HHS issues guidance on HIPAA and ERPOs
by Sara Nguyen
The Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), released new guidance on how HIPAA-compliant healthcare providers can lawfully share protected health information (PHI) to support applications for extreme risk protection orders.
The guidance also supports the U.S. Department of Justice (DOJ) model legislation on ERPOs, which provides a framework for states to implement their own ERPO laws.
What are extreme risk protection orders?
Extreme risk protection orders (ERPOs) temporarily prevent individuals in crisis from accessing firearms if they are deemed a danger to themselves or others. Depending on state law, people can file an application for an ERPO if they believe an individual is at risk.
“Too often, communities bear the weight of heartbreaking tragedies caused by the epidemic of gun violence in our country,” said HHS Secretary Xavier Becerra in a press release. “Today’s guidance on HIPAA and Extreme Risk Protection Orders is an important step the Biden-Harris Administration is taking towards protecting communities from gun violence by allowing law enforcement, concerned family members, or others to prevent a person in crisis from accessing firearms.”
How is HIPAA involved with ERPOs?
Obtaining an ERPO may require healthcare providers to disclose PHI that the patient has not consented to release. The new guidance published by OCR clarifies the situations in which healthcare providers can share PHI in response to a court order or other lawful process.
The HIPAA Privacy Rule lets healthcare providers disclose PHI to support an ERPO application in limited circumstances, such as:
- When the disclosure is required by law
- When the disclosure is in response to an order of a court or administrative tribunal, subpoena, discovery request, or other lawful process in the course of a judicial or administrative proceeding
The guidance provides several examples of appropriate situations to disclose patient data. For example, a healthcare provider receiving a court order to share a patient’s medical information may only disclose the PHI authorized in the court order.
In general, healthcare providers should disclose only the minimum PHI necessary, and should comply with state ERPO laws and other state laws concerning individuals who may pose a risk to themselves or the public.
What do the new HHS guidelines accomplish?
“HIPAA should not be a barrier to communication for law enforcement, concerned family members, health care providers, and others when they see an individual in crisis,” explained OCR Director Lisa J. Pino in the press release. “Today’s guidance helps clarify legal requirements and to better support individuals in crisis.”
Bottom line: healthcare providers should share PHI responsibly
Regardless of the situation, covered entities should take precautions when sharing PHI and keep it secure from unauthorized individuals.
Paubox is easy for your employees to use. Since all emails are automatically encrypted, employees won’t have to worry about forgetting to encrypt sensitive emails. Your employees won’t struggle to use Paubox since it can seamlessly integrate with popular email platforms like Google Workspace and Microsoft 365.
We have appropriate security safeguards covered. All of our products include a business associate agreement (BAA) at no additional charge, which means you don’t have to worry about PHI not receiving the highest encryption level it deserves. Paubox uses blanket TLS encryption and security features like two-factor authentication for ultimate protection.