Public Health Emergency in Texas Prompts Limited Waiver of HIPAA Sanctions & Penalties

On July 8, 2025, HHS Secretary Robert F. Kennedy Jr. announced the declaration of a Public Health Emergency (PHE) in Texas due to severe storms, flooding, and straight-line winds that began on July 2, 2025. The HHS Secretary also announced a limited waiver of HIPAA sanctions and penalties, for a period, for HIPAA-covered hospitals in some Texas locations under the PHE. The PHE statement and HIPAA waiver were issued by President Donald Trump following the Major Disaster Declaration for Kerr County, Texas, on July 6, 2025.

Serious natural disasters such as hurricanes and floods make HIPAA compliance more challenging for healthcare companies. This is true of certain provisions of the HIPAA Rules, such as those covering the disclosure of individuals’ protected health information (PHI) to friends and family members, emergency personnel, and public health officials.

The HIPAA Rules aren’t suspended during a PHE. However, for hospitals in areas under a PHE, the HHS Secretary usually announces a limited waiver of HIPAA sanctions and penalties for certain provisions of the HIPAA Privacy Rule.

As with other PHEs, the HHS Secretary announced a waiver of sanctions and penalties against a HIPAA-covered hospital that fails to comply with the following provisions of the HIPAA Privacy Rule:

  • The requirement to obtain a patient’s consent to speak with family members or friends involved in the patient’s care – 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory – 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices – 45 CFR 164.520.
  • The patient’s right to request privacy restrictions – 45 CFR 164.522(a).
  • The patient’s right to request confidential communications – 45 CFR 164.522(b).

The waiver applies only to the above-mentioned provisions of the HIPAA Privacy Rule, only in locations under the PHE, only during the PHE, and only for hospitals with a disaster protocol. The waiver applies for approximately 72 hours after the hospital deploys its disaster procedures. If the Presidential or Secretarial declaration ends, the waiver ends with it, even for individuals still being cared for by a hospital and even if the 72-hour period is not yet over.

Note that the HIPAA Privacy Rule allows PHI to be disclosed in emergencies for treatment purposes, to inform family members, friends, and other individuals involved in a person’s care, and for public health activities. PHI may likewise be disclosed to any individual, as needed, to prevent or lessen a serious and imminent threat to the health and safety of an individual or the public.

Information about a particular patient may be shared with the media or other people on request when the requester gives the patient’s name. In that case, minimal facility directory information may be provided, for example acknowledging that the person is a patient at the facility, along with general information about the patient’s condition (e.g., critical or stable, deceased, or treated and discharged), provided the patient did not object to this disclosure. If the patient is disabled, expert judgment must be exercised as to whether sharing the information is beneficial to the patient.

In all instances, the minimum necessary standard applies: the information shared must be limited to the minimum necessary to achieve the purpose of the disclosure.