The Department of Health and Human Services (HHS) through its Office of Civil Rights (OCR) released new guidance regarding how HIPAA compliant healthcare providers can legally share protected health information (PHI) to support applications for extreme risk protection orders.
The guidance also supports the U.S. Department of Justice (DOJ) model legislation on ERPO, which provides a framework for states to implement laws surrounding ERPO.
Extreme risk protection orders (ERPOs) temporarily prevent individuals in crisis from accessing firearms if they are deemed a danger to themselves or others. Depending on state law, people can file an application for an ERPO if they believe an individual is at risk.
"Too often, communities bear the weight of heartbreaking tragedies caused by the epidemic of gun violence in our country," said HHS Secretary Xavier Becerra in a press release. "Today's guidance on HIPAA and Extreme Risk Protection Orders is an important step the Biden-Harris Administration is taking towards protecting communities from gun violence by allowing law enforcement, concerned family members, or others to prevent a person in crisis from accessing firearms."
Obtaining an ERPO may require healthcare providers to disclose PHI that the patient did not consent to have released. The new guidance published by OCR clarifies the situations in which healthcare providers can share PHI in response to a court order or other lawful process.
The HIPAA Privacy Rule lets healthcare providers disclose PHI to support an ERPO application in limited circumstances like:
The guidance provides several examples of appropriate situations to disclose patient data. For example, a healthcare provider receiving a court order to share a patient's medical information may only disclose the PHI authorized in the court order.
In general, healthcare providers should provide only the minimum PHI necessary and follow state ERPO laws and other state laws regarding an individual who could be a personal or public risk.
"HIPAA should not be a barrier to communication for law enforcement, concerned family members, health care providers, and others when they see an individual in crisis," explained OCR Director Lisa J. Pino in the press release. "Today's guidance helps clarify legal requirements and to better support individuals in crisis."
Regardless of the situation, covered entities should take precautions when sharing PHI and keep it secure from unauthorized individuals.
Paubox Email Suite seamlessly encrypts your email by default and gives you the ability to communicate with your patients without fear of a HIPAA violation.
Paubox is easy for your employees to use. Since all emails are automatically encrypted, employees won't have to worry about forgetting to encrypt sensitive emails. Your employees won't struggle to use Paubox since it can seamlessly integrate with popular email platforms like Google Workspace and Microsoft 365.
We have appropriate security safeguards covered. All of our products include a business associate agreement (BAA) at no additional charge, which means you don’t have to worry about PHI not receiving the highest encryption level it deserves.
Paubox uses blanket TLS encryption and security features like two-factor authentication for ultimate protection.
Our Plus and Premium plan levels also include robust inbound security like our patented ExecProtect feature, which stops display name spoofing emails from entering your employees’ inboxes.
Paubox software has achieved HITRUST CSF certification and meets key regulatory and industry-defined requirements to manage risk. We have your HIPAA compliant email handled.