HIPAA Certified

HIPAA compliance is a false sense of security

New HIPAA guidance

Yesterday, December 20th, 2021, the Office for Civil Rights issued new guidance under the Privacy Rule on disclosures of PHI for Extreme Risk Protection Orders (ERPO). Inevitably, this is going to get twisted and contorted by those on the right and the left, so let's get to the actual ruling and define it clearly here. Here's a copy if you'd like to read it yourself, which I highly recommend - HIPAA Privacy Rule and Disclosures of Protected Health Information for Extreme Risk Protection Orders | HHS.gov. This was supposed to be a happy and light-hearted Holiday message, but since this topic impacts so many of our clients, we need to address it sooner rather than later.

Before we break into specifics, let's discuss intent. It's a tragedy when anyone suffering from mental distress lashes out in violence at others. When a firearm is involved, it's often national news. In certain cases, the argument goes, if we could prevent or remove their access to firearms, we could minimize or eliminate a gun-related incident. The logic follows that if family, friends, or care providers are aware of such a risk, they should be able to intervene, and HIPAA should not be a hindrance to that end. So OCR has weighed in and issued guidance. Here's what they've said.

The Privacy Rule does permit a covered health care provider to disclose PHI about an individual, without their knowledge or authorization, to support an application for an ERPO against them. HOWEVER, and this is where the battle will happen, the specifics pertaining to the exact circumstances are fairly narrow, at least in the letter of the guidance. To illustrate that point, OCR offers 3 examples. Here's the summary. The first is release based upon a court order, something we all know about and which is applicable far beyond an ERPO. The second is when a petitioner files in state court, alleging her partner has made threats involving firearms, and a subpoena has been issued to the mental health provider to release treatment records. The third is when a family member solicits the individual's therapist and states the patient has threatened to commit violence with firearms.

As I said, these are very specific scenarios that give most care providers cover in the event they are compelled to release PHI. The concern is if this ruling is broadly distorted or abused, those who need counseling the most will choose not to seek it, and we may only deepen the mental health crisis we are already in. Let's hope that doesn't happen.

Our best wishes to all and may everyone have a safe and Happy Holiday Season.

Jeff Mongelli

HIPAA Security Reminders


HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: Implement a security awareness and training program for all members of its workforce (including management).

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
