end gun violence

HIPAA and Gun Violence Prevention

Preventing gun violence is a complicated challenge. New guidance from the U.S. Department of Health and Human Services (HHS) should help ease the process of keeping firearms out of reach of persons who may pose a danger. If a crisis is looming, health care providers need clarity to act promptly and assist, without fear of violating HIPAA.

Yesterday HHS, through its Office for Civil Rights (OCR) issued guidance to help clarify how the HIPAA Privacy Rule permits health care providers to disclose protected health information (PHI) to support applications for extreme risk protection orders that temporarily prevent a person in crisis, who poses a danger to themselves or others, from accessing firearms.

This guidance supports the U.S. Department of Justice’s (DOJ) model extreme risk protection order legislation, a framework for states to use for legislation that allows law enforcement, concerned family members, or others to seek these orders and to intervene in an effort to save lives.  These orders can improve public safety by helping to prevent firearm injuries and deaths. The DOJ model was published in June, 2021.

Commentary from the Department of Justice explains:

“Research has shown that states can save lives by authorizing courts to issue extreme risk protection orders (ERPOs) that temporarily prevent a person in crisis from accessing firearms.  This model legislation provides a framework for states to consider as they determine whether and how to craft laws allowing law enforcement, concerned family members, or others to seek these orders and to intervene before warning signs turn into tragedy.”

HIPAA Allows Disclosure to Prevent Violence

When law enforcement or a family member of a potentially violent individual wants to obtain an extreme risk protection order, health care providers are often asked for PHI of the individual in question. The new OCR guidance shows health care providers how HIPAA allows them to disclose protected health information without the individual’s authorization in these circumstances. 

OCR explained the guidance noting in the wake of incidents of mass violence such as shootings and acts of terrorism that it heard claims HIPAA prevented health care providers from disclosing PHI that could prevent those incidents. This guidance lines up with OCR’s proposed Privacy Rule modification permitting PHI disclosure to avert “serious and reasonably foreseeable” health and safety threats instead of the current standard permitting disclosure only when a threat is “serious and imminent”.

School shootings show that health care providers need clarity about disclosing PHI and school administrators need clarity about the intersection of HIPAA and the Family Educational Rights and Privacy Act (FERPA).

OCR Director Lisa J. Pino said yesterday:

“HIPAA should not be a barrier to communication for law enforcement, concerned family members, health care providers, and others when they see an individual in crisis.”

Underlying HIPAA law has always provided an exception to the authorization requirement to protect public safety, but the new guidance expands the kinds of situations where disclosure is allowed, and explains the exception in more detail with specific examples for each permission. Read the guidance in full here.

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start Kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Share This Post

Share on facebook
Share on twitter
Share on linkedin

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2021 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Service | Privacy Policy

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

Office
8820 Ladue Road Suite 200
St. Louis, MO 63124

Free hipaa kit!

hipaa compliance Quick start kit
Delivered free