HIPAA Privacy Rule and Disclosures of Protected Health Information for Extreme Risk Protection Orders

On June 7, 2021, the United States Department of Justice published model legislation to provide a framework for states to consider as they determine whether and how to implement their own “extreme risk protection order” (ERPO) laws.[1] An ERPO is a court order that temporarily prevents a person in crisis, who poses a danger to themselves or others, from accessing firearms. ERPO legislation, which can vary in important ways among states, generally specifies certain categories of petitioners (e.g., law enforcement officers, family members, health care providers) who may apply to a court for an ERPO and includes requirements for affidavits or sworn oral statements from the petitioner or witnesses to support the application. This guidance addresses the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule for covered health care providers in relation to ERPO laws.[2]

Does the Privacy Rule permit a covered health care provider to disclose protected health information (PHI) about an individual, without the individual’s authorization, to support an application for an ERPO against the individual?

In limited circumstances, yes. The Privacy Rule permits a covered health care provider to disclose PHI to support an ERPO application by the provider or another person in certain circumstances, including the following:

  • When the disclosure is required by law.[3] A covered health care provider may disclose PHI when the disclosure is required by law (e.g., statute, regulation, court order, subpoena) and the disclosure complies with and is limited to the relevant requirements of such law.[4]
  • When the disclosure is in response to an order of a court or administrative tribunal, subpoena, discovery request, or other lawful process in the course of a judicial or administrative proceeding.[5] The Privacy Rule places conditions on disclosures for these purposes, including when such disclosures are required by other law.[6] For example:

Example 1: A covered health care provider receives a court order compelling the provider to produce an individual’s medical records to the court to support its determination as to whether to issue an ERPO against the provider’s patient. The Privacy Rule permits the provider to disclose only the PHI that is authorized by the court order.[7]

Example 2: A petitioner applies for an ERPO in state court alleging, in an affidavit, that her partner has threatened to shoot her with his firearm and has been receiving care from a mental health professional. The state’s attorney issues a subpoena compelling the partner’s covered mental health care provider to disclose medical records to determine whether there is a sufficient legal basis to issue the ERPO.

The Privacy Rule permits the mental health care provider to disclose the minimum necessary[8] PHI to comply with a subpoena that is not accompanied by an order of a court or administrative tribunal if one of the following conditions is met:[9]

  • The provider receives satisfactory assurances[10] from the state’s attorney that reasonable efforts have been made to ensure that the individual who is the subject of the PHI request has been given notice of the request;[11] or
  • The provider receives satisfactory assurances[12] from the state’s attorney that reasonable efforts have been made to secure a qualified protective order prohibiting use or disclosure of the PHI for purposes other than the proceeding, and requiring the return to the provider or destruction of the PHI at the end of the proceeding.
  • When the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.[13] A covered health care provider who believes that an individual presents a serious and imminent threat to the health or safety of a person (including the individual) or the public may, consistent with applicable law and standards of ethical conduct, disclose PHI if the provider believes in good faith that the disclosure is necessary to prevent or lessen the threat and the disclosure is made to any person or persons reasonably able to prevent or lessen the threat.[14] The covered health care provider must make reasonable efforts to limit the PHI disclosed to the minimum necessary to prevent or lessen the threat.[15]

A health care provider that discloses PHI to prevent or lessen a serious and imminent threat is presumed to have acted in good faith with regard to the belief that the disclosure is necessary to prevent harm if the belief is based on the provider’s actual knowledge or in reliance on a credible representation by a person with apparent knowledge or authority.[16] Health care providers may disclose the necessary PHI, without an individual’s authorization, to anyone who is in a position to prevent or lessen the threatened harm.[17] This permission includes the sharing of psychotherapy notes, which otherwise receive special protection under the Privacy Rule.[18]

Example 3: An individual’s family member calls the individual’s therapist and states that the family is worried because the individual threatened to bring a firearm to the workplace and kill a supervisor. An applicable state law authorizes health care providers to petition a court for an ERPO to protect the life of a patient or another person. The therapist knows that the individual possesses a firearm and believes the family member’s representation is credible. The therapist applies for an ERPO and provides an affidavit that discloses PHI about the individual who poses a threat.

The Privacy Rule permits the therapist to disclose the PHI of the individual to the court in an ERPO application if the therapist believes in good faith that the disclosure is necessary to lessen or prevent the serious and imminent threat to the supervisor. The good faith belief may be based on a credible representation by the individual’s family member.

The Privacy Rule also permits the therapist to notify the supervisor that the individual poses a serious and imminent threat if the therapist believes in good faith that the disclosures are necessary to prevent or lessen the threat and the disclosures are to a person or persons reasonably able to prevent or lessen the threat.[19]

GENERAL CONSIDERATIONS

Minimum Necessary: The Privacy Rule’s “minimum necessary” standard requires covered entities and business associates to make reasonable efforts to limit most uses, disclosures, and requests to the minimum necessary PHI to accomplish the intended purpose of the use, disclosure, or request.[20] This standard generally applies to uses and disclosures of PHI in relation to ERPO laws, except where the use or disclosure is required by law.[21]

State ERPO Laws: State ERPO laws differ from each other in significant ways. For example, a state ERPO law may permit a law enforcement officer or an individual’s family member to apply for an ERPO but not permit an individual’s health care provider to do so. Covered health care providers should consult any applicable ERPO laws in their state before using or disclosing PHI in relation to an application for an ERPO.

Other Laws: In addition to professional ethical standards, most states have laws and/or court decisions that address, and in many instances require, the disclosure of an individual’s health information to prevent or lessen the risk of harm. Further, some states have laws that provide more stringent privacy protections for certain types of health information (e.g., restrictions on disclosures of information concerning an individual’s mental health) than the Privacy Rule requires. Providers should consult the laws applicable to their profession in the states where they practice. OCR also advises providers to consider other Federal laws that may apply to their situations, such as 42 U.S.C. § 290dd-2 and 42 CFR part 2 (governing the disclosure of substance use disorder treatment records) and the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99, governing the disclosure of school education and treatment records) to understand their duties and authorities in situations where they have information indicating a threat to public safety.

RESOURCES

* This document is not a final agency action, does not legally bind persons or entities, and may be rescinded or modified in the Department’s discretion.

[1] See https://www.justice.gov/doj/reducing-gun-violence.
[2] This guidance addresses the Privacy Rule provisions that are most likely to apply in the ERPO context. Other Privacy Rule permissions may apply, depending on the particular facts and circumstances of the person in crisis. Further, this guidance does not address the full scope of circumstances in which the Privacy Rule permits a covered entity to use or disclose an individual’s protected health information to prevent or address potential harm to an individual, another person, or the public. Links to additional information on this topic are provided at the end of this document.
[3] 45 CFR 164.512(a)(1). See also the definition of Required by law at 45 CFR 164.103: “Required by law means a mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.”
[4] The disclosure also must comply with the conditions in 45 CFR 164.512(c), (e), or (f), as applicable.
[5] 45 CFR 164.512(e).
[6] See 45 CFR 164.512(a)(2).
[7] 45 CFR 164.512(e)(1)(i).
[8] See the General Considerations section for an explanation of the “minimum necessary” standard in the HIPAA Privacy Rule, 45 CFR 164.502(b).
[9] Other laws, such as state laws, may place additional conditions or restrictions on such disclosures.
[10] 45 CFR 164.512(e)(1)(ii)(A).
[11] Title II of the Americans with Disabilities Act requires state and local governments to provide effective communication for individuals with disabilities, which may include providing auxiliary aids and services. In addition, Title VI of the Civil Rights Act of 1964 requires recipients of Federal financial assistance to take reasonable steps to provide meaningful access to individuals with limited English proficiency, which may include providing materials translated into non-English languages or oral language assistance.
[12] 45 CFR 164.512(e)(1)(ii)(B).
[13] 45 CFR 164.512(j).
[14] 45 CFR 164.512(j)(1)(i).
[15] Id.
[16] See 45 CFR 164.512(j)(4).
[17] More information about disclosures to a person or persons reasonably able to prevent or lessen the threat is available in OCR’s Fact Sheet, “HIPAA helps mental health professionals to prevent harm,” available at https://www.hhs.gov/sites/default/files/hipaa-helps-prevent-harm.pdf.
[18] See 45 CFR 164.508(a)(2).
[19] 45 CFR 164.512(j).
[20] See 45 CFR 164.502(b).
[21] See 45 CFR 164.502(b)(2)(v).
Content created by HHS Office of Civil Rights