The Department of Health and Human Services’ Office for Civil Rights (OCR) has released new guidance clarifying how the HIPAA Privacy Rule applies to disclosures of protected health information (PHI) made in support of applications for extreme risk protection orders.
In June 2021, the U.S. Department of Justice shared model legislation to give states a framework for making their own extreme risk protection order (ERPO) rules. Extreme risk protection orders temporarily stop an individual in crisis, who presents a threat to themselves or others, from accessing weapons. ERPOs are designed to enhance public safety and minimize the possibility of firearm accidents and deaths.
ERPO laws allow a number of entities, for instance law enforcement authorities, family members, and healthcare organizations, to apply to the courts for an ERPO. Part of that process consists of obtaining affidavits or sworn oral statements from witnesses and petitioners. When healthcare organizations are involved in ERPOs, the HIPAA Privacy Rule applies and places restrictions on any disclosures of PHI.
The HIPAA Privacy Rule allows PHI disclosures when those disclosures are required by law, for instance under statutes, laws, court orders, and subpoenas, provided the disclosures comply with and are limited to the relevant requirements of such law. OCR has established that healthcare organizations are allowed to share information about an individual to support an application for an ERPO against that individual and that, in these cases, the individual’s authorization for the disclosure is not required under certain conditions.
When required by a court order to disclose a patient’s medical information in support of an ERPO, a healthcare organization is only authorized to disclose the PHI that is expressly permitted by the court order.
If a state’s attorney issues a subpoena for health records that is not accompanied by a court or administrative tribunal order, the requested PHI may only be disclosed if one of these conditions is satisfied:
The provider receives adequate assurances from the state’s attorney that reasonable efforts were made to inform the subject about the request for the PHI.
The provider receives adequate assurances from the state’s attorney that reasonable efforts were made to secure a qualified protective order prohibiting use or disclosure of the PHI for purposes other than the proceeding and requiring the return of the PHI to the provider or its deletion at the end of the proceeding.
The disclosure is needed to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
In all cases, HIPAA-covered entities should make reasonable efforts to limit disclosures of PHI to the minimum amount necessary to achieve the purpose for which the PHI is being disclosed. It is also necessary to consult state law, as state-level rules may offer stronger privacy protections for individuals than the HIPAA Privacy Rule, and not every state allows healthcare organizations to apply for an ERPO.
OCR reminds HIPAA-covered entities that federal laws, including 42 U.S.C. § 290dd-2 and 42 CFR Part 2, as well as the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99), may apply in circumstances where they hold information indicating a threat to public safety.
HHS Secretary Xavier Becerra says that many times, communities bear the burden of devastating tragedies brought on by the high incidence of gun violence in the country. This guidance on HIPAA and Extreme Risk Protection Orders is a vital step the Biden-Harris Administration is taking toward safeguarding communities from gun violence by enabling police officers, concerned family members, or others to keep a person in crisis from using firearms.