Skip to main content
U.S. flag

An official website of the United States government

Return to Search

FAQ 1068 Is the HIPAA Privacy Rule suspended during a national or public health emergency?

This is information regarding HIPAA during national or public health emergencies.

Final

Issued by: Office for Civil Rights (OCR)

Is the HIPAA Privacy Rule suspended during a national or public health emergency? Answer: No; however, the Secretary of HHS may waive certain provisions of the Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act. What provisions may be waived If the President declares an emergency or disaster and the Secretary declares a public health emergency, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule: the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care (45 CFR 164.510(b)) the requirement to honor a request to opt out of the facility directory (45 CFR 164.510(a)) the requirement to distribute a notice of privacy practices (45 CFR 164.520) the patient's right to request privacy restrictions (45 CFR 164.522(a)) the patient's right to request confidential communications (45 CFR 164.522(b)) When and to what entities does the waiver apply If the Secretary issues such a waiver, it only applies: In the emergency area and for the emergency period identified in the public health emergency declaration. To hospitals that have instituted a disaster protocol. The waiver would apply to all patients at such hospitals. For up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol. Regardless of the activation of an emergency waiver, the HIPAA Privacy Rule permits disclosures for treatment purposes and certain disclosures to disaster relief organizations. For instance, the Privacy Rule allows covered entities to share patient information with the American Red Cross so it can notify family members of the patient’s location. See 45 CFR 164.510(b)(4). Learn More: See the Hurricane Katrina Bulletin: HIPAA Privacy and Disclosures in Emergency Situations - PDFfor more about sharing information in emergency situations.

HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the guidance@hhs.gov.

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.