HIPAA Privacy Rule Exceptions Checklist: Public Health, Law Enforcement, Emergencies
If you handle Protected Health Information (PHI) as a covered entity or business associate, you need clear guardrails for urgent scenarios. Use this checklist to apply the HIPAA Privacy Rule exceptions for public health, law enforcement, and emergencies while staying aligned with the minimum necessary standard, Privacy Rule Waivers, and facility directory rules.
Public Health Disclosures
You may disclose PHI to Public Health Authorities authorized by law to collect or receive such information to prevent or control disease, injury, or disability. This includes reporting diseases and vital events and conducting public health surveillance, investigations, or interventions.
- Report notifiable conditions, exposures, and adverse events required by law.
- Provide data to entities overseeing product safety and quality (for example, to monitor adverse events or recalls).
- Notify individuals who may have been exposed or are at risk when authorized by law to protect public health.
- Share limited PHI with employers for workplace medical surveillance or work-related illness/injury, when conditions are met and with appropriate employee notice.
Document the legal authority for each disclosure and limit the PHI to what the public health purpose requires. The minimum necessary standard applies to these disclosures.
Law Enforcement Disclosures
Disclosures to law enforcement are permitted without authorization in narrowly defined circumstances. Always verify the identity and authority of the requester and disclose only the information permitted for the stated purpose.
- Respond to a court order, warrant, or summons; or to an administrative request that is specific, limited in scope, and relevant and material to a legitimate inquiry.
- Provide limited identifiers to locate or identify a suspect, fugitive, material witness, or missing person (for example, name, address, date and place of birth, Social Security number).
- Share information about a crime victim with the person’s agreement; if the individual is incapacitated, limited disclosures may be made when law enforcement needs the information and it is not against the person’s best interests.
- Report information about a decedent when death may have resulted from criminal conduct.
- Disclose PHI that you believe in good faith is evidence of criminal conduct that occurred on your premises.
- Report a crime in an emergency, including the location of the crime or victims and the identity, description, or location of the perpetrator.
Minimum necessary applies to law enforcement disclosures (except where a court order or law requires specific information). Consider state law that may be more protective and document your rationale.
Emergency Situations
During emergencies, you may use or disclose PHI for treatment, payment, and health care operations. For treatment, the minimum necessary standard does not apply, enabling timely care coordination and information sharing among providers.
You may share PHI with a patient’s family, friends, or others involved in care or payment when the patient agrees, or—if the patient is incapacitated—when, in your professional judgment, it is in the patient’s best interests. You may also disclose to disaster relief organizations to coordinate notification of family or others responsible for the patient’s care.
When feasible, give the patient the opportunity to agree or object once the emergency subsides, and record the decision-making that supported your disclosures.
Minimum Necessary Standard
The minimum necessary standard requires you to limit PHI uses, disclosures, and requests to the least amount needed to accomplish the purpose. Adopt role-based access, standard request forms, and data segmentation to enforce this principle.
- Applies to: most routine public health and law enforcement disclosures, health plan operations, and internal uses not related to treatment.
- Does not apply to: disclosures for treatment, disclosures to the individual, uses or disclosures pursuant to an authorization, disclosures required by law, and disclosures to the Secretary of Health and Human Services for compliance investigations.
When the standard applies in emergencies, share only what responders or officials need to act effectively. If a law or court order specifies the information, disclose what is required and no more.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Waiver of HIPAA Sanctions
During a declared emergency, the Secretary of Health and Human Services may issue Privacy Rule Waivers under Section 1135 of the Social Security Act. These waivers suspend sanctions and penalties for noncompliance with specific provisions, and they apply only to providers in the emergency area that have activated their disaster protocols.
- Provisions that may be waived: obtaining a patient’s agreement to speak with family/friends; honoring Facility Directory Restrictions (patient opt-out); distributing the Notice of Privacy Practices; honoring a patient’s request for restrictions; and honoring a request for confidential communications.
- Time limits: generally up to 72 hours from when a hospital implements its disaster protocol, and only while the emergency declaration is in effect.
Waivers are narrow and temporary. All other Privacy Rule requirements remain in force, and full compliance resumes once the waiver period ends.
Facility Directory Information
Hospitals and similar facilities may maintain a directory with a patient’s name, location, general condition, and religious affiliation. You may disclose directory information to those who ask for the patient by name and to clergy, consistent with the patient’s preferences.
Give the patient the opportunity to agree, object, or restrict what appears in the directory. If the patient is incapacitated, use professional judgment to decide what is in the patient’s best interests. Facility Directory Restrictions (including a patient’s opt-out) normally must be honored, unless a valid Privacy Rule Waiver is in effect during an emergency.
Serious Threats to Health or Safety
The HIPAA Privacy Rule allows disclosures to prevent or lessen a serious and imminent threat to health or safety—the Imminent Threat Exception. You may share PHI, in good faith, with persons reasonably able to reduce the threat, including law enforcement, family members, or others.
Ensure the disclosure is consistent with applicable law and your ethical obligations, and limit the PHI to what the recipient needs to act. Document your assessment and the parties who received the information.
FAQs
What are the main exceptions to the HIPAA Privacy Rule?
Key exceptions permit PHI disclosures for public health activities, certain law enforcement purposes, emergencies and disaster relief, averting a serious and imminent threat, facility directories, and as required by law or court order. Some patient rights and obligations may be temporarily eased under Privacy Rule Waivers during declared emergencies.
How can PHI be disclosed during public health emergencies?
You may disclose PHI to Public Health Authorities for surveillance, investigation, and intervention; to disaster relief organizations for notifications; and to individuals at risk when authorized by law. If the Secretary of Health and Human Services issues a waiver, specified obligations (such as honoring certain restrictions or obtaining agreement to speak with family) may be temporarily relaxed, but all disclosures should still be targeted to the minimum necessary.
When can law enforcement access PHI without authorization?
Access is allowed when responding to a court order or warrant, meeting strict conditions for administrative requests, locating a suspect or missing person with limited identifiers, assisting a crime victim, reporting a death potentially due to crime, addressing evidence of a crime on the premises, or reporting a crime in an emergency. Disclosures to avert a serious and imminent threat are also permitted when consistent with law.
What does the minimum necessary standard require during emergencies?
It requires you to share only the PHI needed for the purpose, even in urgent situations. The standard does not apply to treatment, disclosures to the individual, authorized disclosures, disclosures required by law, or disclosures to HHS for compliance. For all other emergency-related uses or disclosures, limit the information to what recipients need to act safely and effectively.