What are extreme risk protection orders?

Healthcare providers may need to be aware of and consider Extreme Risk Protection Orders (ERPOs) when they have patients in crisis, show signs of posing a danger to themselves or others, or are required to by law. It is, therefore, necessary to understand how to disclose patient data while maintaining HIPAA compliance. 

What is an extreme risk protection order?

An ERPO is a legal tool that enables courts to issue orders to temporarily prevent individuals in crisis from accessing firearms. This preventive measure aims to intervene before warning signs escalate into potential harm to the individual or others.

There is a framework for states to consider when implementing ERPO laws, outlining who can apply for such orders – including law enforcement officers, immediate family members, health care providers, and other concerned parties – and the types of orders that can be issued. 

Two forms of ERPO could be issued: 

1. Emergency ex parte orders: A court can issue these orders immediately under qualifying emergency circumstances. They are based on probable cause, indicating a significant danger posed by the individual's access to firearms. Emergency ex parte orders prohibit the individual from possessing or acquiring firearms and may require them to surrender any firearms they currently have. These orders are intended to provide swift intervention to prevent imminent harm.
2. Long-term orders: Long-term orders are issued after a hearing, during which the court evaluates the evidence and circumstances to determine whether the individual poses a danger to themselves or others. If the court finds sufficient grounds, it can issue a long-term order that remains in effect for a period specified by state law. Similar to emergency orders, long-term orders prohibit individuals from possessing or acquiring firearms and may require them to surrender any firearms. These orders provide a more comprehensive and extended restriction on firearm access.

See also: What is protected health information (PHI)?

When can healthcare providers disclose PHI?

Healthcare providers can disclose Protected Health Information (PHI) in the context of an Extreme Risk Protection Order (ERPO) under certain circumstances outlined in the model legislation. These circumstances include:

1. Disclosure required by law: Healthcare providers can disclose PHI to support an ERPO application when the disclosure is required by law, such as a court order, subpoena, or other lawful process. The disclosure must comply with the relevant requirements of the law.
2. Disclosure to prevent imminent harm: Healthcare providers can disclose PHI without an individual's authorization if they believe in good faith that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. The disclosure should be made to any person or persons reasonably able to prevent or lessen the threat.

Go deeper: 

• HHS issues guidance on HIPAA and ERPOs
• Disclosures of PHI that occur during litigation
• How HIPAA balances privacy with patient safety in crisis situations

How to disclose PHI while remaining HIPAA compliant?

When disclosing PHI in the context of an ERPO while maintaining HIPAA compliance, healthcare providers must exercise utmost caution and adhere to specific legal circumstances. It is necessary to ensure that only the minimum necessary PHI is shared, limiting the information disclosed to what is directly relevant to the ERPO application.

By adhering to this standard, healthcare providers ensure they are not revealing excessive or irrelevant information, thus preserving patient confidentiality and privacy rights.

Providers should establish satisfactory assurances from authorized entities, such as state attorneys, to confirm proper notice to the individual subject to the PHI request or to secure suitable protective orders. The "satisfactory assurance" requirement entails that healthcare providers, before disclosing PHI, ensure they receive credible confirmation from authorized entities or individuals.

These entities could include state attorneys or legal representatives involved in the ERPO process. Providers must ascertain that proper notice has been given to the individual subject to the PHI request or that suitable protective orders are in place. 

See also: HIPAA Compliant Email: The Definitive Guide