OCR Issues Guidance on HIPAA and Disclosures of PHI for Extreme Risk Protection Orders
The Department of Health and Human Services’ Office for Civil Rights (OCR) has published new guidance to explain how the HIPAA Privacy Rule applies to disclosures of protected health information (PHI) to support applications for extreme risk protection orders.
In June 2021, the U.S. Department of Justice published model legislation to provide states with a framework for creating their own extreme risk protection order (ERPO) laws. Extreme risk protection orders temporarily prevent a person in crisis, who poses a danger to themselves or others, from accessing firearms. ERPOs are intended to improve public safety and reduce the risk of firearm injuries and deaths.
ERPO legislation permits certain entities such as law enforcement officers, family members, and healthcare providers to apply to the courts for an ERPO. Part of that process involves obtaining affidavits or sworn oral statements from petitioners and witnesses. If healthcare providers are involved in ERPOs, the HIPAA Privacy Rule applies and places restrictions on any disclosures of PHI.
The HIPAA Privacy Rule permits disclosures of PHI when those disclosures are required by law, such as by statutes, regulations, court orders, and subpoenas, provided the disclosures comply with and are limited to the relevant requirements of such laws. OCR has confirmed that healthcare providers are permitted to disclose information about an individual to support an application for an ERPO against that individual, and that in such situations the individual’s authorization for the disclosure is not required, provided certain conditions are met:
- If required by a court order to disclose a patient’s medical records in support of an ERPO, a healthcare provider is only permitted to disclose the PHI that is specifically authorized by the court order.
- If a state’s attorney issues a subpoena for medical records that is not accompanied by an order of a court or administrative tribunal, the requested PHI can only be provided if one of the following conditions is met:
  - The provider receives satisfactory assurances from the state’s attorney that reasonable efforts have been made to notify the subject of the PHI about the request for access to his/her PHI.
  - The provider receives satisfactory assurances from the state’s attorney that reasonable efforts have been made to secure a qualified protective order prohibiting use or disclosure of the PHI for purposes other than the proceeding and requiring the return to the provider or destruction of the PHI at the end of the proceeding.
- When the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
In all cases, HIPAA-regulated entities should make reasonable efforts to limit disclosures of PHI to the minimum necessary to achieve the purpose for which the PHI is being disclosed. It is also important to consult state laws, as state-level laws may provide more stringent privacy protections for individuals than the HIPAA Privacy Rule, and not all states allow healthcare providers to apply for an ERPO.
OCR reminds HIPAA-regulated entities that other federal laws, such as 42 U.S.C. § 290dd-2 and 42 CFR Part 2, and the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99), may also apply in a situation where they have information indicating a threat to public safety.
“Too often, communities bear the weight of heartbreaking tragedies caused by the epidemic of gun violence in our country,” said HHS Secretary Xavier Becerra. “Today’s guidance on HIPAA and Extreme Risk Protection Orders is an important step the Biden-Harris Administration is taking towards protecting communities from gun violence by allowing law enforcement, concerned family members, or others to prevent a person in crisis from accessing firearms.”