Amending HIPAA for Background Checks
HHS Considers Privacy Rule ChangeThe Department of Health and Human Services is considering amending the HIPAA Privacy Rule to remove barriers for states reporting information about potentially dangerous mental health patients for use in background checks for gun purchases.
See Also: Why Compliance Matters for Healthcare Industries
HHS' Office for Civil Rights is issuing an advance notice of proposed rulemaking, slated to be published in the Federal Register on April 23, that will seek public input on how HIPAA may prevent some states from reporting information to the National Instant Criminal Background Check System, or NICS, and ways these barriers can be addressed without discouraging mental health patients from seeking treatment.
The NICS is the federal database that stores information about individuals prohibited by law from possessing firearms. Those include felons, those convicted of domestic violence, and individuals involuntarily committed to a mental institution or found to be a danger to themselves or others, or unable to manage their affairs due to a mental health condition, according to an HHS statement.
HHS notes, however, that a 2012 Government Accountability Office report determined that 17 states each submitted fewer than 10 records of individuals prohibited from possessing firearms for mental health reasons from October 2004 to October 2011.
Removing Barriers
HHS says that in certain states, the HIPAA privacy rule may be a barrier for reporting to NICS the identities of mental health patients who should be prohibited from purchasing guns. So HHS is soliciting public comments on those barriers and how they can be addressed.
In particular, HHS is considering "creating an express permission in the HIPAA rules" for reporting relevant information to the NICS by state HIPAA covered entities responsible for involuntary commitments or court rulings that result in individuals being ineligible to purchase firearms due to mental health status.
In addition, HHS is also soliciting comments on "the best methods to disseminate information on relevant HIPAA policies to state-level entities that originate or maintain information that may be reported to NICS."
HHS is also soliciting public input "on whether there are ways to mitigate any unintended adverse consequences for individuals seeking needed mental health services that may be caused by creating express regulatory permission to report relevant information to NICS."
HHS will collect the comments for 45 days, and use the public input to determine how to address the issues.
"A regulatory permission might be helpful to better allow sharing of health information as necessary for NICS," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "HHS goes out if its way to indicate that there generally are means under HIPAA for state agencies to already report necessary information to NICS. A frequent challenge with HIPAA, however, is that entities don't understand what they can do, and so default to not sharing information. To alleviate this, a regulatory change can be very impactful, rather than relying on entities to navigate complicated provisions."
Privacy vs. Public Danger
The proposal to amend the HIPAA privacy rule follows another move in January by HHS to clarify for mental health professionals that HIPAA allows them to disclose patient health information to law enforcement if they believe the patient is a danger to themselves or others (see: Patient Privacy vs. Public Danger).
OCR Director Leon Rodriquez sent a letter in January to thousands of U.S. mental health professionals about the HIPAA provision to carry out one of 23 executive orders signed by President Obama related to his gun control program following the December mass murder of 26 children and adults at a school in Newtown, Conn.
In a statement about the new proposed amendment to HIPAA, Rodriguez sought to clarify the data that's kept in the NICS.
"It is important to reiterate that the NICS is not a mental health registry and this rulemaking process will not create a mental health registry," he says. Data kept in the NICS includes:
- Basic identifying information about the individual, such as name, Social Security number, and date of birth;
- The name of the state or federal agency that submitted the information;
- A notation on which of the 10 prohibited categories is applicable to the individual, which allows the individual to appeal and seek to correct incomplete or inaccurate information.
"The advanced notice of proposed rulemaking potentially goes much further than the letter that was sent out in January, which was geared towards mental health professionals and focused on cases where there is a serious and imminent threat," says Greene, the attorney. "This is very different than the issue of sharing with NICS, where the professional may not perceive an imminent threat."