Preventing gun violence is a complicated challenge. New guidance from the U.S. Department of Health and Human Services (HHS) should help ease the process of keeping firearms out of reach of persons who may pose a danger. If a crisis is looming, health care providers need clarity to act promptly and assist, without fear of violating HIPAA.
Yesterday HHS, through its Office for Civil Rights (OCR) issued guidance to help clarify how the HIPAA Privacy Rule permits health care providers to disclose protected health information (PHI) to support applications for extreme risk protection orders that temporarily prevent a person in crisis, who poses a danger to themselves or others, from accessing firearms.
This guidance supports the U.S. Department of Justice’s (DOJ) model extreme risk protection order legislation, a framework for states to use for legislation that allows law enforcement, concerned family members, or others to seek these orders and to intervene in an effort to save lives. These orders can improve public safety by helping to prevent firearm injuries and deaths. The DOJ model was published in June, 2021.
Commentary from the Department of Justice explains:
“Research has shown that states can save lives by authorizing courts to issue extreme risk protection orders (ERPOs) that temporarily prevent a person in crisis from accessing firearms. This model legislation provides a framework for states to consider as they determine whether and how to craft laws allowing law enforcement, concerned family members, or others to seek these orders and to intervene before warning signs turn into tragedy.”
HIPAA Allows Disclosure to Prevent Violence
When law enforcement or a family member of a potentially violent individual wants to obtain an extreme risk protection order, health care providers are often asked for PHI of the individual in question. The new OCR guidance shows health care providers how HIPAA allows them to disclose protected health information without the individual’s authorization in these circumstances.
OCR explained the guidance noting in the wake of incidents of mass violence such as shootings and acts of terrorism that it heard claims HIPAA prevented health care providers from disclosing PHI that could prevent those incidents. This guidance lines up with OCR’s proposed Privacy Rule modification permitting PHI disclosure to avert “serious and reasonably foreseeable” health and safety threats instead of the current standard permitting disclosure only when a threat is “serious and imminent”.
School shootings show that health care providers need clarity about disclosing PHI and school administrators need clarity about the intersection of HIPAA and the Family Educational Rights and Privacy Act (FERPA).
OCR Director Lisa J. Pino said yesterday:
“HIPAA should not be a barrier to communication for law enforcement, concerned family members, health care providers, and others when they see an individual in crisis.”
Underlying HIPAA law has always provided an exception to the authorization requirement to protect public safety, but the new guidance expands the kinds of situations where disclosure is allowed, and explains the exception in more detail with specific examples for each permission. Read the guidance in full here.