Do your Staff need Training on HIPAA in Emergency Situations?
Emergencies in healthcare are not limited to extreme weather, wildfires, or other natural disasters. Today’s most disruptive incidents are just as likely to be cyberattacks, EHR downtime, system outages, and infrastructure failures. On a more localized level, organizations also face disruptive, aggressive, or violent patients and visitors that create immediate safety risks and require rapid, compliant decision‑making. Across all these scenarios, HIPAA continues to apply and staff must know how to act quickly while protecting patient privacy.
Effective HIPAA training equips staff to make permitted disclosures for treatment and care coordination during urgent situations without guessing. It helps staff understand when information may be shared with family or friends involved in a patient’s care, how to communicate with public health authorities, and when disaster relief organizations may receive limited information to help locate or notify individuals. It also clarifies that the minimum necessary standard does not limit disclosures for treatment, while guiding staff to limit other disclosures to what is reasonably needed.
HIPAA in Emergency Situations
HIPAA compliance officers must navigate a wide spectrum of emergencies that challenge normal operations and require staff to apply HIPAA under pressure. These events fall into two broad categories. The first involves system‑wide operational disruptions, which can halt access to ePHI, interrupt clinical workflows, or compromise critical infrastructure.
Natural disasters, cyberattacks, EHR downtime, system outages, and infrastructure failures can all force organizations into contingency mode. These situations often require coordinated action across clinical, IT, and compliance teams and activate HIPAA’s contingency planning requirements.
The second category involves localized safety emergencies, which occur far more frequently and demand immediate, on‑the‑ground decision‑making. Disruptive, aggressive, or violent patients, threatening or unstable visitors, and behavioral health crises that escalate into safety risks can all create urgent situations where staff must balance safety with privacy obligations.
Although incidents in this second category rarely trigger organization‑wide emergency preparedness plans, they do require personnel to make rapid HIPAA decisions, particularly around the imminent danger standard, the minimum necessary requirement, and appropriate communication boundaries.
Across both categories, whether the disruption affects the entire organization or a single unit, staff must understand how HIPAA applies when normal operations are disrupted and quick judgment is essential.
HIPAA Training for System‑Wide Disruptions
During natural disasters, cyberattacks, outages, and infrastructure failures, staff must know how to:
- Access essential information during downtime
- Permissibly disclose PHI to emergency services personnel
- Document care using approved paper or downtime workflows
- Secure temporary records and re‑enter data safely once systems are restored
- Avoid insecure workarounds such as using personal or unapproved tools and services
- Verify patient identity when electronic tools are unavailable
Training should reinforce that HIPAA’s Privacy and Security Rules remain fully in effect, even when systems are compromised.
HIPAA Training for Localized Safety Emergencies
Disruptive or violent behavior creates immediate risks to staff, patients, and visitors. HIPAA training should prepare personnel to:
- Recognize when the imminent danger standard permits disclosure of limited PHI
- Share only the information necessary to protect individuals on site
- Document what was disclosed, to whom, and why
- Avoid unnecessary post‑incident discussion or over‑disclosure
- Understand when behavioral information is PHI and when it is not
- Coordinate with security teams without violating privacy boundaries
These scenarios are among the most common sources of privacy lapses because staff act quickly, often without clear guidance. Training must close that gap.
Contingency Planning, Emergency Preparedness, and HIPAA Expectations
Effective emergency readiness requires strong HIPAA contingency planning supported by clear HIPAA Privacy Rule guidance. HIPAA Security Officers must ensure that the confidentiality, integrity, and availability of ePHI can be maintained during any disruption, and staff should understand how backup and recovery processes work, what emergency mode operations look like in practice, and their specific responsibilities during downtime.
HIPAA training must also clarify how permissible uses and disclosures function in emergencies. Staff must understand that disclosures for treatment may proceed without delay, that the minimum necessary standard still applies to most non‑treatment disclosures, and that patient authorization is still required for uses and disclosures not otherwise permitted by the Privacy Rule, even during emergencies. Staff should also know how to escalate suspected breaches or unusual system behavior, and how these expectations apply during both system‑wide and localized incidents.
For Medicare and Medicaid participants, integrating HIPAA contingency planning with CMS Emergency Preparedness requirements creates a unified response framework. This alignment reduces confusion during incident command activation, clarifies communication channels and decision‑making authority, and ensures staff understand how HIPAA’s Privacy and Security Rules operate within broader emergency operations, particularly during incidents where coordinated action is essential.
HIPAA Flexibilities and Expectations in Emergencies
HIPAA provides important flexibilities that support emergency response, but these flexibilities operate within clear boundaries that staff must understand. During widespread events such as major natural disasters, the HHS Office for Civil Rights may announce temporary enforcement discretion for specific provisions of the HIPAA Privacy Rule, but this discretion is always limited, temporary, and formally communicated. Staff must continue following HIPAA as usual unless leadership explicitly advises otherwise.
Key Takeaways for HIPAA Compliance Officers
- HIPAA continues to apply during system-wide or localized emergencies.
- Staff must be trained to make rapid, lawful disclosures for treatment and safety.
- Cyberattacks and outages now trigger HIPAA contingency plans more often than natural disasters.
- Disruptive patients and visitors create high‑frequency safety emergencies that require clear HIPAA guidance.
- Training must address downtime workflows, secure communication, and re‑entry procedures.
- Aligning HIPAA contingency plans with CMS Emergency Preparedness strengthens organizational readiness.
- HIPAA flexibilities support emergency response but require clear understanding. Enforcement discretion must never be assumed.
A well‑trained workforce is your strongest asset during emergencies. When staff understand how HIPAA operates under pressure, they protect patients, support continuity of care, and reduce organizational risk.
The post Do your Staff need Training on HIPAA in Emergency Situations? appeared first on The HIPAA Journal.
HHS Office for Civil Rights Establishes Part 2 Enforcement Program
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has established a civil enforcement program for the 42 CFR Part 2 – Confidentiality of Substance Use Disorder Patient Records (Part 2) regulations.
The Coronavirus Aid, Relief, and Economic Security (CARES) Act, an economic stimulus bill signed into law on March 27, 2020, included a section (Section 3221) related to the confidentiality and disclosure of substance use disorder (SUD) records. The CARES Act directed the HHS to implement changes to align the Part 2 regulations more closely with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, to enhance protections and improve patient rights, while allowing a more flexible approach to the sharing of SUD records with patient consent to improve care coordination.
In February 2024, the HHS issued a final rule that modified the Part 2 regulations by implementing the changes mandated by Section 3221 of the CARES Act. The final rule improves coordination among providers treating patients for SUD, aligns certain Part 2 requirements with the HIPAA Privacy Rule and HIPAA Breach Notification Rule, and enhances integration of behavioral health information with other medical records to improve patient health outcomes.
The final rule also implemented a new penalty structure, mirroring that of HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. OCR has been granted authority to enforce compliance, and if violations are identified, they will be subject to the same range of enforcement mechanisms as HIPAA. Violations of the Part 2 regulations can be resolved with civil monetary penalties, resolution agreements, monetary settlements, and corrective action plans to address areas of noncompliance.
The enforcement program uses newly established civil enforcement mechanisms to protect the confidentiality of SUD records held by covered SUD programs. “At President Trump’s direction, HHS is aggressively enforcing federal safeguards to protect substance use disorder patient records as part of the Great American Recovery Initiative,” said HHS Secretary Robert F. Kennedy, Jr. “Americans seeking treatment for substance use disorder deserve comprehensive care without sacrificing their privacy or legal protections.”
This is the first time that civil enforcement mechanisms have been established for Part 2, and they will help to ensure that the privacy of Americans seeking treatment for substance use disorder is protected. “OCR’s civil enforcement program will instill confidence in patients and encourage them to seek SUD treatment from covered SUD providers. At the same time, compliance with the updated Part 2 regulation will improve care coordination and reduce administrative burdens,” said OCR Director Paula M. Stannard. “OCR is uniquely positioned to enforce patient rights and the regulated community’s obligations given our extensive experience administering compliance and enforcement programs for health information privacy, security, and breach notification under HIPAA.”
OCR must be notified about any breach of SUD records, and the agency will investigate breaches to determine whether they were the result of noncompliance. On February 16, 2026, OCR started accepting complaints about potential violations of the Part 2 regulations, including civil rights complaints and breach notifications related to SUD records.
Complaints about potential Part 2 violations should be submitted via the OCR breach portal. Individuals are encouraged to file a complaint if they believe that their civil rights or health information privacy have been violated, but also if they suspect that the civil rights or health information privacy of other individuals have been violated. Complaints will be investigated, and if substantiated, violations will be resolved through the newly established enforcement mechanisms.
The OCR breach portal has been updated to show entities and individuals that have experienced breaches of Part 2 records. As with the section of the OCR breach portal for HIPAA breach reports, a summary of each breach of Part 2-covered records is listed. The listings include basic information about the breach: the name of the Part 2 program, state, individuals affected, breach submission date, type of breach, and the location of the breached information. When OCR has completed its investigation of a breach, the listing will be moved to the archive, with brief notes added from OCR’s investigation. The breach portal only includes large breaches of SUD records, i.e., those affecting 500 or more individuals. Smaller breaches are not made public, although the breach reporting requirements are the same, irrespective of the size of the breach.
The post HHS Office for Civil Rights Establishes Part 2 Enforcement Program appeared first on The HIPAA Journal.
Data Breach Settlements Agreed by Centrelake Medical Group & Des Moines Orthopaedic Surgeons
Class action lawsuits over data breaches at Centrelake Medical Group and Des Moines Orthopaedic Surgeons have been resolved with settlements.
Centrelake Medical Group Settlement
Centrelake Medical Group, the operator of 8 medical imaging and oncology centers in California, has agreed to settle a class action lawsuit stemming from a 2019 cybersecurity incident that affected 197,661 patients. Centrelake Medical Group experienced a ransomware attack in February 2019. The hackers had access to its servers from January 9 to February 19, 2019, and potentially obtained information such as names, phone numbers, addresses, Social Security numbers, health insurance information, diagnoses, services performed, dates of service, medical record numbers, referring provider information, and driver’s license numbers.
A lawsuit was filed in response to the data breach – April Kay Moore, et al. v. Centrelake Medical Group, Inc. – in the Superior Court of California, County of Los Angeles Civil Division, which asserted claims of breach of express and/or implied contractual promise, breach of covenant of good faith and fair dealing, violation of Civil Code § 56, et seq., and violation of California Business and Professions Code § 17200, et seq.
Centrelake Medical Group denies all claims of liability and wrongdoing but determined that the litigation would likely be protracted and expensive, and agreed to a settlement. Centrelake Medical Group has agreed to pay $525,000 for attorneys’ fees and expenses, $2,500 for each of the class representatives, and will cover notice and settlement costs.
Class members are entitled to enroll in two years of free medical and credit monitoring services, and claims may be submitted for documented, unreimbursed losses due to the data breach. A cap of $500 has been placed on ordinary losses due to the data breach, and a cap of $3,500 has been placed on extraordinary losses. Individuals who were California residents at the time of the data breach may also claim an additional $50 cash payment. The deadline for submitting a claim is June 12, 2026, and the final fairness hearing has been scheduled for July 14, 2026.
Des Moines Orthopaedic Surgeons Settlement
Des Moines Orthopaedic Surgeons in Iowa has agreed to settle class action litigation over a 2023 data breach. Des Moines Orthopaedic Surgeons experienced a data security incident in February 2023 that impacted its computer systems and resulted in the theft of the protected health information of 307,864 current and former patients. Data compromised in the incident included names, Social Security numbers, dates of birth, driver’s license numbers, state identification numbers, passports, direct deposit bank information, medical information, and health insurance information.
Three class action lawsuits were filed in response to the data breach and were consolidated – Rogers, et al., v. Des Moines Orthopaedic Surgeons, P.C. – in the Iowa District Court for Dallas County. The plaintiffs alleged that the data breach was due to the failure to implement appropriate cybersecurity measures to protect patient data. Des Moines Orthopaedic Surgeons denies all claims of liability and wrongdoing but opted to settle the litigation to avoid the costs, expense, distraction, burden, and disruption to business operations of continuing with the litigation.
The settlement includes monetary relief for the class members, which has been capped at $1,000,000. Class members are entitled to claim three years of three-bureau credit monitoring and identity theft protection services. In addition, a claim may be submitted for reimbursement of losses due to the data breach and compensation for lost time. A claim may be submitted for reimbursement of documented, unreimbursed ordinary out-of-pocket losses up to a maximum of $400 per class member, up to four hours of lost time at $25 an hour, and reimbursement of documented, unreimbursed extraordinary losses up to a maximum of $5,000 per class member.
If a claim for reimbursement of losses and lost time is not submitted, class members may claim an alternative cash payment. Those payments are $25 if their Social Security number was not compromised, and $100 if their Social Security number was compromised. The deadline for submitting a claim is March 23, 2026, and the final fairness hearing has been scheduled for April 2, 2026. Individuals wishing to object to the settlement or exclude themselves have until February 23, 2026, to do so.
The post Data Breach Settlements Agreed by Centrelake Medical Group & Des Moines Orthopaedic Surgeons appeared first on The HIPAA Journal.