The Department of Health and Human Services' Office for Civil Rights (OCR) has issued new guidance explaining how the HIPAA Privacy Rule applies to disclosures of protected health information (PHI) made in support of applications for extreme risk protection orders.
In June 2021, the U.S. Department of Justice published model legislation that gives states a framework for creating their own extreme risk protection order (ERPO) laws. An ERPO temporarily prevents a person in crisis, who poses a risk to themselves or others, from accessing firearms. ERPOs are intended to improve public safety and reduce the risk of firearm injuries and deaths.
ERPO laws allow specified parties, such as law enforcement officials, family members, and healthcare organizations, to petition the courts for an ERPO. Part of that process involves obtaining affidavits or sworn oral statements from petitioners and witnesses. When healthcare organizations are involved in ERPO proceedings, the HIPAA Privacy Rule applies and places limits on any disclosure of PHI.
The HIPAA Privacy Rule permits disclosures of PHI when they are required by law, for example by statutes, regulations, court orders, and subpoenas, provided the disclosures comply with and are limited to the relevant requirements of that law. OCR has confirmed that healthcare organizations may disclose information about an individual to support an ERPO application against that individual and that, in such cases, the individual's authorization for the disclosure is not required, subject to certain conditions.
When a court order requires a healthcare organization to disclose a patient's medical information in support of an ERPO, the organization may disclose only the PHI that the court order expressly authorizes.
If a state's attorney issues a subpoena for health records that is not accompanied by an order of a court or administrative tribunal, the requested PHI may be disclosed only when one of the following conditions is met:
The provider receives satisfactory assurances from the state's attorney that reasonable efforts were made to notify the individual who is the subject of the PHI about the request.
The provider receives satisfactory assurances from the state's attorney that reasonable efforts were made to secure a qualified protective order that prohibits use or disclosure of the PHI for any purpose other than the proceeding and requires the PHI to be returned to the provider or destroyed at the end of the proceeding.
The disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
In all cases, HIPAA-covered entities must make reasonable efforts to limit disclosures of PHI to the minimum necessary to accomplish the purpose of the disclosure. It is also essential to check state law, since state-level rules may provide stronger privacy protections for individuals than the HIPAA Privacy Rule, and not all states permit healthcare organizations to apply for an ERPO.
OCR reminds HIPAA-covered entities that other federal laws, such as 42 U.S.C. § 290dd-2 and 42 CFR Part 2, and the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99), may also apply when they hold information suggesting a risk to public safety.
HHS Secretary Xavier Becerra states that, far too often, communities bear the weight of tragedies caused by the crisis of gun violence in our country. This guidance on HIPAA and Extreme Risk Protection Orders is a crucial step the Biden-Harris Administration is taking toward protecting communities from gun violence by allowing authorities, concerned family members, or others to prevent a person in crisis from accessing firearms.