New HIPAA Exception Allows Covered Entities to Report Behavioral Health Considerations Applicable to Possessing a Firearm

gun rangeAs of February 5, 2016, a change in the law allows certain health care providers to report the identity of an individual who is prohibited from possessing a firearm for mental health reasons to the National Instant Criminal Background Check System (“NICS”).  The Department of Health & Human Services (“HHS”) amended the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule to allow such reporting by health care providers who are a “covered entity” under HIPAA and who are: state agencies; designated by the state with lawful authority to make the adjudications or commitment decisions that make individuals subject to a “mental health prohibitor”; or serve as repositories of information for NICS reporting purposes.  The Final Rule that makes this amendment to HIPAA was published in the Federal Register on January 6, 2016: click here.

Before this amendment, health care providers who are “covered entities” under HIPAA could report information to the NICS only if:

(1) the health care provider had designated itself as a “hybrid entity” where the Privacy Rule would apply only to the entity’s functions that are subject to HIPAA but not the functions that are not subject to HIPAA (e.g., a university that operates a hospital that is subject to HIPAA and a research laboratory that is not subject to HIPAA because it does not bill for any patient services) (see this FAQ: click here).

(2) the health care provider was required (not just permitted) to make a report to NICS under state law.

See 45 CFR 164.512(a).  Prior to the amendment, the HIPAA Privacy Rule provisions that permitted disclosures in certain situations for law enforcement purposes or to avert a serious threat to health or safety did not extend to disclosures to NICS.  Healthcare providers would have had to obtain written authorization from the subject individual or their authorized representative to have made such a disclosure.  To remedy this, HHS added a new section to the Privacy Rule at 45 C.F.R. § 164.512 to allow covered entities to report protected health information (“PHI”) without the individual’s written authorization.

However, HHS narrowly tailored the new exception in an effort to balance public safety concerns about gun possession against an individual’s privacy rights regarding mental health information.  Certain healthcare providers who are HIPAA-covered entities may report, but are not required to report, the identities of individuals who are disqualified from shipping, transporting, possessing, or receiving a firearm based on federal “mental health prohibitors”.   Among the types of persons prohibited for mental health reasons (“mental health prohibitors”) from owning a firearm are individuals who have been:

  • involuntarily committed to a mental institution (covered entities should determine how “involuntary commitment” is defined under their state laws because this definition can vary from state to state);
  • found incompetent to stand trial or not guilty by reason of insanity or
  • otherwise determined by a court, or other lawful authority, to be a danger to themselves or others, or to lack the mental capacity to contract or manage their own affairs, as a result of marked subnormal intelligence or mental illness, incompetency, condition, or disease.

HHS explains that a “mental health prohibitor” does not apply to “individuals in a psychiatric facility for observation or who have been admitted voluntarily” in an effort “to ensure that individuals are not discouraged from seeking voluntary treatment.”

This HIPAA amendment does not extend to permitting covered entities to disclose for NICS reporting purposes the PHI of individuals who are subject to state-only mental health prohibitors or subject to other federal prohibitors that do not relate to mental health.

It is also important to note that this HIPAA amendment does not apply to all health care providers and, in fact, it will not apply to most treating providers.  Rather, it applies only to covered entities that are either state agencies or have been designated by the state with lawful authority to make the adjudications or commitment decisions that make individuals subject to a mental health prohibitor, or that serve as repositories of information for NICS reporting purposes.  In most cases, the entities that make such adjudications or retain these records are not subject to HIPAA because these processes originate with the court system, which is not a HIPAA covered entity. However, because state laws differ, there may be HIPAA covered entities that are also state agencies, boards, commissions, or other lawful authorities outside the court system that are involved in some involuntary commitments or mental health adjudications that make an individual subject to the federal mental health prohibitor or are repositories of this information.

Covered entities are also limited as to what may be reported and to whom they may report.  The disclosure is restricted to limited demographic and certain other information needed for NICS purposes.  Further, the Final Rule specifically prohibits disclosing “diagnostic or clinical information” from medical records or other sources and any mental health information beyond the indication that the individual is subject to the mental health prohibitor.  These covered entities may only disclose this information to the NICS or to an “entity designated by the State to report, or which collects information for purposes of reporting, on behalf of the State, to the [NICS].”

Because state laws vary, HIPAA covered entities should examine their state laws to determine whether they are authorized by the state to order the involuntary commitments or make the other adjudications that cause individuals to be subject to the federal mental health prohibitor, or if they serve as repositories of such information for NICS reporting purposes.  If they are, then they should update their privacy policies accordingly.



Leave a reply. Please note that although this blog may be helpful in informing clients and others who have an interest in information privacy and security, it is not intended to be legal advice. The information on this blog also should not be relied upon to form an attorney-client relationship.

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.