The Department of Health and Human Services’ Office for Civil Rights has issued guidance for healthcare providers on how the Health Insurance Portability and Accountability Act (HIPAA) applies to disclosures of protected health information (PHI) to support applications for extreme risk protection orders (ERPOs).
Earlier this year, the United States Department of Justice published model legislation that serves as a framework for states considering implementing ERPO laws. ERPOs are court orders that prevent people in crisis – who may pose a threat to themselves or the public – from accessing firearms. An ERPO is a temporary measure for improving the public’s safety by helping to prevent firearm injuries and deaths.
ERPO applications can be submitted by certain categories of petitioners, such as law enforcement, healthcare providers, or family members. The applications involve sworn oral statements and affidavits from petitioners and witnesses to support the applications, which may involve disclosures of protected health information.
When healthcare providers submit applications or receive subpoenas or court orders, there is often a requirement to disclose PHI, and the HIPAA Privacy Rule places restrictions on PHI disclosures. The guidance confirms that, in limited circumstances, the HIPAA Privacy Rule permits a covered healthcare provider to disclose PHI to support an ERPO application.
“HIPAA should not be a barrier to communication for law enforcement, concerned family members, health care providers, and others when they see an individual in crisis,” said OCR Director Lisa J. Pino. “Today’s guidance helps clarify legal requirements and to better support individuals in crisis.”
OCR explains in the guidance that covered healthcare providers are permitted to disclose PHI to support an ERPO application when the disclosure is required by law, for example, due to statutes and regulations or in response to a court order, administrative tribunal, subpoena, discovery request, or another lawful process in the course of a judicial or administrative proceeding.
In such cases, the covered healthcare provider is only permitted to disclose the PHI that is authorized by the court order, subpoena, etc. If a subpoena is received that is not accompanied by a court order or administrative tribunal, PHI, which includes mental health care information, may only be disclosed if at least one of the following conditions is met:
- Satisfactory assurances are received from the state’s attorney that reasonable efforts have been made to ensure that the individual who is the subject of the PHI request has been given notice of the request; or
- Satisfactory assurances are received from the state’s attorney that reasonable efforts have been made to secure a qualified protective order prohibiting use or disclosure of the PHI for purposes other than the proceeding, and requiring the return to the provider or destruction of the PHI at the end of the proceeding; or
- When a covered healthcare provider believes an individual poses a serious and imminent threat to the health or safety of a person, including the individual, and the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. The disclosure is determined to be in good faith if the belief is based on the provider’s actual knowledge or in reliance on a credible representation by a person with apparent knowledge or authority.
When disclosures of PHI are permitted by the HIPAA Privacy Rule, covered healthcare providers should comply with the HIPAA Minimum Necessary Standard, and should make reasonable efforts to limit most uses, disclosures, and requests to the minimum necessary PHI to accomplish the intended purpose of the use, disclosure, or request.
It is also important to ensure compliance with state ERPO laws, which can differ from state to state in significant ways. In some states, for example, it is not permitted for healthcare providers to make applications for ERPOs. State laws should be consulted before disclosing any PHI to support an ERPO application.
OCR also explains that other laws may be applicable, which may have stricter privacy protections for healthcare data, and to consider federal laws such as 42 U.S.C. § 290dd-2 and 42 CFR part 2, which concerns substance use disorder treatment records, and the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99), which covers school education and treatment records.
“Too often, communities bear the weight of heartbreaking tragedies caused by the epidemic of gun violence in our country,” said HHS Secretary Xavier Becerra. “Today’s guidance on HIPAA and Extreme Risk Protection Orders is an important step the Biden-Harris Administration is taking towards protecting communities from gun violence by allowing law enforcement, concerned family members, or others to prevent a person in crisis from accessing firearms.”
Click here to access OCR’s Guidance on the HIPAA Privacy Rule and Disclosures of Protected Health Information for Extreme Risk Protection Orders.