
OCR Issues HIPAA Guidance Surrounding Extreme Risk Protection Orders

HIPAA covered healthcare providers can disclose PHI to support an extreme risk protection order, which prevents patients in crisis from accessing firearms.

By Jill McKeon

HHS’s Office for Civil Rights (OCR) released new guidance to clarify how HIPAA permits covered healthcare providers to disclose protected health information (PHI) without a patient’s consent to support applications for extreme risk protection orders (ERPOs). ERPOs can temporarily prevent a person in crisis from accessing firearms if they are perceived to pose a danger to themselves or others.

The US Department of Justice (DOJ) published model legislation on June 7, 2021, to provide a framework for state legislators. Family members, law enforcement, healthcare providers, and others may seek an ERPO if they are concerned that an individual may be suicidal or may use a firearm to injure themselves or another person.

"Too often, communities bear the weight of heartbreaking tragedies caused by the epidemic of gun violence in our country," Xavier Becerra, HHS secretary, explained in an accompanying press release.

"Today's guidance on HIPAA and Extreme Risk Protection Orders is an important step the Biden-Harris Administration is taking towards protecting communities from gun violence by allowing law enforcement, concerned family members, or others to prevent a person in crisis from accessing firearms."

The new guidance aimed to help healthcare providers support ERPOs while complying with HIPAA by providing specific use cases. It is important to note that ERPO legislation can vary significantly from state to state, usually concerning the categories of petitioners applying for an ERPO.

The HIPAA Privacy Rule permits a covered healthcare provider to disclose PHI without the patient’s authorization when the disclosure is in response to a court order, administrative tribunal, subpoena, discovery request, or other lawful process.

For example, the guidance explained, if a covered healthcare provider receives a court order compelling them to produce an individual’s medical records to support the court’s determination as to whether to issue an ERPO, HIPAA permits the healthcare provider to disclose only the PHI that is authorized by the court order.

In a second example, “A petitioner applies for an ERPO in state court alleging, in an affidavit, that her partner has threatened to shoot her with his firearm and has been receiving care from a mental health professional. The state’s attorney issues a subpoena compelling the partner’s covered mental health care provider to disclose medical records to determine whether there is a sufficient legal basis to issue the ERPO.”

In this case, HIPAA permits the mental healthcare provider to disclose the minimum necessary PHI to comply with the subpoena, which is not accompanied by an order of a court or administrative tribunal, if one of three conditions is met.

The provider must either receive assurances from the state’s attorney that reasonable efforts have been made to notify the patient of the request, receive assurances that efforts have been made to secure a qualified protective order prohibiting the use of the PHI for any other purpose, or ensure that the disclosure is necessary to lessen a serious threat to the health or safety of the patient or the public.

Most importantly, healthcare providers should make sure to only provide the minimum necessary PHI, follow varying state ERPO laws, and above all else, ensure the safety of both the patient and the public.

"HIPAA should not be a barrier to communication for law enforcement, concerned family members, health care providers, and others when they see an individual in crisis," Lisa J. Pino, OCR’s director, explained in the press release.

"Today's guidance helps clarify legal requirements and to better support individuals in crisis."