How to ensure HIPAA compliance when issued with an ERPO

When issued with an extreme risk protection order (ERPO), can you disclose a person's protected health information without their authorization? Do such disclosures violate HIPAA? And how do you ensure compliance with both HIPAA and ERPO legislation when presented with an order?

In December, the HHS issued its guidance on how healthcare professionals can disclose protected health information when presented with an ERPO.

As you go through this blog, you'll learn about the HIPAA issues that you need to address when presented with such orders. Specifically, you'll learn about the issues listed below:

  1. Can you disclose a patient’s protected health information when presented with an ERPO?
  2. How much information can you disclose under the law?
  3. Can you disclose a patient’s PHI to a court in an ERPO application?


What is an ERPO?

An ERPO, or extreme risk protection order, is a court order that prevents people from accessing firearms if they pose a threat to others or themselves. ERPO legislation varies from state to state, and different states permit different groups of people to file for an ERPO. Generally, law enforcement officers, family members, and healthcare providers can apply for an ERPO.

The petitioners of such orders need to submit affidavits and sworn statements from themselves or witnesses to support their application. The process may require a healthcare provider to disclose protected health information of an individual without their authorization.


Generally, under HIPAA, healthcare providers are not permitted to disclose an individual's PHI without their consent. Doing so can be regarded as a HIPAA violation.

Thus, as a healthcare provider, you need to tread a fine line between the ERPO legislation and HIPAA when responding to a request for an individual's medical records intended to help the court decide whether it should issue an ERPO against your patient.

HHS guidance for Extreme Risk Protection Orders (ERPO)

The newly issued HHS guidance addresses these questions with three examples.

First, if you (the healthcare provider) receive a court order that compels you to produce an individual's PHI to support the court's determination of whether it should issue an ERPO against the individual.

Second, if you receive a subpoena issued by the state's attorney general compelling you to disclose an individual's PHI to determine whether there is a legal basis to issue an ERPO against the individual.

And third, if you are informed by a person's family that the individual in question is threatening to use firearms, and you find their concerns credible enough to petition a court for an ERPO to protect the lives of others.

As per the HHS guidance, the Privacy Rule allows disclosures of PHI without the individual's authorization, but only in limited circumstances, including:

  • When the disclosure is required by law, for instance by statutes, regulations, court orders, or subpoenas.
  • When the disclosure is in response to a court order, subpoena, or other lawful process in the course of an administrative or judicial proceeding.
  • When sharing the PHI is necessary to prevent a serious threat to the health and safety of an individual or the public.

Psychotherapy notes

The disclosure permission applies to psychotherapy notes as well. Generally, they receive special protection under the Privacy Rule, but if the disclosure can prevent or lessen a threatened harm, a provider can disclose the necessary medical records.

For instance, if a therapist believes that the disclosure of his or her patient’s PHI might help the patient’s supervisor to prevent or lessen an imminent threat, the therapist can notify that person.

Minimum necessary rule

In all cases, however, disclosures must follow the minimum necessary standard set by the Privacy Rule: the healthcare provider needs to ensure that only the minimum information required for the intended purpose is released. The only exception is the first case, when the disclosure is required by law.

In conclusion

In addition to HIPAA, you need to consult your state's ERPO laws. State laws differ significantly on extreme risk protection orders, so before you disclose the requested PHI, ensure that the disclosure is necessary and follows state law.

Some state laws and court decisions might require you to disclose PHI to prevent risk or harm to an individual, but some states also have privacy laws that are stricter than the HIPAA Privacy Rule. You may have to consider other applicable federal laws as well.
