The Hurricane That Exposed More Than a Hospital's Roof

In 2017, Hurricane Harvey flooded a major Texas hospital system. Staff scrambled to evacuate patients, share medical records with shelters, and coordinate with first responders. In the chaos, patient charts ended up in the hands of volunteers who had zero HIPAA training. Laptops with ePHI sat in standing water for days. And nobody could find the facility's emergency operations plan — because it was stored on a server in the flooded basement.

I've consulted with organizations that lived through exactly this kind of disaster. And the question I hear most often is the same one you're probably asking right now: does HIPAA really apply during an emergency?

The short answer is yes. Healthcare emergency management doesn't give your organization a pass on protecting PHI. But HHS does offer specific flexibilities — if you know the rules before the crisis hits.

What HHS Actually Says About HIPAA During Emergencies

HHS has published detailed guidance on how the HIPAA Privacy Rule applies during national and public health emergencies. The guidance is clear: the Privacy Rule is not suspended during a disaster. However, the Secretary of HHS can waive certain provisions under a declared emergency.

Under Section 1135 of the Social Security Act, once the President has declared a disaster or emergency and the HHS Secretary has declared a public health emergency, the Secretary can waive specific Privacy Rule requirements: the requirement to distribute a Notice of Privacy Practices, the requirement to obtain a patient's agreement before speaking with family members or friends involved in their care, the patient's right to opt out of the facility directory, and the rights to request privacy restrictions and confidential communications. The waiver is narrow in scope and time-limited. It applies only in the declared emergency area and period, only to hospitals that have instituted a disaster protocol, and only for up to 72 hours from the moment the hospital implements that protocol.

You can read the official HHS bulletin on HIPAA and emergencies at HHS.gov's emergency preparedness page.

Here's the part most people miss: even during a waiver period, you can't just hand PHI to anyone who asks. Disclosures still need to follow the "minimum necessary" standard. The one important exception is treatment: disclosures to, or requests by, a health care provider for treatment are exempt from minimum necessary, but disclosures to relief organizations, public health authorities, and anyone else are not.

The PHI Disclosures You Can Make — and the Ones That Get You Fined

During a declared emergency, covered entities can disclose PHI without individual authorization in several specific scenarios. Knowing these categories before a disaster strikes is the backbone of smart healthcare emergency management.

Disclosures That HIPAA Already Permits

  • Treatment purposes: Sharing PHI with other healthcare providers for treatment — including providers at shelters or temporary facilities — is already allowed under the HIPAA Privacy Rule, emergency or not.
  • Public health activities: Disclosures to public health authorities like the CDC or state health departments are permitted for disease surveillance, injury reporting, and similar functions.
  • To prevent serious and imminent threat: If a provider believes in good faith that disclosure is necessary to prevent or lessen a serious threat to a person or the public, HIPAA permits it.
  • Disaster relief organizations: Covered entities can share limited PHI (location, general condition, or death) with organizations like the American Red Cross to coordinate notifications to family members. The patient should be given the chance to object if they're conscious and able to do so, unless doing so would interfere with the relief effort.

Disclosures That Still Violate HIPAA

  • Sharing full medical records with untrained volunteers without a legitimate treatment or operations purpose.
  • Posting patient names and conditions on public bulletin boards or social media to "help families reconnect."
  • Leaving devices containing ePHI unsecured in evacuation zones without encryption or remote-wipe capability.
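The two lists above, the permitted disclosures and the ones that still violate HIPAA, come down to one rule: release only the fields the stated purpose needs, and refuse when there is no permitted purpose. The following is an added example of enforcing that in code; it is not from the original article, and the per-purpose field allowlists, the `minimum_necessary` function, and the sample chart are illustrative assumptions, not a legal definition of what any disclosure may contain.

```python
"""Purpose-based PHI filtering as an illustration of the HIPAA "minimum
necessary" standard during an emergency. Added example; the field allowlists
below are assumptions chosen to illustrate the idea, not regulatory text."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample chart. Every value is fictional.
SAMPLE_CHART = {
    "mrn": "000-12345",
    "name": "Jane Doe",
    "dob": "1958-04-02",
    "ssn": "123-45-6789",
    "location": "Shelter B, cot 14",
    "general_condition": "stable",
    "diagnoses": ["type 2 diabetes", "hypertension"],
    "medications": ["metformin 500 mg BID", "lisinopril 10 mg daily"],
    "allergies": ["penicillin"],
    "insurance_id": "BCBS-99887766",
    "religious_affiliation": "Methodist",
}

# Assumed allowlists per disclosure purpose (illustrative only).
ALLOWED_FIELDS = {
    # Treatment at a receiving facility or shelter clinic: the clinical
    # record, but no billing identifiers or SSN.
    "treatment": {"mrn", "name", "dob", "diagnoses", "medications",
                  "allergies", "general_condition", "location"},
    # Disaster relief family notification: location and general condition.
    "disaster_relief": {"name", "location", "general_condition"},
    # Public health reporting: what surveillance needs, no financial data.
    "public_health": {"name", "dob", "diagnoses", "location"},
}


class DisclosureDenied(Exception):
    """Raised when no permitted purpose covers the requested disclosure."""


@dataclass
class AuditEntry:
    when: str
    purpose: str
    recipient: str
    fields: list  # field names only, so the log itself never spills PHI


def minimum_necessary(chart, purpose, recipient, patient_objected=False,
                      audit_log=None):
    """Return the subset of `chart` permitted for `purpose`, or refuse.

    A request with no recognised purpose (a curious volunteer, a social
    media post) is refused outright rather than given a reduced record.
    """
    if purpose not in ALLOWED_FIELDS:
        raise DisclosureDenied(f"no permitted-purpose basis for '{purpose}'")
    if purpose == "disaster_relief" and patient_objected:
        raise DisclosureDenied("patient objected to disaster-relief notification")
    allowed = ALLOWED_FIELDS[purpose]
    subset = {k: v for k, v in chart.items() if k in allowed}
    if audit_log is not None:
        audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            purpose=purpose, recipient=recipient, fields=sorted(subset)))
    return subset


if __name__ == "__main__":
    log = []
    print(minimum_necessary(SAMPLE_CHART, "disaster_relief", "Red Cross", audit_log=log))
    print(minimum_necessary(SAMPLE_CHART, "treatment", "Receiving hospital", audit_log=log))
    try:
        minimum_necessary(SAMPLE_CHART, "volunteer_request", "Shelter volunteer")
    except DisclosureDenied as e:
        print("denied:", e)
    for entry in log:
        print(entry)
```

Two design choices are worth noting. The audit log records which field names were released, to whom, and for what purpose, but not the values, so the log can be retained and reviewed without itself becoming an ePHI store. And an unrecognised purpose raises rather than returning an empty dictionary, so a calling workflow cannot silently proceed with a disclosure that had no basis.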

I've seen organizations assume that a disaster declaration means open season on patient data. It doesn't. OCR has made clear that enforcement discretion during emergencies isn't the same as enforcement amnesty.

OCR's Track Record: Enforcement Doesn't Take Snow Days

OCR has issued limited, time-bound notices of enforcement discretion (for example, for telehealth platforms during the COVID-19 public health emergency), but it has never issued a blanket promise to look the other way during emergencies. In fact, some of the largest enforcement actions in OCR history stemmed from failures that were worsened by poor emergency planning.

Consider the case of Advocate Health Care Network, which paid a $5.55 million settlement in 2016 after three separate breaches, including the theft of four unencrypted desktop computers from an Advocate Medical Group office and of an unencrypted laptop from an unlocked vehicle. One of OCR's key findings was the organization's failure to conduct a thorough, enterprise-wide risk analysis. That same failure is what makes emergencies catastrophic for PHI security. When you don't know where your ePHI lives, you can't protect it when a building floods or a wildfire forces an evacuation.

You can review OCR's enforcement highlights on the HHS breach settlement page.

Your Emergency Operations Plan Needs a HIPAA Chapter

Most healthcare facilities have some kind of emergency operations plan. CMS requires it for participation in Medicare and Medicaid. But in my experience, these plans rarely address PHI with any specificity.

Here's what a solid healthcare emergency management plan should include from a HIPAA perspective:

1. Device and ePHI Inventory

You cannot protect what you haven't mapped. Every laptop, tablet, portable drive, and server that stores or transmits ePHI needs to be on a list — with its physical location and encryption status. During an evacuation, your team needs to know exactly which devices to grab, lock down, or remotely wipe.

2. Delegation of Authority for PHI Decisions

When the Privacy Officer is unreachable, who makes the call on a borderline PHI disclosure? Your plan needs a clear chain of command for privacy decisions during a crisis. I've watched facilities freeze because no one had the authority — or the confidence — to approve sharing records with a receiving hospital during a patient transfer.

3. Pre-Positioned Workforce Training

This is where most plans fail completely. Your staff can't learn HIPAA emergency protocols during the emergency. They need scenario-based training before the disaster hits. Our HIPAA training catalog includes modules that cover workforce obligations during emergencies — the kind of preparation that keeps your organization off OCR's radar.

4. Business Associate Contingency Coordination

Your cloud EHR vendor, your billing company, your shredding service — what happens to PHI in their custody during a regional disaster? Your Business Associate Agreements should include provisions for emergency notification and data recovery. If they don't, you've got a gap that OCR will find.

What Exactly Is Healthcare Emergency Management Under HIPAA?

Healthcare emergency management under HIPAA refers to the policies, procedures, and workforce training a covered entity or business associate maintains to protect PHI before, during, and after an emergency event — whether it's a natural disaster, a cyberattack, a pandemic, or a mass casualty incident. It encompasses the HIPAA Security Rule's required contingency plan (45 CFR § 164.308(a)(7)), the Privacy Rule's provisions for emergency disclosures, and the Breach Notification Rule's obligations that remain in effect even during declared emergencies. You can review the Security Rule's administrative safeguard requirements at law.cornell.edu.

The Cyberattack Scenario Nobody Wants to Talk About

When people think healthcare emergency management, they picture hurricanes and earthquakes. But the fastest-growing emergency scenario in healthcare is ransomware.

In February 2024, the ransomware attack on Change Healthcare exposed the data of an estimated 100 million individuals, a figure the company later revised to roughly 190 million, making it the largest healthcare data breach in U.S. history. The attack crippled claims processing nationwide and forced providers to operate on paper for weeks. Organizations that had robust contingency plans, including offline backups and documented manual workflows, recovered faster. Those that didn't faced weeks of operational paralysis and massive PHI exposure.

Your HIPAA contingency plan under the Security Rule must include a data backup plan, a disaster recovery plan, and an emergency mode operation plan. These aren't optional. They're required implementation specifications under 45 CFR § 164.308(a)(7). The same standard lists two addressable specifications, testing and revision procedures and an applications and data criticality analysis, and a plan that has never been tested against a ransomware scenario is a plan on paper only.

Three Steps to Take This Week

You don't need a six-month project to start closing gaps. Here's what I tell every client:

  • Run a tabletop exercise. Pick a scenario — a ransomware attack, a tornado, an active shooter. Walk through it with your privacy officer, IT lead, and department managers. Document every point where PHI decisions come up.
  • Audit your device encryption. If any device that stores ePHI isn't encrypted, you have an urgent problem, not just an emergency management problem. Encryption is your single biggest shield against reportable breaches: under the Breach Notification Rule, ePHI that was encrypted in line with HHS guidance is "secured," and losing the device is not a reportable breach.
  • Train your workforce now. Not next quarter. Not after the next survey. Now. Explore our full HIPAA training catalog to find scenario-based courses that prepare your team for the decisions they'll face when the power goes out and the phones go down.
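The device inventory step earlier in this article and the encryption audit above both need the same factual input: for each host, which mounted filesystems actually sit on an encrypted volume. The script below is an added example, not code from the original article, that answers that question on a Linux host from the JSON output of `lsblk`. It assumes a util-linux `lsblk` that supports `-J`, treats dm-crypt (LUKS) mappings as the encryption layer, and falls back to a constructed sample device tree so it runs offline.

```python
"""Report which mounted filesystems are backed by an encrypted block device,
using `lsblk -J` (util-linux). Added example; SAMPLE_LSBLK is a constructed
device tree used when lsblk is not available."""
import json
import shutil
import subprocess

# Constructed sample: LUKS-on-LVM root and home, an unencrypted EFI partition,
# and a second disk holding chart exports with no encryption at all.
SAMPLE_LSBLK = json.loads("""
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg0-home", "type": "lvm", "mountpoint": "/home"}
      ]}
    ]}
  ]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "mountpoint": "/mnt/chart-exports"}
  ]}
]}
""")

# Assumption: boot partitions and swap hold no ePHI and are excluded.
IGNORED_MOUNTS = {"/boot", "/boot/efi", "[SWAP]"}


def mounted_filesystems(tree):
    """Yield (mountpoint, device_name, encrypted) for every mounted node.

    A node counts as encrypted if it, or any ancestor in the lsblk tree,
    is a dm-crypt ('crypt') mapping. LVM-on-LUKS therefore inherits the
    encrypted flag from the crypt device above it.
    """
    def walk(node, encrypted):
        enc = encrypted or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint:
            yield mountpoint, node["name"], enc
        for child in node.get("children", []):
            yield from walk(child, enc)

    for device in tree["blockdevices"]:
        yield from walk(device, False)


def unencrypted_mounts(tree, ignore=IGNORED_MOUNTS):
    """Sorted list of mountpoints that are not on an encrypted device."""
    return sorted(mp for mp, _, enc in mounted_filesystems(tree)
                  if not enc and mp not in ignore)


def read_host_lsblk():
    """Return the live device tree, or None if lsblk is not available."""
    if shutil.which("lsblk") is None:
        return None
    result = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                            capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    tree = read_host_lsblk() or SAMPLE_LSBLK
    for mountpoint, name, enc in mounted_filesystems(tree):
        status = "encrypted  " if enc else "UNENCRYPTED"
        print(f"{status} {mountpoint:<24} {name}")
    findings = unencrypted_mounts(tree)
    if findings:
        print("ePHI at risk on:", ", ".join(findings))
    # Non-zero exit lets a fleet tool or cron job flag the host for follow-up.
    raise SystemExit(1 if findings else 0)
```

The non-zero exit code is what makes this usable as an inventory feed rather than a one-off check: run it from your endpoint management tool and the hosts that fail are your list of devices to fix before the next evacuation, not after. Note the caveat in the lead-in: only dm-crypt mappings show up as `crypt` in `lsblk`, so volumes protected by filesystem-level encryption, ZFS native encryption, or a self-encrypting drive will be reported as unencrypted and need a separate check.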

Emergencies Reveal What Your Compliance Program Is Made Of

I've been in enough post-disaster debriefs to know this: emergencies don't create compliance failures. They expose the ones that were already there. The missing risk analysis. The unencrypted laptop. The workforce that never got trained beyond a checkbox orientation video.

Healthcare emergency management isn't a separate discipline from HIPAA compliance. It's the ultimate test of it. The organizations that survive emergencies with their patients' trust intact — and without an OCR investigation — are the ones that did the hard work when the skies were still clear.

Your patients are counting on that. Start building the plan today.