Updated HIPAA Guidance for Extreme Risk Protection Orders

January 19, 2022
On December 20th, HHS released updated guidance for HIPAA covered entities regarding Extreme Risk Protection Orders. In this blog we'll discuss that guidance and the circumstances in which it may affect a covered entity.


On June 7th, 2021, the US Justice Department released model legislation to help states establish "extreme risk protection orders" (ERPOs). An ERPO is simply a court order that temporarily restricts a person's access to guns when that person is deemed to be a risk to themselves or others. ERPO legislation, which varies significantly between states, generally specifies who may petition for an ERPO (e.g., law enforcement agencies, health care providers, family members) and requires affidavits or oral testimony from the petitioner or witnesses before an order is granted. The recent HIPAA guidance addresses how the HIPAA Privacy Rule applies to health care providers in connection with state ERPO laws.

The Details

The central question the guidance addresses is this: "Does the HIPAA Privacy Rule permit a covered health care provider to disclose protected health information (PHI) about a patient, without the patient's consent, to support an ERPO application?"

The short answer is yes, in some cases. In certain circumstances, the Privacy Rule permits a HIPAA covered entity to disclose PHI to support an ERPO application, whether the petitioner is the provider itself or another person.

A covered health care provider may disclose PHI when the disclosure is required by law (e.g., by statute, regulation, or court order), provided the disclosure meets the relevant requirements of that law. Disclosure is also permitted in the course of judicial or administrative proceedings, when it is required by an order of a court or administrative tribunal, a subpoena, a discovery request, or other lawful process.

Example Situations

The Privacy Rule still limits these disclosures, even when they are required by law. A few examples help illustrate how it applies:

Example 1:

A covered health care provider is served with a court order to produce a patient's medical records in support of an ERPO. The provider may release only the PHI that the court order expressly authorizes.

Example 2: 

A petitioner seeks an ERPO in state court, alleging that her spouse has said he would shoot her with his gun and that he is receiving mental health treatment. To determine whether the ERPO is legally justified, the state's attorney subpoenas the spouse's medical records from his mental health provider, a covered entity.

The Privacy Rule permits the mental health provider to comply with a subpoena that is not accompanied by a court or administrative order, provided one of the following conditions is met:

The provider receives satisfactory assurances from the state's attorney that reasonable efforts have been made to notify the individual of the request for PHI; or the provider receives satisfactory assurances from the state's attorney that reasonable efforts have been made to secure a qualified protective order prohibiting the use or disclosure of the PHI for any purpose other than the proceeding.

Disclosure is also permitted when it is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. A covered health care provider who believes in good faith that an individual poses a serious and imminent threat to the health or safety of another person or the public may disclose PHI if the provider believes in good faith that the disclosure is necessary to prevent or lessen that threat. The provider must make reasonable efforts to limit the PHI disclosed to the minimum necessary.

A health care provider who discloses PHI to prevent or lessen a serious and imminent threat is presumed to have acted in good faith if the provider reasonably believed the disclosure was necessary to avert harm. To prevent or lessen such a threat, a provider may disclose PHI without consulting the individual. This includes psychotherapy notes, which the Privacy Rule otherwise protects.

Example 3:

A family member phones the individual's therapist, concerned that the individual may bring a gun to work and shoot a supervisor. An ERPO may protect the patient's life or another person's. The therapist knows that the patient owns a gun and is familiar with the family member's account. The therapist petitions for an ERPO and submits an affidavit containing PHI about the threat. To prevent or lessen a serious and imminent threat to the supervisor, the therapist may disclose the patient's PHI to law enforcement in the ERPO application. The family member's credible account may form the basis for the therapist's good-faith belief.

The Privacy Rule also permits the therapist to warn the supervisor if the therapist believes in good faith that the disclosure is necessary to prevent or lessen the harm.

Hopefully, this content brings a bit of clarity to this updated HIPAA guidance in relation to ERPOs. While there are a few examples listed and details explained, it is worth noting that this situation is very rare and that a request must pass through appropriate legal channels before a covered entity would be required to share information. This guidance is not intended to heighten the chances of your information being shared, but rather to provide a greater breadth of protection to an individual and those around them at a time when they might be deemed a safety risk.
