The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

OCR Issues Guidance on HIPAA and Disclosures of PHI for Extreme Risk Protection Orders

Posted By on Dec 21, 2021

The Department of Health and Human Services’ Office for Civil Rights (OCR) has published new guidance to explain how the HIPAA Privacy Rule applies to disclosures of protected health information (PHI) to support applications for extreme risk protection orders.

In June 2021, the U.S. Department of Justice published model legislation to provide states with a framework for creating their own extreme risk protection order (ERPO) laws. Extreme risk protection orders temporarily prevent a person in crisis, who poses a danger to themselves or others, from accessing firearms. ERPOs are intended to improve public safety and reduce the risk of firearm injuries and deaths.

ERPO legislation permits certain entities such as law enforcement officers, family members, and healthcare providers to apply to the courts for an ERPO. Part of that process involves obtaining affidavits or sworn oral statements from petitioners and witnesses. If healthcare providers are involved in ERPOs, the HIPAA Privacy Rule applies and places restrictions on any disclosures of PHI.

The HIPAA Privacy Rule permits disclosures of PHI when those disclosures are required by law, such as in relation to statutes, regulations, court orders, and subpoenas when the disclosures comply with and are limited to the relevant requirements of such laws. OCR has confirmed that healthcare providers are permitted to disclose information about an individual to support an application for an ERPO against that individual and, in such situations, the individual will not be required to authorize the disclosure under certain conditions.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

  • If required by a court order to make a disclosure of a patient’s medical records in support of an ERPO, a healthcare provider is only permitted to disclose the PHI that is specifically authorized by the court order.
  • If a state’s attorney issues a subpoena for medical records that is not accompanied by an order of a court or administrative tribunal, the requested PHI can only be provided if one of the following conditions are met:
    • The provider receives satisfactory assurances from the state’s attorney that reasonable efforts have been made to notify the subject of the PHI request about the request for access to his/her PHI
    • The provider receives satisfactory assurances state’s attorney that reasonable efforts have been made to secure a qualified protective order prohibiting use or disclosure of the PHI for purposes other than the proceeding and requiring the return to the provider or destruction of the PHI at the end of the proceeding.
    • When the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public

In all cases, HIPAA-regulated entities should make reasonable efforts to limit disclosures of PHI to the minimum necessary amount to achieve the purpose for which the PHI is being disclosed. It is also important to consult state laws, as laws may exist at the state level that provide more stringent privacy protections for individuals than those of the HIPAA Privacy Rule and not all states allow healthcare providers to apply for an ERPO.

OCR reminds HIPAA-regulated entities that federal laws such as 42 U.S.C. § 290dd-2 and 42 CFR part 2, and the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99 may apply in a situation where they have information indicating a threat to public safety.

“Too often, communities bear the weight of heartbreaking tragedies caused by the epidemic of gun violence in our country,” said HHS Secretary Xavier Becerra. “Today’s guidance on HIPAA and Extreme Risk Protection Orders is an important step the Biden-Harris Administration is taking towards protecting communities from gun violence by allowing law enforcement, concerned family members, or others to prevent a person in crisis from accessing firearms.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist