According to the Centers for Disease Control and Prevention, firearm injuries are a serious public health problem in the United States. To combat this problem, many states have passed extreme risk protection order (“ERPO”) laws, otherwise known as “red flag laws.”

ERPO laws allow various individuals, including family members, health care providers, and law enforcement officers, to petition for court orders that temporarily prevent people who are in crisis and who pose a danger to themselves or others from accessing firearms. ERPOs generally require affidavits from witnesses or the petitioner to support the application. In some instances, those affidavits could rely on protected health information (“PHI”) that the HIPAA Privacy Rule protects from unauthorized disclosure.

On December 20, 2021, the Department of Health and Human Services (“HHS”) issued non-binding guidance (“Guidance”) to clarify the extent to which the HIPAA Privacy Rule permits regulated entities to disclose PHI to help temporarily prevent individuals in crisis from accessing firearms. The Guidance explains the three circumstances under which the Privacy Rule allows PHI to be disclosed by witnesses and petitioners in ERPO proceedings.

Those three circumstances are when the disclosure of PHI is:

  • Required by law (e.g., by state or federal statute or regulation, or by court order or subpoena) and complies with said law.
  • In response to a court or administrative tribunal order, subpoena, discovery request, or other lawful process in the course of a judicial or administrative proceeding. These disclosures can only be made under certain conditions as outlined in the Privacy Rule; for example:
    • Where a court order compels a provider to release an individual’s PHI to support an ERPO, the provider may only disclose the PHI that is authorized by the court order.
    • The Privacy Rule’s “minimum necessary” standard requires covered entities and business associates to make reasonable efforts to limit most uses, disclosures, and requests to the “minimum necessary” PHI to accomplish the intended purpose of the use, disclosure, or request.
  • Necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. As with responding to court/administrative orders, the health care provider must follow the “minimum necessary” standard.

In approving the guidance, HHS Secretary Xavier Becerra stated: “Too often, communities bear the weight of heartbreaking tragedies caused by the epidemic of gun violence in our country,” and that the guidance is an “important step . . . towards protecting communities from gun violence by allowing law enforcement, concerned family members, or others to prevent a person in crisis from accessing firearms.”