Will Obama’s HIPAA Modification Related to Gun Control Have an Impact?

Jan. 7, 2016
This week, President Obama announced an amendment to the HIPAA Privacy Rule aiming to enable mental health providers to more easily disclose certain information to the FBI for gun background checks. While limited by design, the modification could prove valuable.

On Jan. 4, the Obama Administration announced several executive actions on gun control, mostly focused on closing loopholes, including requiring background checks at gun shows and online, with the ultimate goal to reduce gun violence. These actions, which include a new $500 million investment to help engage individuals with serious mental illness in care, will be a major focus of the mainstream media. For those of us in the health IT world, though, it was an amendment to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule that caught our attention.

As HCI Assistant Editor Heather Landi reported on Jan. 5, the amendment will enable mental health providers to more easily disclose limited information to the National Instant Criminal Background Check System (NICS). To this end, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a final rule, which takes effect next month, removing legal barriers preventing states from reporting relevant information to NICS. NICS, implemented in 1998, is maintained by the FBI to conduct background checks on people who may be legally disqualified from owning firearms.

According to a Politico Morning eHealth report from Jan. 5, this idea initially came three years ago in the wake of the tragic Newtown, Conn., shootings, but did not come to fruition until now. Meanwhile, although the Brady Handgun Violence Prevention Act of 1993 (Brady Gun Law) prohibits individuals who have been involuntarily committed to a mental health facility, found incompetent to stand trial, or deemed to be a danger to themselves from owning guns, many states have declined to release certain information to the NICS, citing prohibitions under HIPAA, despite the law's allowance to disclose data when it is required by law.

This is an issue that can certainly become very fuzzy. Do HIPAA laws prohibit providers from sharing any mental health information without the consent of patients? According to the background on the OCR final rule, currently, “HIPAA covered entities may only use and disclose protected health information (PHI) with the individual’s written authorization, or as otherwise expressly permitted or required by the HIPAA Privacy Rule.”

OCR goes on to give two instances of when covered entities can currently report to the NICS without the individual’s authorization. “First, a covered entity can disclose the relevant information to the NICS where a State has enacted a law that requires (and does not merely authorize) such reporting. Second, where a State has not enacted such a law, a HIPAA covered entity that performs both healthcare and non-healthcare functions (e.g., NICS reporting) could become a hybrid entity under HIPAA so that the Privacy Rule applies only to its healthcare functions.”

Now, under the final rule, OCR says that “If a covered healthcare entity also has a role in the relevant mental health adjudications or serves as a State data repository, it now may disclose the relevant information for NICS reporting purposes under this new permission even if it is not designated as a HIPAA hybrid entity or required by State law to report. This final rule does not create an express permission for covered entities to disclose for NICS reporting purposes the PHI of individuals who are subject to State-only mental health prohibitors.”

To clarify, this rule applies only to a small subset of HIPAA covered entities that either make the mental health determinations that disqualify individuals from having a firearm or are designated by their states to report this information to NICS.

After reading the final rule, I turned to Mental Health America, a more than 100-year-old organization dedicated to addressing the needs of those living with mental illness and to promoting the overall mental health of all Americans. According to a blog post from the organization’s President and CEO, Paul Gionfriddo, the intention of the NICS to include the names of all of those individuals who could not possess firearms legally “presents no problem for judicial system reporters. They add the information to their state repository, which in turn is supposed to report it to the NICS. However, HIPAA covered entities make the determination as to whether an individual meets the standard for inclusion in the registry and orders an involuntary commitment.”

The blog post continues, “Therefore, what the rule says is this: (1) a firearms control data center housed in a HIPAA-covered entity can share limited demographic information with the national registry; and (2) a HIPAA-covered entity that is participating in a judicial proceeding to determine that a person cannot lawfully have a firearm (such as ordering an involuntary commitment) can share limited demographic information with the registry.”

Gionfriddo adds, “This change will affect a relatively small number of people (maybe in the hundreds, maybe in the thousands). So why does it matter? It has already been determined that it is illegal for the individuals whose names will be added to the list to own or possess firearms. So this might prevent a tragic event without infringing on the rights of anyone who can possess firearms.”

I agree with Gionfriddo in that this change is very limited—it basically applies to certain covered entities to allow them to disclose to the NICS the names of individuals who are already barred from owning a firearm for mental health reasons. It does not allow anyone new to be added to the list of people who are not legally able to possess firearms. What’s more, only the name of the person in question and the entity that made the ruling are allowed to be disclosed—nothing else, according to a report from The Hill.

While limited in its design, this is still a step in the right direction. An HHS press release on the final rule even admits its specificity, noting, “The new modification is carefully and narrowly tailored to preserve the patient-provider relationship and ensure that individuals are not discouraged from seeking voluntary treatment. This rule applies only to a small subset of HIPAA covered entities that either make the mental health determinations that disqualify individuals from having a firearm or are designated by their States to report this information to NICS – and it allows such entities to report only limited identifying, non-clinical information to the NICS. The rule does not apply to most treating providers and does not allow reporting of diagnostic, clinical, or other mental health treatment information.”

In the wake of the disturbing recent shootings in San Bernardino, Calif., and in Paris, there has been much debate over what the country should do, if anything, to reduce gun violence. No matter which side of the gun control debate you’re on, most rational people will agree that guns should not be getting in the hands of people who have mental health conditions. Rather, those people should be getting help from the many qualified professionals existing in our mental health system. Thankfully, the Brady Gun Law already takes care of this.

What’s more, however, it needs to be known who these patients are, and it needs to be made easier and clearer how HIPAA covered entities can share this data. I think this recent amendment will help accomplish that goal. Some medical professionals have expressed concern that the change will discourage people from seeking treatment. Indeed, while the patient-provider relationship is one that should certainly be respected, it is more important to potentially save lives by providing these mental health records to the people who need them.

Feel free to comment below or follow me on Twitter @RajivLeventhal.
