OCR Announces Limited Waiver of HIPAA Sanctions & Penalties in Texas
On July 8, 2025, HHS Secretary Robert F. Kennedy Jr. declared a Public Health Emergency exists in the State of Texas as a result of severe storms, straight-line winds, and flooding, and has done so since July 2, 2025. The HHS Secretary has also announced a limited waiver of HIPAA sanctions and penalties for covered hospitals in the areas of Texas covered by the PHE for a limited period. The PHE declaration and HIPAA waiver follow President Donald Trump’s July 6, 2025, Major Disaster Declaration for Kerr County, Texas.
Severe natural disasters such as hurricanes and floods place additional challenges on healthcare providers, which can make compliance with certain provisions of the HIPAA Rules difficult, such as those related to the sharing of individuals’ protected health information with friends and family, public health officials, and emergency personnel.
During a PHE, the HIPAA Rules are not suspended; however, to ease the burden on covered hospitals in the area covered by a PHE, the HHS Secretary often announces a limited waiver of HIPAA sanctions and penalties for specific HIPAA Privacy Rule provisions.
As has been the case with other PHEs, the HHS Secretary has agreed to waive sanctions and penalties against a covered hospital that does not comply with the following specific provisions of the HIPAA Privacy Rule:
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
- The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care – 45 CFR 164.510(b).
- The requirement to honor a request to opt out of the facility directory – 45 CFR 164.510(a).
- The requirement to distribute a notice of privacy practices – 45 CFR 164.520.
- The patient’s right to request privacy restrictions – 45 CFR 164.522(a).
- The patient’s right to request confidential communications – See 45 CFR 164.522(b).
The waiver only applies to the above provisions of the HIPAA Privacy Rule, only in the area covered by the PHE, only for the duration of the PHE, and only for hospitals that have instituted a disaster protocol. The waiver only applies for up to 72 hours after the hospital implements its disaster protocol, and when the Presidential or Secretarial declaration terminates, so does the waiver, even for patients still under a hospital’s care and even if the 72-hour period has not yet elapsed.
It should be noted that the HIPAA Privacy Rule permits disclosure of PHI in emergency situations for treatment purposes, for public health activities, and disclosures to family members, friends, and others involved in an individual’s care. PHI may also be shared with anyone, as necessary, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.
Upon request, disclosures to the media or others are permitted about a particular patient if the name of the individual is provided, in which case limited facility directory information can be disclosed, such as acknowledging that the individual is a patient at the facility, and basic information can be shared on the patient’s condition in general terms, e.g. critical or stable, deceased, treated and released, provided the patient has not objected to such a disclosure. If the patient is incapacitated, professional judgment should be used as to whether the disclosure is in the best interest of the patient.
In all cases, the minimum necessary standard applies, where the information disclosed should be limited to the minimum necessary information to accomplish the purpose of the disclosure.
