Selected Legal Authorities
The federal legal framework for all-hazards emergency preparedness and response includes laws, regulations, and executive orders. This Web site provides only a brief overview of some of the federal laws that may apply to older adults, public health, and preparedness and response activities. Individual organizations and entities should consult their legal counsel for specific guidance on any legal issue that may arise in their jurisdiction.
The purpose of Pandemic and All-Hazards Preparedness Act (PAHPA) is “to improve the nation’s public health and medical preparedness and response capabilities for emergencies, whether deliberate, accidental, or natural.” The act provides new authorities for developing countermeasures and establishing mechanisms and grants to continue strengthening the public health security infrastructure at state and local levels. The act also permits the Secretary of Health and Human Services to require that entities receiving cooperative agreement awards describe how they will include state units on aging in their public health emergency preparedness plans.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, it permits the disclosure of personal health information needed for patient care and other important purposes.
Because of uncertainty about how this rule should be applied during an emergency, service providers may have concerns about their liability if they share the names of older adults who need help. In 2001, HHS released a guidance memo to the Administration on Aging (AoA) that states that programs that operate under the Older Americans Act (OAA) do not meet the criteria for a covered entity as a health plan. However, because they may meet the criteria for a health care provider and collect the type of individually identifiable health information covered under the OAA, they may be subject to the HIPAA Privacy Rule.
Examples of covered entities include the following:
- Health plans, such as company health plans, government programs that pay for health care (e.g., Medicare, Medicaid, health care programs for military personnel and veterans), health insurance companies, and health maintenance organizations.
- Health care clearinghouses, including entities that process nonstandard health information received from another entity into a standard format or vice versa.
- Health care providers, such as chiropractors, clinics, dentists, nursing homes, pharmacies, physicians, and psychologists.
The following types of agencies are not covered entities under the Privacy Rule if they do not meet the criteria as covered entities: social service agencies, centers for independent living, paratransit authorities, protection and advocacy organizations, and public agencies that perform public health activities. The terms discussed in this section (e.g., health plan, health care provider) are specifically defined in the HIPAA Privacy Rule. Local and state organizations should consult their legal counsel to determine if their operations meet the criteria for a covered entity.
If the President of the United States declares an emergency or disaster and the Secretary of Health and Human Services declares a public health emergency, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule. However, the Privacy Rule remains in effect, and waivers apply for limited periods only.
For more complete information, visit the Legal Information section of the Emergency Preparedness for Older Adults Web Portal on the CDC Healthy Aging Program Web site.
Get email updates
To receive email updates about this page, enter your email address:
- Centers for Disease Control and Prevention
Healthy Aging Program
4770 Buford Highway, N.E., Mailstop F-78
Atlanta, GA 30341-3717
TTY: (888) 232-6348
- Contact CDC-INFO