Notice of Privacy Practices at the point of care.
- Opportunity for patients to agree or object to inclusion in a facility directory.
- Patient agreement before speaking with family, friends, or others involved in care or payment.
These limited waivers reduce administrative friction; they do not authorize blanket disclosures. Uses and disclosures must still align with HIPAA allowances (for example, treatment, public health reporting, or serious threat scenarios) and with your existing policies as adapted for emergency operations.
Importantly, the Security Rule is not waived. You must maintain reasonable and appropriate safeguards for electronic PHI (ePHI), even while you triage patients and reconfigure operations under pressure.
Limits and Duration of Waivers
Triggering conditions
A HIPAA waiver is not automatic. HHS must issue it, and it applies only to covered entities in the declared emergency area and under the conditions outlined by HHS. Many of these waivers are specifically framed for hospitals actively operating in disaster conditions.
Time limits tied to Disaster Protocol Implementation
Under a typical Section 1135 Waiver, the relief for the waived Privacy Rule items lasts up to 72 hours from the moment your hospital initiates Disaster Protocol Implementation. The relief ends sooner if the emergency declaration terminates. Outside that window, or if your facility is not operating under disaster protocols, the standard HIPAA requirements resume in full.
Keep careful records: document when disaster protocols start and stop, which locations are affected, and what specific provisions you relied on. That documentation underpins your ability to demonstrate that any waived practices were time-bound and necessary.
Continuing Application of the Minimum Necessary Rule
The Minimum Necessary Standard still applies during emergencies for most uses and disclosures—such as operations, payment, media inquiries, and many public health reports. You should share only the PHI reasonably needed for the purpose at hand and adopt practical steps (for example, role-based access and “need-to-know” prompts) to enforce that limit in real time.
Some disclosures are not subject to minimum necessary, including those for treatment, those made directly to the patient, and those to HHS for compliance oversight. For all other scenarios, train staff to apply a quick, structured judgment: identify the goal, select the smallest data set that satisfies it, and document any deviations you must take due to situational constraints.
Safeguarding PHI During Emergencies
Administrative Safeguards to anchor Security Rule Compliance
- Activate your emergency mode operations plan with clear decision rights, on-call privacy and security leads, and a just-in-time briefing for frontline teams.
- Reinforce workforce training on permitted disclosures, Minimum Necessary Standard, and patient conversations in high-traffic areas.
- Stand up an incident command privacy desk to answer questions fast and log determinations for after-action review.
- Reconfirm Business Associate workflows for telehealth, cloud collaboration, and emergency data exchanges; ensure you can track any nonroutine disclosures.
- Use sanctioned scripts for family updates, public health reports, and media inquiries to keep messaging consistent and compliant.
Technical and physical controls under pressure
- Require unique credentials, enforce timeouts, and use “break-glass” access with audit trails for emergency lookups.
- Encrypt ePHI at rest and in transit; route remote access through VPN or equivalent secure channels.
- Harden mobile devices with MDM, remote wipe, and minimal local storage; issue loaners configured for emergency roles.
- Protect paper PHI: limit printing, secure temporary work areas, and set up labeled bins for prompt shredding or secure return.
- Maintain resilient backups and power contingencies so ePHI remains available and intact despite outages or facility moves.
Security Rule Compliance is achievable during crises when you emphasize essentials: access control, transmission security, activity logs, contingency planning, and rapid user provisioning and deprovisioning tied to response roles.
Compliance Strategies for Covered Entities
Before an emergency
- Pre-map emergency disclosures: treatment coordination, public health, law enforcement, and other Privacy Rule Exceptions you may invoke.
- Run tabletop exercises that stress-test Minimum Necessary decision-making and surrogate decision-maker communications.
- Stage compliant telehealth and collaboration platforms; pre-clear Business Associates and escalation paths.
- Prepare surge-ready Notices of Privacy Practices and signage that explain temporary processes.
- Track evolving federal frameworks—such as the Project Bioshield Act mechanisms for emergency medical countermeasures—so you can align PHI flows with those operations if activated.
During response
- Formally record Disaster Protocol Implementation start/stop times and the locations it covers.
- Apply the Section 1135 Waiver only to the listed Privacy Rule elements and only within the permitted window.
- Use role-based access, checklists, and quick-reference matrices so staff share the minimum data needed for each task.
- Centralize public health reporting to avoid duplication and ensure consistent data minimization.
- Continuously monitor logs for unusual access patterns and remediate promptly.
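The time-window, location and provision checks described under "Time limits tied to Disaster Protocol Implementation" and in the "During response" list above, as an added example that is not part of the original article: a small Python after-action review over constructed disclosure log entries. The provision key names, the event record fields and the sample timestamps are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# The five Privacy Rule items the article lists as waivable; key names are assumptions.
WAIVABLE_PROVISIONS = {
    "request_restrictions", "confidential_communications", "notice_of_privacy_practices",
    "facility_directory_opt_out", "family_friends_agreement",
}
WAIVER_WINDOW = timedelta(hours=72)  # relief runs from Disaster Protocol Implementation start

@dataclass
class DisasterProtocol:
    start: datetime
    stop: Optional[datetime]  # None while disaster protocols are still active
    locations: set

def waiver_end(protocol: DisasterProtocol, declaration_end: Optional[datetime]) -> datetime:
    """72h after protocol start, or earlier if protocols stop or the declaration ends."""
    end = protocol.start + WAIVER_WINDOW
    if protocol.stop is not None:
        end = min(end, protocol.stop)
    if declaration_end is not None:
        end = min(end, declaration_end)
    return end

def review_event(event: dict, protocol: DisasterProtocol,
                 declaration_end: Optional[datetime]) -> Optional[str]:
    """Return a finding if a logged reliance on the waiver is not supportable, else None."""
    if event["provision"] not in WAIVABLE_PROVISIONS:
        return f"{event['id']}: '{event['provision']}' is not a waivable Privacy Rule item"
    if event["location"] not in protocol.locations:
        return f"{event['id']}: {event['location']} was not operating under disaster protocols"
    if not protocol.start <= event["time"] < waiver_end(protocol, declaration_end):
        return f"{event['id']}: relied on the waiver outside the permitted window"
    return None

def review_log(events, protocol, declaration_end):
    # Findings for the after-action review; an empty list means every entry checks out.
    return [f for f in (review_event(e, protocol, declaration_end) for e in events) if f]

# Constructed sample data for illustration only.
PROTOCOL = DisasterProtocol(datetime(2024, 3, 1, 8, 0), None, {"Main Campus ED"})
DECLARATION_END = datetime(2024, 3, 3, 12, 0)  # declaration terminates before the 72h mark
EVENTS = [
    {"id": "e1", "time": datetime(2024, 3, 1, 9, 0), "location": "Main Campus ED",
     "provision": "notice_of_privacy_practices"},  # supportable
    {"id": "e2", "time": datetime(2024, 3, 3, 13, 0), "location": "Main Campus ED",
     "provision": "facility_directory_opt_out"},  # after the declaration ended
    {"id": "e3", "time": datetime(2024, 3, 1, 9, 0), "location": "Main Campus ED",
     "provision": "security_rule_encryption"},  # the Security Rule is never waived
    {"id": "e4", "time": datetime(2024, 3, 1, 9, 0), "location": "North Clinic",
     "provision": "family_friends_agreement"},  # site not under disaster protocols
]
```

Running `review_log(EVENTS, PROTOCOL, DECLARATION_END)` returns findings for e2, e3 and e4 only.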
After the event
- Deactivate emergency protocols, announce the return to full HIPAA procedures, and retrain staff as needed.
- Conduct an after-action review: reconcile disclosures, validate audit trails, and remediate any control gaps.
- Update policies, vendor agreements, and training materials to reflect lessons learned and strengthen future readiness.
Role of HHS in Emergency Declarations
HHS leads the federal health response. The Secretary may declare or recognize public health emergencies, issue targeted HIPAA waivers under Section 1135, and publish guidance that clarifies how covered entities can share PHI for treatment, public health activities, and serious threat mitigation. The Office for Civil Rights (OCR) enforces HIPAA, issues bulletins, and may exercise enforcement discretion to remove barriers that do not affect patient privacy fundamentals.
HHS also coordinates with partners across the federal enterprise. Its work can intersect with authorities that expedite medical countermeasures (for example, those supported by the Project Bioshield Act), necessitating clear channels for timely, minimum-necessary data sharing with public health and response agencies.
Conclusion
In emergencies, HIPAA remains firmly in place with a narrow, time-limited waiver for a few Privacy Rule formalities. Your path to compliance is straightforward: confirm whether a Section 1135 Waiver applies, document Disaster Protocol Implementation, keep using the Minimum Necessary Standard, and maintain Security Rule safeguards. With prepared processes, trained teams, and disciplined documentation, you can deliver urgent care while protecting patient privacy.
FAQs
What HIPAA provisions can be waived during emergency declarations?
Under a Section 1135 Waiver, HHS may waive sanctions and penalties for five Privacy Rule items: honoring requests for restrictions, honoring requests for confidential communications, distributing the Notice of Privacy Practices at the point of care, obtaining patient agreement or objection to inclusion in a facility directory, and obtaining patient agreement before speaking with family or friends involved in care. The waiver is narrow; other HIPAA requirements, including the Security Rule and core Privacy Rule standards, remain in effect.
How long do HIPAA waivers last in a public health emergency?
For hospitals operating under disaster conditions, the waiver for the specified Privacy Rule provisions typically lasts up to 72 hours from the time Disaster Protocol Implementation begins. It ends sooner if the applicable emergency declaration terminates. Outside that window—or if your facility is not operating under disaster protocols—standard HIPAA rules fully apply.
What safeguards must covered entities maintain during emergencies?
You must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect ePHI. Prioritize access controls, secure remote connectivity, encryption, logging, contingency planning, and rapid workforce training. Continue to apply the Minimum Necessary Standard for most non-treatment disclosures, and centralize high-volume activities like public health reporting to keep data sharing consistent and controlled.