HIPAA Security and Privacy

In light of the recent weather disasters that have been hitting the Gulf Coast and beyond, it’s important to keep in mind the application of HIPAA regulations during and after a natural disaster.

The HIPAA Security Rule is not suspended during a national or public health emergency. In other words, covered entities and business associates are required, under the Security Rule, to protect against any reasonably anticipated threats or hazards to the security or integrity of electronic protected health information (e-PHI) that they create, receive, maintain or transmit. Other provisions of the Security Rule require covered entities to implement security measures that specifically contemplate emergency conditions. For example, covered entities must have contingency plans, including disaster recovery and emergency mode operation plans that establish policies and procedures for responding to an emergency or other occurrence (fire, system failure and natural disaster) that damages systems that contain e-PHI.

Parts of the HIPAA Privacy Rule may be waived during a national or public health emergency. If the president declares an emergency or disaster, and the secretary of the U.S. Department of Health and Human Services (HHS) declares a public health emergency, the secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule, including the requirement to distribute a notice of privacy practices and the patient’s right to request privacy restrictions or confidential communications. If the secretary issues such a waiver, it only applies: (1) in the emergency area and for the emergency period identified in the public health emergency declaration, and (2) to hospitals that have instituted a disaster protocol for up to 72 hours from the time the hospital implements that protocol. Regardless of the activation of an emergency waiver, the HIPAA Privacy Rule permits disclosures for treatment purposes and certain disclosures to disaster relief organizations. For instance, the Privacy Rule allows covered entities to share patient information with the American Red Cross so it can notify family members of the patient’s location.

HHS has released a bulletin to help guide covered entities through declared emergencies, such as the aftermath of Hurricane Harvey. The full bulletin can be found here: