HHS issues guidance on HIPAA and ERPOs

The Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), released new guidance on how HIPAA covered healthcare providers can lawfully share protected health information (PHI) to support applications for extreme risk protection orders (ERPOs).

The guidance also supports the U.S. Department of Justice (DOJ) model ERPO legislation, which provides a framework states can use to implement their own ERPO laws.

What are extreme risk protection orders?

Extreme risk protection orders (ERPOs) temporarily prevent individuals in crisis from accessing firearms if they are deemed a danger to themselves or others. Depending on state law, people can file an application for an ERPO if they believe an individual is at risk. 

“Too often, communities bear the weight of heartbreaking tragedies caused by the epidemic of gun violence in our country,” said HHS Secretary Xavier Becerra in a press release. “Today’s guidance on HIPAA and Extreme Risk Protection Orders is an important step the Biden-Harris Administration is taking towards protecting communities from gun violence by allowing law enforcement, concerned family members, or others to prevent a person in crisis from accessing firearms.”

How is HIPAA involved with ERPOs?

Supporting an ERPO application may require a healthcare provider to disclose PHI that the patient has not consented to release. The new OCR guidance clarifies the situations in which healthcare providers can share PHI in response to a court order or other lawful process.

The HIPAA Privacy Rule lets healthcare providers disclose PHI to support an ERPO application in limited circumstances like:

  • When the disclosure is required by law
  • When the disclosure is in response to an order of a court or administrative tribunal, subpoena, discovery request, or other lawful process in the course of a judicial or administrative proceeding

The guidance provides several examples of appropriate situations to disclose patient data. For example, a healthcare provider receiving a court order to share a patient’s medical information may only disclose the PHI authorized in the court order. 

In general, healthcare providers should disclose only the minimum PHI necessary, follow their state's ERPO law, and follow any other state laws that apply when an individual may pose a risk to themselves or the public.

What do the new HHS guidelines accomplish?

“HIPAA should not be a barrier to communication for law enforcement, concerned family members, health care providers, and others when they see an individual in crisis,” explained OCR Director Lisa J. Pino in the press release. “Today’s guidance helps clarify legal requirements and better support individuals in crisis.”

Bottom line: healthcare providers should share PHI responsibly

Regardless of the situation, covered entities should take precautions when sharing PHI and keep it secure from unauthorized individuals.

Paubox Email Suite seamlessly encrypts your email by default and gives you the ability to communicate with your patients without fear of a HIPAA violation.

Paubox is easy for your employees to use. Since all emails are automatically encrypted, employees won’t have to worry about forgetting to encrypt sensitive emails. Your employees won’t struggle to use Paubox since it seamlessly integrates with popular email platforms like Google Workspace and Microsoft 365.

We have appropriate security safeguards covered. All of our products include a business associate agreement (BAA) at no additional charge, which means you don’t have to worry about PHI not receiving the highest encryption level it deserves. Paubox uses blanket TLS encryption and security features like two-factor authentication for ultimate protection. 

Our Plus and Premium plan levels also include robust inbound security like our patented ExecProtect feature, which stops display name spoofing emails from entering your employees’ inboxes. 

Paubox software has achieved HITRUST CSF certification and meets key regulatory and industry-defined requirements to manage risk. We have your HIPAA compliant email handled.

Try Paubox Email Suite for FREE today.

About the author

Sara Nguyen
