HIPAA Update: A New Permitted Disclosure for Certain Health Care Providers
On January 6, 2016, the Department of Health and Human Services issued a Final Rule modifying the HIPAA Privacy Rule. The new Rule expressly permits the disclosure of PHI to the National Instant Criminal Background Check System (NICS) for certain covered entities. The Rule aims to strengthen the accuracy of the national firearm background check system by removing any real or perceived barriers that HIPAA poses for healthcare providers in reporting PHI to the NICS.
The NICS is a reporting database created to help prevent the sale of firearms to those who are prohibited by law from owning guns. Individuals who meet the definition of the federal “prohibitors” are disqualified from owning a gun. One of the disqualifications comes from the “mental health prohibitor.” The mental health prohibitor disqualifies individuals who were:
- Subject to involuntary commitment to a mental health institution;
- Found incompetent to stand trial or not guilty by reason of insanity;
- Determined to be a danger to themselves or others, or who are found unable to manage their own affairs.
Certain covered entities have a responsibility to report the prohibited person to the NICS. The HIPAA Privacy Rule had allowed for such reporting under the existing permitted disclosures. However, HIPAA’s privacy protections were viewed by some as a barrier to the reporting obligations of the NICS. The Final Rule applies to those covered entities with lawful authority to make the adjudication or commitment decisions or those with reporting authority under individual state law.
The new permitted disclosure allows covered entities to provide the information that a NICS report requires, which is limited demographic information. In addition to the required information, the Rule allows reports to include optional information listed by the NICS. Including the optional information helps reduce instances of false matches. The preamble lists the optional data elements as “social security number, state of residence, height, weight, place of birth, eye color, hair color, and race.” The preamble excludes diagnosis or treatment information from the list of reportable information.
The Rule’s preamble repeatedly emphasizes that this new Rule will apply to a small number of covered entities which are required to report to the NICS. Those covered entities it directly affects may want to consider updating the Notice of Privacy Practices and staff training to comply with the new Rule, effective February 5, 2016.