On January 6, 2016, the Office for Civil Rights (“OCR”) within the federal Department of Health and Human Services (“HHS”) issued a final rule to modify the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule. This final rule allows certain covered entities to disclose to the National Instant Criminal Background Check System (“NICS”) that an individual is subject to a “mental health prohibitor.”[1] Although publicized for being released in tandem with President Obama taking broad executive action on gun control,[2] the HIPAA NICS Rule is actually quite limited in scope.
Background
The Federal Bureau of Investigation (“FBI”) oversees the NICS, a national system used to conduct background checks on persons attempting to purchase a firearm. The NICS is used to identify persons who are prohibited from purchasing a firearm, whether by federal or state law, and once identified, to prevent such persons from purchasing a firearm.[3]
A person subject to a “mental health prohibitor” is prohibited from purchasing a firearm under the Gun Control Act of 1968 and its implementing regulations (“GCA”).[4] The GCA details a number of events that will subject a person to a “mental health prohibitor,” such as (1) an involuntary commitment to a mental institution; (2) being found incompetent to stand trial; (3) being found not guilty by reason of insanity; (4) being found by a “court, board, commission or other lawful authority” to be a danger to themselves or others;[5] and (5) being found by a lawful authority, such as those stated immediately above, to “lack the mental capacity to contract or manage their own affairs.”[6] Voluntarily seeking mental health treatment or being subject to psychiatric observation do not subject a person to a “mental health prohibitor.”[7]
As a general matter, HIPAA requires that a covered entity disclose information only with an individual’s authorization, unless an exception applies or the covered entity is required to disclose by law.[8] Prior to the HIPAA NICS Rule, most affected covered entities could report the existence of an individual’s “mental health prohibitor” to the NICS without that individual’s authorization. In some cases, there would be an applicable state law mandating such reporting.[9] In other cases, the reporting entity may have been a “hybrid” entity, and the reporting would have come from the non-covered entity.[10]
OCR was aware that some organizations found that the HIPAA Privacy Rule prohibited NICS reporting. As a result, OCR implemented the HIPAA NICS Rule to fill what OCR saw as gaps in HIPAA’s permissive reporting requirements and to provide clarity on the issue. Before the HIPAA NICS Rule, permissive reporting categories such as reporting for law enforcement purposes,[11] or to avert a serious threat to health or safety,[12] would not have allowed a covered entity to report the existence of a “mental health prohibitor” to the NICS. Each category has requirements that are too specific to capture disclosure to the NICS.[13]
Limitation of the HIPAA NICS Rule
The scope of the HIPAA NICS Rule is limited both in terms of affected covered entities and information that can be released. Notably, the HIPAA NICS Rule provides for a permissive use or disclosure, e.g., the covered entity may use or disclose to the NICS the fact that an individual is subject to a “mental health prohibitor.”[14] Because the disclosure is a permissive one, covered entities subject to the final rule are not required to disclose such information unless other federal or state law requires them to do so.[15]
First, in order to release the information to NICS, a covered entity must be a state agency or other entity that:
-
Is designated by the state to report, or to collect information for reporting, to NICS; or
-
A court, board, commission, or other entity with the authority to adjudicate commitment or other adjudication decisions that make individuals subject to the federal mental health prohibitor.[16]
Thus, the HIPAA NICS Rule is particularly narrow given that most of the entities listed above would not be subject to HIPAA. Specifically, courts, and other entities within the criminal justice system are not subject to HIPAA.[17] Covered entities who may be allowed to disclose information as a result of the final rule include state health departments and/or other state commissions that render such adjudications.[18]
Second, the reporting covered entity may only disclose to NICS (or to an entity designated for collecting such information), a minimal amount of demographic and certain other information—such as “Social Security number, State of residence, height, weight, place of birth, eye color, hair color, and race”—sufficient to reduce the chance of a false match within the NICS.[19] It should be noted that the covered entity is prohibited from disclosing diagnostic or clinical information.
Impact of the HIPAA NICS Rule
Despite the significant press coverage, the HIPAA NICS Rule will have limited impact for relatively few covered entities. The preamble to the final rule made clear that OCR’s position is that the final rule is a narrow adjustment, intended to assure covered entities subject to state reporting laws that their disclosures to NICS are not in violation of HIPAA. OCR specifically did not agree with arguments made by commentators who raised concerns about a person’s right to bear arms being truncated by the final rule,[20] or the concern that a person would delay treatment for fear of being subject to a “mental health prohibitor.”[21] OCR responded to the gun rights advocates by stating that such concerns were outside the scope of the HIPAA NICS Rule because the comments addressed potential flaws within the GCA, which was not the subject of the final rule.[22] In response to the concern from some commentators that individuals would forego or delay treatment, OCR pointed to the narrow applicability of the HIPAA NICS Rule and reiterated that voluntarily seeking treatment does not subject an individual to a “mental health prohibitor.”[23]
In short, the final rule provides a subset of covered entities with a new permissive reporting option, provided however that covered entities subject to state law that mandates such reporting are required to do so. The majority of covered entities will not have their reporting or HIPAA compliance obligations changed as a result of the HIPAA NICS Rule.
[1] See Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the National Instant Criminal Background Check System (NICS), 81 Fed. Reg. 382 (Jan. 6, 2016) (to be codified at 45 C.F.R. pt. 164). The full rule is available here: https://federalregister.gov/a/2015-33181 (last visited Jan. 13, 2016) (hereinafter “the HIPAA NICS Rule”).
[2] See “New Executive Actions to Reduce Gun Violence and Make Our Communities Safer,” a fact sheet published by The White House (last visited Jan. 20, 2016).
[3] HIPAA NICS Rule at 382.
[4] See Public Law 90-618-Oct. 22, 1968; see also 27 C.F.R. § 478.11.
[5] See 27 C.F.R. § 478.11(1).
[6] See 27 C.F.R. § 478.11(2).
[7] See 27 C.F.R. § 478.11 for “Committed to a mental institution,” which specifically excludes “a person in a mental institution for observation nor a voluntary admission to a mental institution.” Id.
[8] See 45 C.F.R. § 502(a).
[9] See HIPAA NICS Rule at 384; and see 45 C.F.R. §164.512(a).
[10] See HIPAA NICS Rule at 384. For this example, please note that a hybrid entity is a covered entity that conducts health care and non-health care functions. Thus, HIPAA would only apply to the hybrid entity’s health care functions, and HIPAA would not apply to its non-health care functions, such as reporting to the NICS.
[11] See 45 C.F.R. §164.512(f).
[12] See 45 C.F.R. §164.512(j)
[13] See HIPAA NICS Rule at 384.
[14] See HIPAA NICS Rule at 393; and 45 C.F.R. §164.512(k)(7) as amended by the HIPAA NICS Rule.
[15] See 45 C.F.R. §164.512(k)(7) as amended by the HIPAA NICS Rule.
[16] See 45 C.F.R. §164.512(k)(7).
[17] See HIPAA NICS Rule at 393.
[18] See HIPAA NICS Rule at 384.
[19] See HIPAA NICS Rule at 34. Note that it is the FBI, and not the OCR, that has the authority to “define the information required by NICS.” Id.
[20] See HIPAA NICS Rule at 386.
[21] See HIPAA NICS Rule at 387.
[22] See HIPAA NICS Rule at 390.
[23] See HIPAA NICS Rule at 387.