The Hurricane That Exposed a Hospital's HIPAA Blind Spot
In the aftermath of Hurricane Katrina, hospitals across the Gulf Coast scrambled to reunite patients with family members. Staff shared patient locations over open phone lines. Whiteboards with patient names appeared in hallways. Volunteers without training accessed medical records to coordinate transfers. Nobody stopped to ask whether any of it was legal.
Emergency management in hospital settings creates a dangerous illusion: that HIPAA pauses when disaster strikes. It doesn't. And I've watched organizations learn that lesson the hard way — sometimes years after the crisis has passed.
This post breaks down exactly how HIPAA applies during hospital emergencies, what you can and can't share, and the specific steps your facility needs to take before the next disaster hits your door.
HIPAA Doesn't Have a Pause Button During Emergencies
I hear this myth constantly: "HIPAA gets waived during emergencies." It's a half-truth that causes real damage. The HHS Secretary can issue a limited waiver under the PREP Act or Section 1135 of the Social Security Act. But that waiver is narrow — it only covers specific provisions, only for specific hospitals in the emergency area, and only for a limited time.
Even when a waiver is active, it doesn't suspend the entire Privacy Rule. It typically covers requirements like obtaining patient acknowledgment of the Notice of Privacy Practices, patient requests to restrict disclosures, and the requirement to distribute the Notice of Privacy Practices. That's it. The core obligation to protect PHI remains fully intact.
HHS published detailed guidance on this exact topic, available on their emergency preparedness page. If you haven't read it, bookmark it now.
What You Can Share — and With Whom — During a Hospital Emergency
Here's the part that actually matters for your clinical and administrative staff. Even without a waiver, HIPAA already permits several types of disclosures during emergencies. You don't need new authority. You need your workforce to understand the authority they already have.
Disclosures for Treatment
Sharing PHI with other healthcare providers for treatment purposes is always permitted under HIPAA. During a mass casualty event, this means your ER team can share patient information with receiving facilities, EMS, and specialists without a specific patient authorization. This doesn't change during a disaster — it's business as usual.
Disclosures to Family Members and Friends Involved in Care
Under 45 CFR § 164.510(b), a covered entity can share relevant PHI with a family member, relative, or close friend involved in the patient's care — or with someone identified by the patient. If the patient is incapacitated, the provider can use professional judgment to determine whether the disclosure is in the patient's best interest.
Disclosures to Disaster Relief Organizations
This is the one that surprises people. HIPAA permits covered entities to share PHI with organizations like the American Red Cross that are authorized by law or by their charter to assist in disaster relief. The patient doesn't have to consent, but the disclosure must be limited to the purpose of coordinating relief efforts — things like location, general condition, and death status.
Disclosures Required by Law
State emergency management statutes, public health reporting requirements, and law enforcement requests backed by legal authority all still apply. When a state declares a public health emergency, your facility may be legally required to report certain information to public health authorities. HIPAA explicitly permits disclosures required by other law.
The $2.2 Million Lesson From Overlooking the Basics
In 2018, OCR settled with Cottage Health for $3 million after the organization suffered multiple breaches affecting thousands of patients. The root cause wasn't a natural disaster — it was a fundamental failure to implement security controls and conduct risk analyses. But the lesson translates directly to emergency management in hospital settings.
Disasters amplify every weakness in your compliance program. If your staff doesn't understand minimum necessary standards on a quiet Tuesday, they won't suddenly remember them during a flood evacuation. If your portable devices aren't encrypted today, they'll be unencrypted when staff grab them on the way out the door during a fire.
OCR's enforcement history makes one thing clear: ignorance of the rules is never a defense, and chaos is never an excuse. You can review the full list of enforcement actions on the OCR Resolution Agreements page.
What Does Emergency Management in Hospital Settings Actually Require Under HIPAA?
The HIPAA Security Rule at 45 CFR § 164.308(a)(7) requires every covered entity to establish a contingency plan. That plan must include five elements:
- Data backup plan — retrievable exact copies of ePHI
- Disaster recovery plan — procedures to restore lost data
- Emergency mode operation plan — procedures to protect ePHI while operating during an emergency
- Testing and revision procedures — periodic testing of contingency plans
- Applications and data criticality analysis — identifying which systems are most critical
That third element — emergency mode operations — is the one most hospitals underinvest in. It's not enough to have a plan for getting systems back online after a disaster. You need a plan for protecting patient data during the disaster, while staff are improvising and systems are down.
Your Disaster Plan Means Nothing Without Workforce Training
I've reviewed emergency operations plans that were beautifully written and completely useless. Binders full of procedures that no one had read. Policies that referenced job titles that no longer existed. Contact lists with phone numbers that had been disconnected for years.
The gap is almost always training. Your workforce needs to know what they're allowed to disclose during an emergency, who they can disclose it to, and how to document those disclosures after the fact. They need to practice these scenarios before the real thing happens.
This isn't optional. The HIPAA Privacy Rule requires workforce training on policies and procedures, and the Security Rule requires security awareness training. Both apply to emergency scenarios. If your last training session didn't cover disaster-related PHI disclosures, you have a gap.
Our HIPAA training catalog includes modules designed specifically for clinical staff who need to understand PHI handling during high-pressure situations. If your current training program skips emergency scenarios, that's the place to start.
Seven Steps to Get Your Hospital Ready Now
1. Run a Tabletop Exercise Focused on PHI
Most hospital tabletop exercises focus on clinical surge capacity and logistics. Add a PHI scenario. What happens when the EHR goes down and staff start using paper? Who tracks those records? How do you account for them afterward?
2. Encrypt Every Portable Device
Laptops, tablets, USB drives, phones — all of them. Encryption is an addressable specification under the Security Rule, but in the context of disaster preparedness, it's functionally mandatory. A lost encrypted device isn't a reportable breach. A lost unencrypted device is.
3. Pre-Identify Your Disaster Disclosure Team
Designate specific staff who are authorized to respond to inquiries from family members, media, and disaster relief organizations. Train them on the minimum necessary standard. Give them scripts.
4. Document Everything — Even During the Crisis
After the emergency passes, OCR may come knocking. Every disclosure of PHI during the event should be logged, recording the time, the recipient, the purpose, and what was shared. If you can't document it in real time, create a process for retroactive documentation within 24-48 hours.
5. Update Your Notice of Privacy Practices
Your NPP should already reference disclosures for disaster relief purposes. If it doesn't, update it. Patients deserve to know their rights, and your organization needs the legal foundation.
6. Test Your Backup and Recovery Systems Quarterly
Annual testing isn't enough. I've seen backup systems that hadn't been tested in 18 months fail completely during a real event. Quarterly tests catch failures before they become catastrophic.
7. Train Staff at Least Annually — and After Every Real Event
After every real emergency, conduct a PHI-specific debrief. What disclosures were made? Were they appropriate? What would you do differently? Then feed those lessons back into your training program. You can explore structured HIPAA workforce training options to build this into your annual cycle.
The Breach Notification Clock Doesn't Stop for Disasters
Here's one more detail that catches hospitals off guard. If a breach of unsecured PHI occurs during an emergency, the breach notification requirements under 45 CFR §§ 164.404-164.408 still apply. You have 60 days from discovery to notify affected individuals. HHS must be notified. If the breach affects 500 or more people, prominent media outlets in the state must be notified too.
Disasters create exactly the kind of chaos where breaches happen — and where they go undetected for weeks. Your incident response team needs to be just as active during emergency operations as your clinical teams.
Stop Treating Compliance and Emergency Management as Separate Programs
The biggest mistake I see hospitals make is siloing their compliance team from their emergency management team. The compliance officer isn't invited to disaster planning meetings. The emergency manager has never read the contingency plan requirements in the Security Rule. They operate in parallel universes until a real event forces them together — usually too late.
Emergency management in hospital settings is a compliance function. Full stop. Your emergency operations plan and your HIPAA contingency plan should reference each other. Your Incident Command System should include a compliance liaison. Your after-action reports should include a PHI section.
Disasters test every system in your hospital simultaneously. The organizations that survive them with their patients' trust intact — and without an OCR investigation — are the ones that built HIPAA into their emergency plans long before the sirens started.
Start with a risk analysis. Update your contingency plan. Train your staff. And do it before the next event forces your hand.