On January 6, 2016, the U.S. Department of Health and Human Services (HHS) issued a final rule amending the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to strengthen the current background check system in order to prevent individuals prohibited by law from possessing or receiving firearms. As background, HIPAA regulates how covered entities (health plans, health care clearinghouses and health care providers that conduct certain transactions electronically) may use and disclose protected health information (PHI). PHI includes individually identifiable health information, such as names, social security numbers and addresses, when that information is associated with health data. Covered entities may only use or disclose PHI without an individual’s prior authorization if expressly permitted in the HIPAA Privacy Rule. The final rule creates a new pathway that allows, but not does not require, certain covered entities to disclose PHI about individuals prohibited from possessing or receiving firearms to the National Instant Criminal Background Check System (NICS) without the individual’s prior authorization.

Federal firearms licensees, such as gun dealers, pawnbrokers, and manufacturers of firearms or ammunition, use the NICS to determine if a potential purchaser or recipient of a firearm is prohibited by law from possessing or receiving a firearm as part of the required background check process. One category of individuals who may not ship, transport, receive or possess firearms is the “federal mental health prohibitor.” This category of disqualified persons includes:  individuals who have been involuntarily committed to a mental health facility; individuals found incompetent to stand trial or not guilty by reason of insanity; and individuals determined by a lawful authority, such as a court, to be a danger to themselves or others or unable to manage their own affairs due to mental illness, incompetency, condition, disease or marked subnormal intelligence. The new rule cross-references, but does not change or expand the federal mental health prohibitor, which was created by the Gun Control Act of 1968 and appears in U.S. Department of Justice (DOJ) regulations. HHS plans to work with DOJ to create guidance on the groups within the federal mental health prohibitor.

Supporters of the final rule argue that it may decrease rates of gun violence, increase NICS reporting, limit the ability of individuals with severe mental health issues to acquire firearms, and reduce a risk of harm to the public and the individuals themselves. Detractors assert that changing HIPAA would not necessarily increase reporting of federal mental health prohibitor information and the rule would infringe on the Second Amendment right to bear arms and due process. Those opposed to the new rule say it may discourage individuals from seeking mental health treatment. In response, HHS notes that comments on the federal mental health prohibitor are outside the scope of the HIPAA Privacy Rule and states that a mental health diagnosis alone would not cause an individual to be subject to a federal mental health prohibitor.

Prior to HHS’s issuance of this final rule, covered entities could only report to the NICS without an individual’s authorization in two situations: (1) if a state law required covered entities to make such reports, or (2) if the covered entity was a hybrid entity and reported prohibitor information through one of its designated components that did not perform HIPAA covered functions. If a state did not require covered entities to make reports to the NICS, then state lawmakers may have expressed concerns that a law requiring entities to make reports to the NICS would be preempted by the Privacy Rule. HIPAA generally preempts contrary state laws, unless the state law relates to the privacy of individually identifiable health information and is more stringent than the requirements of the Privacy Rule. HHS clarified in the final rule that because the Privacy Rule permits uses and disclosures of PHI that are required by law, HIPAA would not preempt any state law requirement that covered entities report to the NICS. To the extent that this final rule allows, but does not require, certain covered entities to disclose PHI for NICS reporting purposes, HHS also noted it would not consider any state law that prohibits disclosures of PHI to the NICS to be contrary to the Privacy Rule. In other words, were a state law to prohibit the disclosures of mental health information to the NICS, that state law would not be preempted under HIPAA and the provider would not be empowered by HIPAA to make such disclosure.

Covered Entities Affected

The amendment to the Privacy Rule adds the NICS reporting provision to an existing section that describes when a covered entity may use and disclose PHI without individual authorization for specialized government functions, 45 C.F.R. § 164.512. The NICS provision allows two types of covered entities to use or disclose PHI for purposes of NICS reporting: (1) those covered entities with the lawful authority to make adjudications or commitment decisions that subject individuals to the federal mental health prohibitor, and (2) those covered entities that serve as repositories of information for NICS reporting purposes. These two types of covered entities may include state departments of mental health, public health, state records repositories, or other state agencies, boards, or commissions outside of the court system.

The rule does not create a blanket exception that would permit other types of covered entities to disclose PHI about their patients to the NICS. Mental health providers that electronically submit bills to insurance, but have no authority to involuntarily commit an individual, may not report their patients to the NICS under this rule. Only covered entities that perform an adjudicatory or data repository function may report PHI to the NICS. HHS limited the rule to these covered entities in response to concerns that the rule would discourage individuals who need mental health treatment from seeking such treatment. HHS noted that this modification to the Privacy Rule may only affect a small number of covered entities. This is not the first time that HHS has limited the applicability of a Privacy Rule provision to only a few covered entities.

Limitations of the Amendment to the HIPAA Privacy Rule

The new rule does not apply to all individuals with a mental health diagnosis. Nor does the rule allow the two types of covered entities to disclose treatment records or diagnostic or clinical information for NICS reporting. Affected covered entities may report only limited demographic and other information to the NICS, though HHS does not specify exactly which data elements a covered entity may disclose to the NICS. In the rule’s preamble, HHS clarified that information needed for NICS reporting could include: data elements required to create a NICS record as well as information that could exclude false positives when a background check is conducted, including social security number, state of residence, height, weight, place of birth, eye color, hair color and race. The rule does not allow the two types of covered entities to disclose PHI that is not needed for NICS reporting purposes.

State Law Considerations

Under the new rule, covered entities are not permitted to disclose PHI for NICS reporting if an individual is only the subject of a state mental health prohibitor. State mental health prohibitors may be broader or lack the same procedural protections as federal mental health prohibitors. For example, state mental health prohibitors may include individuals who voluntarily commit themselves to a mental health facility. However, if a state law required a covered entity to report information to the NICS on state mental health prohibitors, the covered entity could still report such information to the NICS in compliance with the Privacy Rule. Similarly, state law prohibitors may be reported to the NICS by non-HIPAA covered entities, such as hybrid entities with non-covered components.

As mentioned above, the rule creates a new permitted pathway for the specified covered entities to make disclosures to the NICS under the Privacy Rule. The rule does not require the two types of covered entities to disclose the identities of federal mental health prohibitors to the NICS; it permits such disclosures. If a state law prohibits disclosures to the NICS, according to HHS, such a law is not contrary to the Privacy Rule. As a result, a covered entity could comply with the revised Privacy Rule, which does not mandate disclosures, and a state law prohibiting such disclosures by not disclosing PHI to the NICS.