Emergency care settings must provide workforce training on the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule, and that training must be adapted to address the additional permissions, conditions, and contingency obligations that apply specifically when care is delivered under emergency conditions. The HIPAA Privacy Rule requires Covered Entities to train all workforce members on applicable privacy policies, and the HIPAA Security Rule requires a security awareness and training program for everyone who accesses electronic Protected Health Information. For emergency care settings, including emergency departments, urgent care centers, EMS organizations, and other facilities that respond to time-sensitive medical situations, satisfying these requirements means training staff on the standard regulatory framework as well as the distinct rules that govern disclosure, contingency planning, and enforcement during emergencies.
Contingency Planning Requirements for Emergency Care Organizations
HIPAA Security Officers are required to establish contingency plans that address how an organization will maintain the confidentiality, integrity, and availability of electronic Protected Health Information during manmade or natural emergencies, including localized structural or environmental incidents. For healthcare providers and suppliers that participate in Medicare or Medicaid, these contingency plans must also account for the Centers for Medicare and Medicaid Services Emergency Preparedness requirements, and training on HIPAA contingency planning is often provided alongside CMS emergency preparedness training to ensure consistency across both frameworks. Emergency care settings need workforce training that addresses this dual obligation directly, since staff in these environments are the ones most likely to encounter a contingency plan activation in practice.
How the HIPAA Privacy Rule Accommodates Routine Emergency Disclosures
The HIPAA Privacy Rule is designed to accommodate the realities of emergency care, and training must explain how its general disclosure permissions apply in these situations. An emergency medical responder working for one Covered Entity may disclose Protected Health Information to staff at a different Covered Entity, such as an emergency department receptionist, to coordinate a patient’s treatment. Minimum necessary disclosures to public health agencies are also permitted to support disease prevention, injury surveillance, and public health interventions, and disclosures to law enforcement are permitted under defined circumstances. When a patient is not present, the HIPAA Privacy Rule allows staff to infer that the patient would not object to sharing information with family members, friends, or disaster relief organizations for the purpose of identification, location, or treatment, particularly when seeking permission in advance would interfere with the response. These permissions apply in routine daily operations and are not limited to situations where formal emergency protocols have been activated, a distinction that training must make clear.
Disclosures to Address Imminent Danger
Beyond reactive disclosures made during an active emergency, the HIPAA Privacy Rule also permits healthcare providers to disclose Protected Health Information ahead of a suspected emergency when there is reason to believe a person or the public faces imminent danger. This permission depends on the provider having actual knowledge of the danger, obtained either directly or from a credible source. When these conditions are satisfied, a limited disclosure may be made in good faith to any person or agency positioned to avert the danger or reduce its consequences, including the individual or individuals who are the target of the threat. Training must require that staff document both the disclosure and the reasoning behind it, and must clarify that any disclosure exceeding what this standard permits requires a valid HIPAA authorization from the patient.
Understanding Enforcement Discretion During Widespread Emergencies
When a hurricane, flood, wildfire, or similar widespread emergency is declared, the Office for Civil Rights has the authority to exercise enforcement discretion for specific standards of the HIPAA Privacy Rule within the affected area. Training must be explicit that enforcement discretion does not mean HIPAA requirements no longer apply. Staff must continue following standard procedures unless their organization specifically communicates which standards are affected and for how long. The HIPAA Journal’s HIPAA Training for Emergency Staff includes a dedicated module covering all of these requirements as part of the mandatory curriculum that leads to certification, alongside the core regulatory content and optional state medical privacy modules for Texas and California.

