On Jan. 4, the Obama Administration announced several executive actions on gun control, mostly focused on closing loopholes, including requiring background checks at gun shows and online, with the ultimate goal to reduce gun violence. These actions, which include a new $500 million investment to help engage individuals with serious mental illness in care, will be a major focus of the mainstream media. For those of us in the health IT world, though, it was an amendment to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule that caught our attention.
As HCI Assistant Editor Heather Landi reported on Jan. 5, the amendment will enable mental health providers to more easily disclose limited information to the National Instant Criminal Background Check System (NICS). To this end, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a final rule, which takes effect next month, removing legal barriers preventing states from reporting relevant information to NICS, as reported by Landi. NICS, implemented in 1998, is maintained by the FBI to conduct background checks on people who may be legally disqualified from owning firearms.
According to a Politico Morning eHealth report from Jan. 5, this idea initially came three years ago in the wake of the tragic Newtown, Conn., shootings, but has never come to fruition until now. Meanwhile, while the Brady Handgun Violence Prevention Act of 1993 (Brady Gun Law) prohibits individuals who have been involuntarily committed to a mental health facility, found incompetent to stand trial, or deemed to be a danger to themselves from owning guns, many states have declined to release certain information to the NICS, citing prohibitions under HIPAA, despite the law's allowance to disclose data when it is required by law.
This is an issue that can certainly become very fuzzy. Do HIPAA laws prohibit providers from sharing any mental health information without the consent of patients? According to the background on the OCR final rule, currently, “HIPAA covered entities may only use and disclose protected health information (PHI) with the individual’s written authorization, or as otherwise expressly permitted or required by the HIPAA Privacy Rule.”
OCR goes on to give two instances of when covered entities can currently report to the NICS without the individual’s authorization. “First, a covered entity can disclose the relevant information to the NICS where a State has enacted a law that requires (and does not merely authorize) such reporting. Second, where a State has not enacted such a law, a HIPAA covered entity that performs both healthcare and non-healthcare functions (e.g., NICS reporting) could become a hybrid entity under HIPAA so that the Privacy Rule applies only to its healthcare functions.”
Now, under the final rule, OCR says that “If a covered healthcare entity also has a role in the relevant mental health adjudications or serves as a State data repository, it now may disclose the relevant information for NICS reporting purposes under this new permission even if it is not designated as a HIPAA hybrid entity or required by State law to report. This final rule does not create an express permission for covered entities to disclose for NICS reporting purposes the PHI of individuals who are subject to State-only mental health prohibitors,” OCR says.
To clarify, this rule applies only to a small subset of HIPAA covered entities that either make the mental health determinations that disqualify individuals from having a firearm or are designated by their states to report this information to NICS.
After reading the final rule, I turned to Mental Health America, a more than 100-year-old organization dedicated to addressing the needs of those living with mental illness and to promoting the overall mental health of all Americans. According to a blog post from the organization’s President and CEO, Paul Gionfriddo, the intention of the NICS to include the names of all of those individuals who could not possess firearms legally “presents no problem for judicial system reporters. They add the information to their state repository, which in turn is supposed to report it to the NICS. However, HIPAA covered entities make the determination as to whether an individual meets the standard for inclusion in the registry and orders an involuntary commitment.”
The blog post continues, “Therefore, what the rule says is this: (1) a firearms control data center housed in a HIPAA-covered entity can share limited demographic information with the national registry; and (2) a HIPAA-covered entity that is participating in a judicial proceeding to determine that a person cannot lawfully have a firearm (such as ordering an involuntary commitment) can share limited demographic information with the registry.”
Gionfriddo adds, “This change will affect a relatively small number of people (maybe in the hundreds, maybe in the thousands). So why does it matter? It has already been determined that it is illegal for the individuals whose names will be added to the list to own or possess firearms. So this might prevent a tragic event without infringing on the rights of anyone who can possess firearms.”