Privacy and Security in Disasters or Emergencies

Families searching for loved ones in a presidentially declared disaster, whether a hurricane, tornado, earthquake or an unnatural disaster, should not also have to overcome HIPAA privacy roadblocks. As our nation winds down the Midwestern tornado season and steps up hurricane season, review the guidance issued by DHHS after hundreds of thousands of citizens displaced by Hurricanes Katrina and Rita tried to locate loved ones.

Privacy and Security in Disasters or Emergency Guidance

If the president declares an emergency or disaster and the secretary of HHS declares a public health emergency, the secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule, as noted here:

» the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care (45 CFR 164.510(b));

» the requirement to honor a request to opt out of the facility directory (45 CFR 164.510(a));

» the requirement to distribute a notice of privacy practices (45 CFR 164.520);

» the patient’s right to request privacy restrictions (45 CFR 164.522(a)); and

» the patient’s right to request confidential communications (45 CFR 164.522(b)).

When and to what entities does the waiver apply?

If the secretary issues such a waiver, it only applies:

» in the emergency area and for the emergency period identified in the public health emergency declaration.

» to hospitals that have instituted a disaster protocol. The waiver would apply to all patients at such hospitals.

» for up to 72 hours from the time the hospital implements its disaster protocol.

When the presidential or secretarial declaration terminates, a hospital must then comply with all requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.

Regardless of the activation of an emergency waiver, the HIPAA Privacy Rule permits disclosures for treatment purposes and certain disclosures to disaster relief organizations. For instance, the Privacy Rule allows covered entities to share patient information with the American Red Cross so it can notify family members of the patient’s location. See 45 CFR 164.510(b)(4). This guidance is available online at

Need help with Emergency Planning?

The following websites offer federally-developed planning tools.

1. Office for Civil Rights (OCR), the agency named to oversee privacy of confidential health information. This is HHS’s primary site for assisting you in emergency preparedness and disaster recovery planning and response. At its Web site, OCR provides links to its own planning documents and also provides links to other agencies inside and outside of HHS that have developed disaster recovery guidance tools (see number 2 in this list); other links will take you to the National Aging Network.

2. Agency for Healthcare Research and Quality. At AHRQ’s Web site, you will find links to multiple tools and resources to assist in response and recovery efforts. Those that are most likely to affect a physician practice include:

a. Personal protective equipment, decontamination, isolation/quarantine, and laboratory capacity

b. Computer staffing model for disaster preparedness response

c. Alternate site locator

d. Health Emergency Assistance Line and Triage Hub model

3. Decision tool to help you determine who, when, and how health information can be disclosed in emergencies. That tool is available at
