Skip to Content

HHS provides guidance on HIPAA Privacy Rule and emergency situations

The U.S. Department of Health and Human Services (HHS) recently issued guidance on the applicability of HIPAA during emergencies. HIPAA permits the disclosure of protected health information (PHI) without patient authorization to treat the patient and to protect the public's health and explicitly permits disclosure of PHI to disaster relief organizations (e.g., the American Red Cross). The HHS guidance reminds practitioners that any disclosure without authorization must conform to the "minimum necessary" standard, and the requirements of the Privacy Rule still apply, even during a health crisis or national disaster. However, the Secretary of HHS has the discretion to waive penalties and sanctions against a covered entity that fails to comply with certain requirements of the Privacy Rule; the HHS guidance provides more detail about such waivers. 

The guidance is available here.
More information about HIPAA and related resources are available from Health Information & the Law here