HIPAA and Emergencies – How to Respond

First, I hope that all of you and your loved ones are safe. Fiona and Ian have affected many places, and many have suffered so much. Prayers for all…

HIPAA Applies Only to Covered Entities and Business Associates

The HIPAA Privacy Rule applies to disclosures made by employees, volunteers, and other members of a covered entity’s or business associate’s workforce. Business associates also include subcontractors that create, receive, maintain, or transmit protected health information on behalf of another business associate. The Privacy Rule does not apply to disclosures made by entities or other persons who are not covered entities or business associates. The HIPAA Privacy Rule does not restrict the American Red Cross from sharing patient information. Keep in mind, there may be other state or federal rules that apply.

HIPAA requires every healthcare facility and business associate to have a contingency plan in place. Disasters come in many forms and place additional challenges on health care providers. Questions often arise about whether the HIPAA regulations permit sharing PHI with friends and family, public health officials, and emergency personnel. The HIPAA Privacy Rule allows patient information to be shared to assist in disaster relief efforts and to assist patients in receiving the care they need. Keep in mind that the HIPAA Privacy Rule is not suspended during a public health or other emergency; however, the Secretary of Health and Human Services may waive certain provisions of the Privacy Rule under section 1135(b)(7) of the Social Security Act.

Under these circumstances, the Secretary also has the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  • the requirement to honor a request to opt out of the facility directory.
  • the requirement to distribute a notice of privacy practices.
  • the patient’s right to request privacy restrictions.
  • the patient’s right to request confidential communications.

When the Secretary issues such a waiver, it only applies:

(1) in the emergency area and for the emergency period identified in the public health emergency declaration

(2) to hospitals that have instituted a disaster protocol

(3) for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.

HIPAA Privacy and Disclosures in Emergency Situations

Under the HIPAA Privacy Rule, a waiver is not required to share protected health information (PHI) for the following purposes and under the following conditions.

Treatment

Covered entities may disclose, without a patient’s authorization, PHI about the patient as necessary to treat the patient. Treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment.

Public Health Activities

The HIPAA Privacy Rule recognizes the need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission. Therefore, the Privacy Rule permits covered entities to disclose needed PHI without an authorization, for example:

  • To a public health authority. A “public health authority” is an agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or an Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. For example: the Centers for Disease Control and Prevention (CDC) or a state or local health department.
  • At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority.
  • To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.

Minimum Necessary

A covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose.

Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification

A covered entity may share PHI with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care.

  • When possible, the covered entity should get verbal permission from the patient or otherwise be able to reasonably infer that the patient does not object.
  • If the person is incapacitated or not available, covered entities may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest.
  • For patients who are unconscious or incapacitated: A health care provider may share relevant information about the patient with family, friends, or others involved in the patient’s care or payment for care, if the health care provider determines, based on professional judgment, that doing so is in the best interests of the patient.

A covered entity may share PHI with disaster relief organizations, such as the American Red Cross, that are authorized by law to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care. A patient’s permission is not required in this situation if obtaining it would interfere with the organization’s ability to respond to the emergency.

Imminent Danger

HIPAA expressly defers to the professional judgment of health care professionals in making determinations about the nature and severity of the threat to health or safety. Covered entities may share PHI with anyone to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct.

Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification

Upon request for information about a particular patient by name, a hospital or other health care facility may release limited facility directory information to acknowledge that an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient. Reports to the media about a specific patient, or the disclosure of specific information about treatment of a specific patient, such as tests, test results, or details of a patient’s illness, may not be made without the patient’s written authorization (or the written authorization of a personal representative, who is a person legally authorized to make health care decisions for the patient).

Business Associates

A business associate of a covered entity (including a business associate that is a subcontractor) may make disclosures permitted by the Privacy Rule, such as to a public health authority, on behalf of a covered entity or another business associate to the extent authorized by its business associate agreement.

Safeguarding Patient Information

In an emergency, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information. Safeguard all patient information as if it were your own.

If you have questions about other areas, please do not hesitate to contact us!


“Simplifying HIPAA through Automation, Education, and Support”

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that clients who understand why and what needs to be done to protect their practice have better outcomes.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations on how to minimize the risks of data breaches. HIPAA compliance is not an option; it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!
