HHS Guidance Addresses HIPAA and Emergency Protective Orders
HHS recently issued guidance about HIPAA compliance when information must be released in conjunction with an extreme risk protection order (ERPO). The guidance will be useful for risk managers and compliance officers, but may present some challenges when trying to adhere to HIPAA restrictions.
An ERPO is “a court order that temporarily prevents a person in crisis, who poses a danger to themselves or others, from accessing firearms. ERPO legislation, which can vary in important ways among states, generally specifies certain categories of petitioners (e.g., law enforcement officers, family members, healthcare providers) who may apply to a court for an ERPO and includes requirements for affidavits or sworn oral statements from the petitioner or witnesses to support the application,” HHS explained.
The guidance does not indicate any change in how providers should determine whether to disclose protected health information (PHI) when a patient might be at risk of harming themselves or others, but it illustrates how these scenarios are likely to occur, explains Breanne M. Rubin, JD, an attorney with Eastman & Smith in Toledo, OH. The guidance notes how those situations can be addressed under existing laws.
“What is most key in the guidance is how OCR highlights that ERPO laws vary from state to state,” Rubin says. “The guidance discusses how a covered entity can disclose PHI under HIPAA, and if so, what conditions apply.”
The decision to disclose PHI in such a situation can be difficult, Rubin says, coming down to the discretion of the provider assessing the patient’s condition, the statements made by the patient, and the likelihood of the patient acting on a threat. HIPAA allows for disclosure in these situations as long as certain conditions are met.
“HIPAA sets the floor for the minimum requirements, but there may be a state law that is more strict, in addition to other federal laws and regulations that apply to the disclosure of health information,” Rubin says. “There are very strict rules regarding the release of information related to substance abuse, for example — much [stricter] than HIPAA.”
The guidance is useful, particularly in the light of concerns over gun violence in the country, says Alaap B. Shah, JD, an attorney with Epstein Becker Green in Washington, DC. Healthcare providers may find themselves in difficult situations when a patient is considered dangerous, and the HHS guidance should help them make a lawful decision.
“People have been confused by HIPAA. It’s often used as a shield, with people automatically saying HIPAA doesn’t allow us to disclose anything,” Shah says. “[HHS] is clarifying that there are some purposeful avenues by which you can disclose sensitive information, including mental health information records, to prevent gun violence.”
However, the guidance only goes so far. It still is up to the covered entity to understand pertinent state laws and other federal laws that may limit disclosure.
“HHS is saying that there are ways to disclose this information under HIPAA, but they’re also emphasizing that they are not the final word on any disclosure decision,” Shah says. “They help you understand how HIPAA applies, but they’re very clear that you have to explore these other avenues before making a decision to disclose.”
One challenge that could result in litigation is interpreting the scope of the guidance’s “minimum necessary” standard, says Callan G. Stein, JD, partner with Troutman Pepper Hamilton Sanders in Boston. The guidance is clear: Covered entities and business associates must limit their disclosure of PHI under ERPO laws to the absolute minimum that is necessary to accomplish the intended purpose.
“But what constitutes ‘minimum necessary’ will vary, not just on a case-by-case basis but on a purpose-by-purpose basis. It is not difficult to envision an individual getting upset and even taking legal action against a covered entity that discloses, under an ERPO law, more PHI than the individual believes was necessary,” Stein explains. “Covered entities should be sure to carefully consider what PHI is absolutely necessary to disclose, and to document those decisions in such a way that they can be relied upon later should the need arise.”
The same interpretational challenges also could arise in the context of whether a person presents a serious and imminent threat such that disclosing PHI is justified, Stein says. It is not difficult to imagine an individual challenging such a determination in court if he or she believes PHI was disclosed unnecessarily.
“Here, the guidance does provide some guardrails for providers, making clear that a provider who discloses PHI to prevent or mitigate a serious and imminent threat is presumed to have acted in good faith so long as the provider’s belief is based on actual knowledge or a credible representation by someone with actual knowledge,” Stein says. “Once again, providers who disclose PHI under these circumstances would be wise to carefully consider the threat of harm and, more importantly, document the facts and/or representations on which the decision is ultimately made. Providers should also be cognizant of to whom they make the PHI disclosure. The guidance permits providers to make the disclosure to anyone who is in a position to prevent or lessen the harm.”
Another challenge for covered entities is navigating the maze of state ERPO laws that will differ from each other, sometimes in significant ways, Stein says. For example, the guidance noted different states may restrict who can and cannot apply for an ERPO. For example, a physician could apply for an ERPO under one state law but not another.
Covered parties will need to ensure they know what state laws apply to a given situation, and be sure to consult the laws themselves or local counsel before taking any action. They need to understand state-specific laws also extend beyond state ERPO laws.
“Certain states have enacted laws or have common law judicial decisions that will likewise impact these situations,” Stein says. “For example, certain states have enhanced restrictions on the disclosure of certain types of PHI, which may still apply in the context of an ERPO.”
HHS recently issued guidance about HIPAA compliance when information must be released in conjunction with an extreme risk protection order. The guidance will be useful for risk managers and compliance officers, but may present some challenges when trying to adhere to HIPAA restrictions.Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.