HHS' Office for Civil Rights issued new guidance Dec. 20 to explain how HIPAA covers healthcare providers who disclose protected health information to support instances of extreme risk protection orders.
Seven things to know:
1. The U.S. Department of Justice in June published model extreme risk protection order (ERPO) legislation that lets states create their own framework for developing laws that let law enforcement, family members or providers obtain these orders and intervene when an individual is in crisis.
2. An ERPO is a court order that temporarily prevents a person in crisis, who poses a danger to themselves or others, from accessing firearms.
3. HHS' Dec. 20 guidance clarifies the requirements of the HIPAA Privacy Rule for healthcare providers in relation to ERPO laws; the agency said the Privacy Rule allows covered providers to disclose protected health information about an individual without their authorization to support an ERPO.
4. HIPAA allows providers to disclose protected health information to support an ERPO in two circumstances: one, when the disclosure is required by law; and two, when the disclosure is in response to an order of a court or administrative tribunal, subpoena, discovery request or other lawful process.
5. HIPAA allows mental healthcare providers to disclose the minimum necessary protected health information to comply with a subpoena that is not accompanied by a court order or administrative tribunal if reasonable efforts have been made to ensure the individual subject of the protected health information request has been notified of the request or efforts have been made to secure a protective order that prohibits use of disclosure of the protected health information for any reason other than support of the ERPO.
6. HIPAA also permits mental healthcare providers to disclose minimum necessary protected health information when the disclosure is vital to prevent or reduce a serious or imminent threat to the health or safety of a person or the public.
7. Providers that disclose protected health information in situations to prevent or lessen a serious or imminent threat are presumed to have acted in good faith.
Click here to view the HHS HIPAA Privacy Rule fact sheet.