Article Updated: July 11, 2026

How the HIPAA Privacy Rule Applies During Emergencies?

by | February 05, 26 | HIPAA Training for Emergencies

The HIPAA Privacy Rule applies during emergencies through a set of permissions that allow healthcare workers to disclose Protected Health Information without patient authorization when doing so supports treatment, public health, or patient safety, and many of these permissions apply to routine daily operations regardless of whether a formal emergency has been declared. These provisions exist because the HIPAA Privacy Rule was written to accommodate the realities of emergency care, where seeking advance permission from a patient is often impractical or impossible. Understanding how these permissions function, and where their limits sit, is necessary for any workforce member who may be called on to share patient information quickly during an urgent situation.

Treatment Disclosures Between Different Covered Entities

The HIPAA Privacy Rule permits disclosures of Protected Health Information between workforce members of different Covered Entities when the purpose is to organize a patient’s treatment. An emergency medical responder employed by one organization may share information with an emergency department receptionist employed by a separate hospital system in order to coordinate the patient’s care as they move between settings. This permission reflects the fact that emergency care frequently involves multiple organizations working together on the same patient within a short window of time, and the HIPAA Privacy Rule does not require a formal data sharing agreement to be in place before this kind of treatment-related coordination can occur.

Disclosures to Public Health and Law Enforcement Agencies

Minimum necessary disclosures of Protected Health Information to public health agencies are permitted under the HIPAA Privacy Rule, including disclosures made to prevent the spread of disease or injury, to support public health surveillance, or to assist with public health interventions. State law may also require certain disclosures to public health authorities beyond what HIPAA permits on its own. Disclosures to law enforcement agencies are permitted, though not required, under specific circumstances defined by the HIPAA Privacy Rule. These categories of disclosure are not unique to emergencies and apply in standard clinical operations, but they are especially relevant in emergency care because of how frequently public health and safety concerns arise in that setting.

Sharing Information When the Patient Is Not Present

When a patient cannot be present to grant permission, the HIPAA Privacy Rule allows healthcare workers to infer that the patient would not object to having their information shared with family members, friends, or disaster relief organizations for the purpose of identifying, locating, or treating the patient. This inference is permitted specifically because requiring prior consent in these circumstances would interfere with the organization’s ability to respond effectively. A workforce member assisting with patient identification after a mass casualty event, for example, may rely on this provision to share limited information with a relief organization working to reunite patients with family members. This permission, like the treatment and public health provisions described above, is available in everyday clinical practice and is not contingent on the activation of formal emergency protocols.

Limits on These Permissions and the Need for Documentation

These emergency-related disclosure permissions under the HIPAA Privacy Rule are not unlimited. Each one is tied to a specific purpose, and disclosures must remain consistent with that purpose rather than expanding into a general license to share information freely during an emergency. Workforce members should understand that these flexibilities coexist with the broader protections established by the HIPAA Security Rule and HIPAA Breach Notification Rule, both of which continue to apply during emergency response. The HIPAA Journal’s HIPAA Training for Emergency Staff addresses all of these provisions through its HIPAA in Emergency Situations module, which is included as a required part of the certification curriculum alongside the core HIPAA modules and optional state medical privacy training for Texas and California.

Author: PJ Murray

PJ Murray is the founder and publisher of The HIPAA Journal. He has more than 10 years of experience writing about HIPAA, healthcare compliance, patient privacy, and the protection of medical records. Through The HIPAA Journal, PJ helps healthcare organizations, business associates, and their employees better understand HIPAA regulations, reduce compliance risks, and strengthen the safeguards used to protect patient information.

PJ has a background in software development, holds an engineering degree, and specializes in the cybersecurity aspects of HIPAA compliance, including data security, medical record protection, and workforce training. He has also played a leading role in the development and launch of The HIPAA Journal Training, which provides HIPAA and cybersecurity training for healthcare organizations, business associates, students, and healthcare-related workforces.

PJ's work focuses on making complex regulatory and technical requirements easier for healthcare professionals and organizations to understand and apply in practice.
Connect on LinkedIn.