07/09/2026 | Press release | Distributed by Public on 07/09/2026 17:50
Severe disasters impose additional challenges on healthcare providers. Often questions arise about the ability of entities covered by the HIPAA regulations to share individuals' health information, including with friends and family, public health officials, and emergency personnel. As summarized in more detail below, the HIPAA Privacy Rule allows patient information to be shared to assist in disaster relief efforts, and to assist patients in receiving the care they need. In addition, while the HIPAA Privacy Rule is not suspended during a public health or other emergency, the Secretary of HHS may waive certain provisions of the Privacy Rule under section 1135(b)(7) of the Social Security Act.
President Donald J. Trump signed an Emergency Declaration for the Northern Mariana Islands and the Territory of Guam, and Secretary Robert F. Kennedy, Jr. has declared a public health emergency to address the consequences of Typhoon Bavi. Under these circumstances, the Secretary has also exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
When the Secretary issues such a waiver, it only applies: (1) in the emergency area and for the emergency period identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.
More on HIPAA Privacy and Disclosures in Emergency Situations
Even without a waiver, the HIPAA Privacy Rule always allows patient information to be shared for the following purposes and under the following conditions.
Treatment Under the Privacy Rule, covered entities may disclose, without a patient's authorization, protected health information about the patient as necessary to treat the patient or to treat another person (who might be, for example, affected by the same emergency situation). Treatment includes the coordination or management of healthcare and related services by one or more healthcare providers and others, consultation between providers, and the referral of patients for treatment. See 45 CFR §§ 164.502(a)(1)(ii), 164.506(c), and 164.501 (the definition of "treatment").
Public Health Activities The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission. Therefore, the Privacy Rule permits covered entities to disclose needed protected health information without individual authorization, for example:
Disclosures to Family, Friends, and Others Involved in an Individual's Care and for Notification A covered entity may share protected health information with a patient's family members, relatives, friends, or other persons identified by the patient as involved in the patient's care. A covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient's care, of the patient's location, general condition, or death. This may include, where necessary to notify family members and others, the police, the press, or the public at large. See 45 CFR 164.510(b).
Imminent Danger Healthcare providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public - consistent with applicable law (such as state statutes, regulations, or case law) and the provider's standards of ethical conduct. Thus, providers may disclose a patient's health information to anyone who is in a position to prevent or lessen the threatened harm, including family, friends, caregivers, and law enforcement, without a patient's permission. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health or safety. See 45 CFR 164.512(j).
Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification Upon request for information about a particular patient by name, a hospital or other healthcare facility may release limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient's condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient. See 45 CFR 164.510(a). In general, except in the limited circumstances described elsewhere in this bulletin, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results, or details of a patient's illness, may not be done without the patient's written authorization (or the written authorization of a personal representative, who is a person legally authorized to make healthcare decisions for the patient). See 45 CFR 164.508 for the requirements for a HIPAA authorization.
Minimum Necessary For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the "minimum necessary" to accomplish the purpose. (Minimum necessary requirements do not apply to disclosures to healthcare providers for treatment purposes.) Covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose. Internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those workforce members who need it to carry out their duties. See 45 CFR §§ 164.502(b), 164.514(d).
Business Associates A business associate of a covered entity (including a business associate that is a subcontractor) may make disclosures permitted by the Privacy Rule, such as to a public health authority, on behalf of a covered entity or another business associate to the extent authorized by its business associate agreement.
Safeguarding Patient Information
In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information.
HIPAA Applies Only to Covered Entities and Business Associates
The HIPAA Privacy Rule applies to disclosures made by employees, volunteers, and other members of a covered entity's or business associate's workforce. Covered entities are health plans, healthcare clearinghouses, and those healthcare providers that conduct one or more covered healthcare transactions electronically, such as transmitting healthcare claims to a health plan. Business associates generally are persons or entities (other than members of the workforce of a covered entity) that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information. Business associates also include subcontractors that create, receive, maintain, or transmit protected health information on behalf of another business associate. The Privacy Rule does not apply to disclosures made by entities or other persons who are not covered entities or business associates (although such persons or entities are free to follow the standards on a voluntary basis if desired). Thus, for instance, the HIPAA Privacy Rule does not restrict the American Red Cross from sharing patient information. There may be other state or federal rules that apply.
Other HIPAA Resources
For more information on HIPAA and Public Health, please visit: https://www.hhs.gov/hipaa/for-professionals/special-topics/public-health/index.html
For more information on HIPAA and Emergency Preparedness and Response, please visit: https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/index.html
General information on understanding the HIPAA Privacy Rule may be found at: https://www.hhs.gov/hipaa/index.html