HHS Considers Amending HIPAA Privacy Rule to Permit Disclosure of Mental Health Information for Firearm Background Checks
Adding yet another wrinkle to the nation’s contentious gun control debate, the U.S. Department of Health and Human Services (HHS) has released an Advance Notice of Proposed Rulemaking (ANPRM) soliciting information and public comment on possible amendments to the HIPAA Privacy Rule to permit disclosure of limited mental health information to the National Instant Criminal Background Check System (NICS). The ANPRM stems from one of the 23 Executive Actions included in the Obama Administration’s January 2013 plan to reduce gun violence that sought to address “unnecessary legal barriers, particularly relating to [HIPAA], that may prevent states from making information available to the NICS.”
What is the NICS?
The NICS is the federal government’s background check system for the sale or transfer of firearms. Established under the Brady Handgun Violence Prevention Act, licensed gun dealers use the NICS to identify persons who are subject to one or more “prohibitors” under the Gun Control Act that make them ineligible to purchase firearms. One such prohibitor is the “mental health prohibitor,” which applies to persons who have been involuntarily committed to a mental institution, found incompetent to stand trial or not guilty by reason of insanity, or otherwise adjudicated as having a serious mental condition that results in their presenting a danger to themselves or to others or being unable to manage their own affairs. Prohibitors often originate at the state level, but federal law does not require state agencies to disclose the identities of individuals subject to prohibitors to the NICS, and not all states report prohibitors. This lack of reporting to the NICS can result in the sale or transfer of firearms to individuals who are prohibited from purchasing them.
How does the Privacy Rule Affect the NICS?
According to the ANPRM, some states are not reporting mental health prohibitor information to the NICS because they are concerned that such disclosures may be prohibited under the HIPAA Privacy Rule. However, as the ANPRM points out, much of the mental health prohibitor information in question, such as records of individuals adjudicated as incompetent to stand trial, originates with entities in the criminal justice system that are not covered entities subject to the Privacy Rule. In addition, to the extent covered entities are involved, the ANPRM provides that there are ways in which the Privacy Rule permits reporting to the NICS, such as through the enactment of state legislation requiring such reporting or the use of hybrid entity status. The ANPRM does note, however, that NICS reporting would not fall under the Privacy Rule’s provisions permitting disclosures for law enforcement purposes (which apply to specific law enforcement inquiries) or to avert a serious threat to public safety (which require an imminent threat of harm).
How would the amendment work?
The amendments under consideration would expressly permit covered entities with information on the identities of persons subject to a mental health prohibitor to disclose this information to the NICS. Such disclosures would be subject to the minimum necessary rule and would likely be limited to names, demographic information, and codes identifying the reporting entity and the relevant prohibitor. No treatment records or other clinical or diagnostic information would be disclosed. In addition, only those entities responsible for the determination that a mental health prohibitor exists would be permitted to disclose the information.
HHS is seeking information regarding the nature and scope of the underreporting problem, the entities creating and/or maintaining data, the extent to which existing permissible disclosures are insufficient and additional methods of disseminating information concerning whether the Privacy Rule affects reporting to the NICS. In particular, HHS has requested specific examples of situations where NICS reporting has been hindered by HIPAA requirements or where covered entities are uncertain over how HIPAA applies to such reporting. HHS will then review and evaluate comments to the ANPRM and determine whether amendments to the HIPAA Privacy Rule are necessary. Comments regarding the Privacy Rule amendments and the information requested by HHS are due by June 7, 2013.