Navigating Red Flag Laws Under HIPAA
Some states permit healthcare providers to petition the court for the removal of firearms from patients. How can a provider do this without violating HIPAA’s Privacy Rule?

“Red flag” laws, as they’re commonly called, empower family members, health providers, or law enforcement to file a petition with a court for an extreme risk protection order (ERPO) to disarm dangerous individuals. After a hearing, if the court determines that a person is a serious risk to themselves or others, the court can order the removal of the firearms from that person’s possession. These orders aim to prevent suicide, homicide, mass shootings, and other violence.
Many states, including Illinois, New York, California, and Washington DC, have enacted red flag laws. As a result, healthcare providers in such states may play a role in obtaining an ERPO, either as an applicant or in support of someone else’s petition.
Meanwhile, the federal Health Insurance Portability and Accountability Act (HIPAA) lays down rigorous guidelines for safeguarding (or releasing) patient information. A healthcare provider involved in an ERPO petition regarding a patient will need to disclose information that typically HIPAA protects. So how do these laws fit together?
HIPAA Basics
Protection of PHI
HIPAA guards Protected Health Information (PHI). Essentially, PHI is anything that relates to medical treatment or its payment and would allow a reasonable person to identify the patient. Combining any health information with a common identifier like a full name or Social Security number, for example, would be enough.
Covered entities — that is, any individual or organization required to follow HIPAA — must uphold the Privacy Rule. The HIPAA Privacy Rule limits when a covered entity can release PHI. For the most part, PHI must be kept secret and not released to unauthorized third parties. Providers can only release PHI with the patient’s written authorization or in specific situations outlined within the rule.
Penalties for violating HIPAA can include OCR-mandated corrective action, a resolution agreement between the covered entity and the government, and fines (ranging from the low thousands to $1.5 million per year). HIPAA violations can even bring criminal penalties prosecuted by the Department of Justice (which could lead to jail time).
In short, HIPAA aims to protect patients by keeping their private medical data private. Patients need to feel comfortable talking openly with their providers — they must know third parties will not have access to their data. If an exception does not apply, providers cannot release PHI without written patient consent.
Permitted and Required Disclosures Under HIPAA
In a few situations, HIPAA’s Privacy Rule either requires or permits disclosure of PHI. For example, HIPAA requires that covered entities release PHI to patients who request their own records — the “Right of Access” provisions. Similarly, when the US Department of Health and Human Services (HHS) requests PHI as part of an investigation, covered entities must comply.
Meanwhile, the Privacy Rule permits disclosures in the following situations:
- Treatment, payment, and healthcare operations, such as speaking with members of the treatment team or insurers.
- Use and disclosure with the opportunity to agree or object, i.e., when the individual has been given a clear opportunity to object to the disclosure and did not.
- Incidental use and disclosure, such as when a maintenance worker glances at the patient sign-in sheet; OCR is unlikely to penalize the provider for this.
- Limited data sets, which are PHI with identifying information removed. Such data sets are often used for research.
- Public interest and benefit activities.
Note the last item because it becomes relevant to red flag laws, as we’ll discuss shortly. Under this category of permitted disclosures, providers may disclose PHI when:
- Required by law
- Necessary for public health and safety, like controlling disease outbreak
- To appropriate authorities when there is a victim of abuse
- For court-ordered judicial proceedings
- For certain law enforcement purposes
- When there is a serious threat to health or safety, such as when the provider believes the disclosure is necessary to prevent — or mitigate the risk of — serious harm to someone. (See our related blog on “duty to warn” laws.)
PHI in ERPO Petitions
Many covered providers, especially those in mental health, may be privy to information that signifies an individual is dangerous. In some states, these providers may apply to a court for an ERPO. How do they do this while remaining compliant with HIPAA?
In 2021, HHS released guidance to help providers support an ERPO petition within HIPAA’s privacy constraints.
Allowable Disclosures
First, providers can release PHI when required by law, such as in response to a court order. For example, say a psychotherapist receives a court-ordered subpoena. The subpoena demands the release of therapy notes necessary to determine if the patient is a danger to another person. That provider can — and, in fact, must — release the PHI.
Second, HHS authorizes the release of PHI when necessary to prevent or lessen a serious and imminent threat to the health or safety of the public. If a provider, in good faith, believes a patient is at serious risk of harming themselves or others, then they may release PHI in support of an ERPO petition.
For instance, imagine the psychotherapist is seeing a client who exhibits extreme anger towards his landlord for raising his rent. After further discussion, this client states he intends to get back at his landlord by shooting and killing him. The client further reveals that he has access to a gun. In this situation, the client has expressed clear intent — and ability — to use a gun to harm someone. The therapist can very likely release PHI to a court to obtain an ERPO.
Limitations
Note that enforcement of ERPO laws varies widely by state. That is, some states do not authorize healthcare providers to petition for an ERPO. In such states, only the first permitted disclosure (in response to a court order) would be relevant. Note also that HIPAA’s “minimum necessary” requirement still applies. Even though a covered entity is allowed to disclose PHI, the covered entity must make an effort to disclose the minimum amount necessary to accomplish the purpose of the release.
For example, the above psychotherapist can likely release an affidavit explaining the client’s thought process and intent to harm the landlord. The therapist can also discuss the clinical signs of anger and the likelihood of danger. However, the therapist likely cannot release PHI about the client’s attempt to quit smoking if it’s unrelated to any propensity towards violence.
Establish Practice Policies
Providers can release PHI in support of an ERPO petition in limited circumstances, namely, when the patient poses a risk of danger to themselves or others or when the disclosure is required by law. Providers must release PHI carefully, though. They can release only the minimum necessary and must still take reasonable safeguards to ensure unauthorized people don’t access it. HIPAA is vital to protect patient privacy. However, with this guidance, HHS recognizes that it must be balanced with public safety.
Covered entities should include protocols for supporting ERPO requests in their mandated HIPAA policies document. If you’ve put off creating your written HIPAA policy for your practice, it’s time to get in compliance!
A healthcare attorney can help you create your HIPAA policies and procedures. Moreover, your healthcare attorney can also provide situation-specific guidance on the scope of patient information to release in support of an ERPO (or in response to any documents request such as a subpoena).
Jackson LLP Healthcare Lawyers serves independent practices in several states. If you operate in one of them and need legal or compliance assistance, schedule a consultation to determine if we fit your needs.
This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader and should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.