Office for Civil Rights

HIPAA Privacy Rule: Disclosures for Emergency Preparedness - A Decision Tool

Disclosures subject to minimum necessary standard

• Covered entities must limit the PHI disclosed for public health and other purposes, including certain treatment purposes, to the amount reasonably necessary to accomplish the purpose.
  
  
• For routine and recurring disclosures, covered entities may develop standard protocols, as part of their minimum necessary policies and procedures that address the types and amount of PHI that may be disclosed for such purposes.
  
  
• Covered entities may reasonably rely on a public official's request as constituting minimum necessary for the stated purpose if the public official states that the information requested is the minimum necessary to accomplish the activity.
  
  
• A provider could release specific PHI to a Public Health Authority (PHA) authorized to receive information if the authority asserts that information is needed to plan a disaster recovery activity. The information requested would vary based on the anticipated activity.
  
  
  • Example: To organize the direct provision of transportation, it may be reasonably necessary for the PHA to request and for the covered entity to disclose the name, address, and physical limitations of individuals.
    
    
  • Example: For more general planning, such as developing procurement estimates of the number of vehicles and types of supportive equipment required for evacuation, the request and disclosure could be reasonably limited to individuals' zip code and physical limitations.