Do your Staff need Training on HIPAA in Emergency Situations?
Emergencies in healthcare are not limited to extreme weather, wildfires, or other natural disasters. Today’s most disruptive incidents are just as likely to be cyberattacks, EHR downtime, system outages, and infrastructure failures. On a more localized level, organizations also face disruptive, aggressive, or violent patients and visitors that create immediate safety risks and require rapid, compliant decision‑making. Across all these scenarios, HIPAA continues to apply and staff must know how to act quickly while protecting patient privacy.
Effective HIPAA training equips staff to make permitted disclosures for treatment and care coordination during urgent situations without guessing. It helps staff understand when information may be shared with family or friends involved in a patient’s care, how to communicate with public health authorities, and when disaster relief organizations may receive limited information to help locate or notify individuals. It also clarifies that the minimum necessary standard does not limit disclosures for treatment, while guiding staff to limit other disclosures to what is reasonably needed.
HIPAA in Emergency Situations
HIPAA compliance officers must navigate a wide spectrum of emergencies that challenge normal operations and require staff to apply HIPAA under pressure. These events fall into two broad categories. The first involves system‑wide operational disruptions, which can halt access to ePHI, interrupt clinical workflows, or compromise critical infrastructure.
Natural disasters, cyberattacks, EHR downtime, system outages, and infrastructure failures can all force organizations into contingency mode. These situations often require coordinated action across clinical, IT, and compliance teams and activate HIPAA’s contingency planning requirements.
The second category involves localized safety emergencies, which occur far more frequently and demand immediate, on‑the‑ground decision‑making. Disruptive, aggressive, or violent patients, threatening or unstable visitors, and behavioral health crises that escalate into safety risks can all create urgent situations where staff must balance safety with privacy obligations.
Although incidents in this second category rarely trigger organization‑wide emergency preparedness plans, they do require personnel to make rapid HIPAA decisions, particularly around the imminent danger standard, the minimum necessary requirement, and appropriate communication boundaries.
Across both categories, whether the disruption affects the entire organization or a single unit, staff must understand how HIPAA applies when normal operations are disrupted and quick judgment is essential.
HIPAA Training for System‑Wide Disruptions
During natural disasters, cyberattacks, outages, and infrastructure failures, staff must know how to:
- Access essential information during downtime
- Permissibly disclose PHI to emergency services personnel
- Document care using approved paper or downtime workflows
- Secure temporary records and re‑enter data safely once systems are restored
- Avoid insecure workarounds such as using personal or unapproved tools and services
- Verify patient identity when electronic tools are unavailable
Training should reinforce that HIPAA’s Privacy and Security Rules remain fully in effect, even when systems are compromised.
HIPAA Training for Localized Safety Emergencies
Disruptive or violent behavior creates immediate risks to staff, patients, and visitors. HIPAA training should prepare personnel to:
- Recognize when the imminent danger standard permits disclosure of limited PHI
- Share only the information necessary to protect individuals on site
- Document what was disclosed, to whom, and why
- Avoid unnecessary post‑incident discussion or over‑disclosure
- Understand when behavioral information is PHI and when it is not
- Coordinate with security teams without violating privacy boundaries
These scenarios are among the most common sources of privacy lapses because staff act quickly, often without clear guidance. Training must close that gap.
Contingency Planning, Emergency Preparedness, and HIPAA Expectations
Effective emergency readiness requires strong HIPAA contingency planning supported by clear HIPAA Privacy Rule guidance. HIPAA Security Officers must ensure that the confidentiality, integrity, and availability of ePHI can be maintained during any disruption, and staff should understand how backup and recovery processes work, what emergency mode operations look like in practice, and their specific responsibilities during downtime.
HIPAA training must also clarify how permissible uses and disclosures function in emergencies. Staff must understand that disclosures for treatment may proceed without delay, that the minimum necessary standard still applies to most non‑treatment disclosures, and that patient authorization is still required for uses and disclosures not otherwise permitted by the Privacy Rule, even during emergencies. Staff should also know how to escalate suspected breaches or unusual system behavior, and how these expectations apply during both system‑wide and localized incidents.
For Medicare and Medicaid participants, integrating HIPAA contingency planning with CMS Emergency Preparedness requirements creates a unified response framework. This alignment reduces confusion during incident command activation, clarifies communication channels and decision‑making authority, and ensures staff understand how HIPAA’s Privacy and Security Rules operate within broader emergency operations, particularly during incidents where coordinated action is essential.
HIPAA Flexibilities and Expectations in Emergencies
HIPAA provides important flexibilities that support emergency response, but these flexibilities operate within clear boundaries that staff must understand. During widespread events such as major natural disasters, the HHS Office for Civil Rights may announce temporary enforcement discretion for specific provisions of the HIPAA Privacy Rule, but this discretion is always limited, temporary, and formally communicated. Staff must continue following HIPAA as usual unless leadership explicitly advises otherwise.
Key Takeaways for HIPAA Compliance Officers
- HIPAA continues to apply during system-wide or localized emergencies.
- Staff must be trained to make rapid, lawful disclosures for treatment and safety.
- Cyberattacks and outages now trigger HIPAA contingency plans more often than natural disasters.
- Disruptive patients and visitors create high‑frequency safety emergencies that require clear HIPAA guidance.
- Training must address downtime workflows, secure communication, and re‑entry procedures.
- Aligning HIPAA contingency plans with CMS Emergency Preparedness strengthens organizational readiness.
- HIPAA flexibilities support emergency response but require clear understanding. Enforcement discretion must never be assumed.
A well‑trained workforce is your strongest asset during emergencies. When staff understand how HIPAA operates under pressure, they protect patients, support continuity of care, and reduce organizational risk.
The post Do your Staff need Training on HIPAA in Emergency Situations? appeared first on The HIPAA Journal.
Data Breach Settlements Agreed by Centrelake Medical Group & Des Moines Orthopaedic Surgeons
Class action lawsuits over data breaches at Centrelake Medical Group and Des Moines Orthopaedic Surgeons have been resolved with settlements.
Centrelake Medical Group Settlement
Centrelake Medical Group, the operator of 8 medical imaging and oncology centers in California, has agreed to settle a class action lawsuit stemming from a 2019 cybersecurity incident that affected 197,661 patients. Centrelake Medical Group experienced a ransomware attack in February 2019. The hackers had access to its servers from January 9 to February 19, 2019, and potentially obtained information such as names, phone numbers, addresses, Social Security numbers, health insurance information, diagnoses, services performed, dates of service, medical record numbers, referring provider information, and driver’s license numbers.
A lawsuit was filed in response to the data breach – April Kay Moore, et al. v. Centrelake Medical Group, Inc. – in the Superior Court of California, County of Los Angeles Civil Division, which asserted claims of breach of express and/or implied contractual promise, breach of covenant of good faith and fair dealing, violation of Civil Code § 56, et seq., and violation of California Business and Professions Code § 17200, et seq.
Centrelake Medical Group denies all claims of liability and wrongdoing but determined that the litigation would likely be protracted and expensive, and agreed to a settlement. Centrelake Medical Group has agreed to pay $525,000 for attorneys’ fees and expenses, $2,500 for each of the class representatives, and will cover notice and settlement costs.
Class members are entitled to enroll in two years of free medical and credit monitoring services, and claims may be submitted for documented, unreimbursed losses due to the data breach. A cap of $500 has been placed on ordinary losses due to the data breach, and a cap of $3,500 has been placed on extraordinary losses. Individuals who were California residents at the time of the data breach may also claim an additional $50 cash payment. The deadline for submitting a claim is June 12, 2026, and the final fairness hearing has been scheduled for July 14, 2026.
Des Moines Orthopaedic Surgeons Settlement
Des Moines Orthopaedic Surgeons in Iowa has agreed to settle class action litigation over a 2023 data breach. Des Moines Orthopaedic Surgeons experienced a data security incident in February 2023 that impacted its computer systems and resulted in the theft of the protected health information of 307,864 current and former patients. Data compromised in the incident included names, Social Security numbers, dates of birth, driver’s license numbers, state identification numbers, passports, direct deposit bank information, medical information, and health insurance information.
Three class action lawsuits were filed in response to the data breach and were consolidated – Rogers, et al., v. Des Moines Orthopaedic Surgeons, P.C. – in the Iowa District Court for Dallas County. The plaintiffs alleged that the data breach was due to the failure to implement appropriate cybersecurity measures to protect patient data. Des Moines Orthopaedic Surgeons denies all claims of liability and wrongdoing; however, it opted to settle the litigation to avoid the costs, expense, distraction, burden, and disruption to business operations of continuing with the litigation.
The settlement includes monetary relief for the class members, which has been capped at $1,000,000. Class members are entitled to claim three years of three-bureau credit monitoring and identity theft protection services. In addition, a claim may be submitted for reimbursement of losses due to the data breach and compensation for lost time. A claim may be submitted for reimbursement of documented, unreimbursed ordinary out-of-pocket losses up to a maximum of $400 per class member, up to four hours of lost time at $25 an hour, and reimbursement of documented, unreimbursed extraordinary losses up to a maximum of $5,000 per class member.
If a claim for reimbursement of losses and lost time is not submitted, class members may claim an alternative cash payment. Those payments are $25 if their Social Security number was not compromised, and $100 if their Social Security number was compromised. The deadline for submitting a claim is March 23, 2026, and the final fairness hearing has been scheduled for April 2, 2026. Individuals wishing to object to the settlement or exclude themselves have until February 23, 2026, to do so.
The post Data Breach Settlements Agreed by Centrelake Medical Group & Des Moines Orthopaedic Surgeons appeared first on The HIPAA Journal.
February 16, 2026: Compliance Deadline for Part 2 Final Rule
The deadline for compliance with the 42 CFR Part 2 Confidentiality of Substance Use Disorder (SUD) Patient Records (Part 2) Final Rule was February 16, 2026. Entities subject to the Part 2 regulations must ensure compliance with the new requirements, which are now in effect and being actively enforced. The Civil Enforcement Program for Confidentiality of Substance Use Disorder Patient Records was announced by the HHS’ Office for Civil Rights (OCR) on February 13, 2026. In that announcement, OCR confirmed that, from February 16, 2026, OCR will accept complaints alleging violations of the regulation that protects the confidentiality of SUD patient records and alleged breach notification violations.
The final rule was issued by OCR and the Substance Abuse and Mental Health Services Administration (SAMHSA) on February 8, 2024, to better align the Part 2 regulations with the Health Insurance Portability and Accountability Act (HIPAA). The final rule took effect on April 16, 2024, and entities covered by the Part 2 regulations were given 11 months to comply with the new requirements.
Aligning the Part 2 regulations more closely with HIPAA removes barriers to information sharing and should improve care coordination, without eliminating important privacy protections. The final rule expanded patient rights regarding uses and disclosures of SUD records and has made compliance less complex for entities subject to both sets of regulations.
Some of the key new requirements are detailed below:
- A single patient consent for all future uses and disclosures of SUD records for treatment, payment, and healthcare operations is permitted
- HIPAA-regulated entities may redisclose SUD records received under that consent in accordance with the HIPAA Privacy Rule
- Part 2 records no longer need to be segregated
- SUD records may be disclosed to public health authorities if de-identified in accordance with HIPAA standards
- Patients may obtain an accounting of disclosures of their SUD records
- Patients may request restrictions on certain disclosures of their SUD records
- Patients may file complaints with the HHS about potential Part 2 violations
- Covered entities must establish a complaints program
- Restrictions on the use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients, absent patient consent or a court order
- A safe harbor requires investigative agencies to take steps if they discover they have received Part 2 records without having first obtained the required court order
- The HIPAA Breach Notification Rule requirements apply to Part 2 records. Entities experiencing a breach of Part 2 records must self-report the data breaches to the HHS and issue individual notifications
A final rule issued under the Biden administration in December 2024 – HIPAA Privacy Rule to Support Reproductive Health Care Privacy – to prohibit disclosures of reproductive health information related to criminal, civil, or administrative investigations was overturned by a Texas judge last year. The final rule included a section relating to 45 C.F.R. 164.520 (notice of privacy practices – NPP), concerning SUD records, which remains in place. The deadline for updating and distributing NPPs to reflect the heightened protections for SUD records is also February 16, 2026.
The requirements under HIPAA for NPPs are detailed in this post – HIPAA Notice of Privacy Practices. Before the February 16, 2026, deadline, entities subject to the Part 2 regulations must update their NPPs. The NPP must notify individuals about the permitted uses and disclosures of Part 2 records, explain the legal rights of individuals with respect to their Part 2 records, explain the more stringent limits on Part 2 records and how they differ from HIPAA, explain how the use of SUD records in civil, criminal, administrative, or legislative proceedings against an individual is limited, and notify individuals that the use or disclosure of Part 2 records for treatment, payment, and health care operations generally requires the individual’s written consent.
If SUD records are created or maintained by the entity, the additional elements that must be included in the NPP are explained below:
- Notice about rights with respect to SUD records – Individuals must receive “adequate notice of the uses and disclosures of such records, and of the individual’s rights and the covered entity’s legal duties with respect to such records.” While HIPAA permits certain uses and disclosures of protected health information without authorization, the rules are different for SUD records. If the HIPAA NPP and the Part 2 NPP are combined, then the NPP must contain all of the required elements under 42 CFR 2.22.
- Limits on the Use of SUD Records – Covered entities must state the difference between Part 2 and HIPAA. A statement must be included with respect to SUD treatment records to explain that “[SUD Records] received from programs subject to 42 CFR part 2, or testimony relaying the content of such records, shall not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on written consent, or a court order after notice and an opportunity to be heard is provided to the individual or the holder of the record, as provided in 42 CFR part 2. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed.”
- Notice about other laws that are more restrictive than HIPAA – The permitted uses and disclosures explained in the NPP are limited by laws more restrictive than HIPAA, such as Part 2, and the description of uses and disclosures must reflect the more stringent law. If another law permits or requires disclosures, the description in the NPP about uses and disclosures must include sufficient detail to place the individual on notice of uses and disclosures permitted or required by HIPAA, along with any other applicable law, including Part 2.
- Notice about redisclosure of Part 2 records – The NPP must contain a statement advising patients about the potential redisclosure of records. If information is disclosed pursuant to the HIPAA Privacy Rule, the records could potentially be redisclosed and will no longer be protected under the HIPAA Privacy Rule.
- Fundraising – If an entity that creates or maintains Part 2 records intends to use that information for fundraising purposes for the benefit of the covered entity, individuals must be presented with a clear and conspicuous opportunity to choose not to receive fundraising communications.
In August 2025, HHS Secretary Robert F. Kennedy Jr. delegated the authority for enforcing compliance with the Part 2 regulations to OCR. Enforcement of compliance with the Part 2 regulations will follow the same process as enforcement of HIPAA compliance, meaning OCR can enter into resolution agreements, monetary settlements, and corrective action plans with entities subject to the Part 2 regulations and can also impose civil monetary penalties for noncompliance. The financial penalties for noncompliance also align with HIPAA, increasing from $500 for a first offense and $5,000 for subsequent offenses to the current HIPAA penalties, which, in 2025, range from $141 to $2.1 million, with criminal penalties also possible. The penalty amounts are subject to annual increases in line with inflation.
The post February 16, 2026: Compliance Deadline for Part 2 Final Rule appeared first on The HIPAA Journal.