HIPAA Guidance for Mass Shootings and Other Tragic and Emergency Situations

In the aftermath of one of the deadliest school shootings in U.S. history, many health care organizations are revisiting their HIPAA policies and procedures to determine exactly what information they are allowed to share and with whom they may share it.


A health care entity may share a patient’s location, general condition or death with a patient’s family, guardian, or friend who is involved in the patient’s care or who may be responsible for payment of the patient’s treatment. This may occur in a variety of circumstances including, but not limited to, the following:

  • If the patient is present and able to consent to the disclosure, the health care provider must obtain the patient’s consent, provide the patient with the opportunity to object to the disclosure, or reasonably conclude, based on the professional judgment of the health care professional, that the patient would not object to the disclosure being made.
  • If the patient is not present or unable to consent due to incapacity or emergency, the health care professional may in the exercise of professional judgment determine whether the disclosure to the family, friend or guardian is in the best interest of the patient.
  • If the patient is deceased, the health care provider may disclose information about the patient to the family member, friend or guardian unless the health care professional is specifically aware that the patient, prior to their death, expressed that the disclosure not be made.
  • Health care providers may also share information about a patient with police, media outlets or the general public when attempting to identify, locate or notify family members, guardians or personal representatives of a patient. Information that may be shared includes the patient’s location, general health status or death.
  • PHI may be shared with disaster relief organizations that are legally responsible for assisting with disasters if doing so will assist in the notification of family members or other individuals responsible for the patient’s care. [1]


Hospitals and health care entities may share general information about a patient with media outlets in an effort to identify, locate or notify individuals responsible for the patient’s care. However, if the request is initiated by the media, you must consider the following:

  • If the patient is conscious and does not specifically object, limited facility directory information may be shared as long as the requestor identifies the patient by name. This information includes whether the patient is indeed seeking treatment at the facility, whether they are in critical or stable condition, and whether they sought treatment and are now released.
  • If the patient is unable to consent, the health care provider can determine based on their professional judgment whether notifying the media or general public of the patient’s status or death is in the best interest of the patient.

Specific information about a patient’s care, such as x-rays, tests performed and test results, or details of a patient’s diagnosis may not be disclosed without either the patient’s authorization or the authorization of their personal representative.


Health care entities can provide information to law enforcement with a signed HIPAA authorization from the patient or the patient’s personal representative. However, there are instances in which PHI may be shared with law enforcement without patient consent. Those instances include:

  • When the health care professional reasonably believes that the report would prevent or lessen a serious and imminent threat to the health or safety of an individual or the public;
  • The entity believes in good faith that it is sharing information that may be evidence of a crime that occurred on the premises of the entity;
  • Alerting law enforcement of the death of an individual when there is a suspicion that the death resulted from criminal conduct;
  • When responding to an off-site medical emergency, as necessary to alert law enforcement to criminal activity;
  • When it is required by law to make reports to law enforcement, like in instances of treating gunshot or stab wounds;
  • In compliance with court orders, warrants, subpoenas or summons;
  • In response to a request by law enforcement to identify or locate a suspect, fugitive, material witness or missing person (the information must be limited to basic demographic and identifying information about the person); and
  • Instances of child abuse or neglect reporting when the entity receiving the report is officially authorized by law to receive the report[2].


When law enforcement needs assistance with identifying and locating a suspect, fugitive or material witness to a crime, health care entities are encouraged to cooperate with these requests. However, those disclosures must be limited to the following information:

  • Name and Address,
  • Date and Place of Birth,
  • Social Security Number,
  • ABO Blood Type and RH Factor,
  • Type of Injury,
  • Date and Time of Treatment,
  • Date and Time of Death, and
  • Description of Distinguishing Physical Characteristics[3] (e.g., tattoos, mustache, beard).

Any additional medical information about a suspect, such as DNA tests or body fluid analysis, can only be disclosed upon the presentation of a signed authorization, court order, warrant or documented administrative request.


There is no lack of confusion regarding what a HIPAA waiver is and when it may be utilized. Waivers of HIPAA sanctions and penalties occur when the President declares an emergency or disaster and the Secretary of the Department of Health and Human Services (HHS) waives provisions of the Privacy Rule during the emergency or disaster.

If the Secretary issues such a waiver, it only applies:

  • In the emergency area and for the emergency period identified in the public health emergency declaration;
  • To hospitals that have instituted a disaster protocol. The waiver would only apply to patients at such hospital; and
  • For up to 72 hours from the time the hospital implements its disaster protocol.[4] Once the limited waiver terminates, health care entities are required to comply with the HIPAA Privacy Rule.

It is important to know under what circumstances you can disclose information and to whom those disclosures can be offered. Failure to understand these requirements may place you at risk for HIPAA violations and sanctions. If you have specific questions about disclosures of PHI, please contact a health care compliance professional.

[1] 45 CFR 164.510(b)

[2] 45 CFR 164.512

[3] 45 CFR 164.512(f)(2)

[4] 45 CFR 164.510(b)(4)

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala. The Dunson Group, LLC, is an official partner with the Medical Association.
