Providers Get More Flexibility To Report Mental Health Patients To Gun Data Base Under New Privacy Rule

As part of the broader series of regulatory and executive actions that President Obama says the Obama Administration is taking in hopes of deterring gun violence, the Department of Health & Human Service Office of Civil Rights (“OCR”) is amending the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule applicable to health care providers, health plans, healthcare clearinghouses and their business associates (hereafter, collectively “Covered Entities”) to expressly permit some (not all) HIPAA-Covered Entities to disclose the identities of and certain other protected health information (PHI) of individuals with certain mental health conditions that would disqualify the individual from having a firearm under Federal law.

“The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the National Instant Criminal Background Check System (NICS): Final Rule” (“Final Rule”) scheduled for official publication in the Federal Register today (January 6, 2016).

The adoption of the Final Rule provides more latitude for some by not all health care providers covered by HIPAA to report for listing on the NICS patients with gun ownership disqualifying mental health histories under the Brady Handgun Violence Prevention Act of 1993, Pub. L. 103-159 (Brady Gun Law), and its implementing regulations.

However, an analysis of a prepublication copy of the Final Rule available for review here reveals that while the Final Rule will provide greater latitude for some Covered Entities to disclose the identify and other specified PHI to the NICS data base, Covered Entities contemplating making such disclosures should conduct a careful, well-documented analysis of the proposed report to ensure that the disclosure fulfills each of the requirements to qualify as allowed by the Final Rule.

The NICS reporting and other requirements of the Brady Gun Law and the Gun Control Act of 1968, as amended (Title 18, United States Code, Chapter 44), certain individuals from owning, and licensed dealers from selling or otherwise transferring firearms to certain categories of individuals referred to as “prohibitors” including felons and, most relevant for the Final Rule, “mental health prohibitors.”

Under the Department of Justice (DOJ) regulations, a “mental health prohibitors” are defined as individuals who have been involuntarily committed to a mental institution, for reasons such as mental illness or drug use; found incompetent to stand trial or not guilty by reason of insanity; or otherwise determined by a court, board, commission, or other lawful authority to be a danger to themselves or others or unable to manage their own affairs, as a result of marked subnormal intelligence, or mental illness, incompetency.

Prior to the adoption of the Final Rule, many health care providers have cited the HIPAA Privacy Rule as a deterrent to their reporting patients whose mental health history would qualify the patients as mental health prohibitors to the NICS. The HIPAA Privacy Rule, establishes federal protections to ensure the privacy and security of protected health information (PHI) and establishes an array of individual rights with respect to one’s own health information by providing that Covered Entities may only use and disclose individually identifiable health care information considered “protected health information” for purposes of HIPAA (“PHI” with the individual’s written authorization, or as otherwise expressly permitted or required by the HIPAA Privacy Rule.

As interpreted by OCR prior to its adoption of the Final Rule, a health care provider or other Covered Entity generally could not rely upon exceptions from the Privacy Rule for disclosures to law enforcement or for safety to exempt the report from HIPAA’s prohibitions against disclosure of PHI where the record of an involuntary commitment or mental health adjudication originated with a HIPAA covered entity, or the HIPAA covered entity is the State repository for such records. Rather, OCR interpreted the Privacy Rule as providing only three possible ways in which Covered Entities generally could report to the NICS (without the individual’s authorization):

  • The patient authorized the disclosure in accordance with the HIPAA Privacy Rule;
  • Where a State enacted a law that requires (and does not merely authorize) such reporting; or
  • Where no such state law exists, a HIPAA covered entity that performs both health care and non-health care functions (e.g., NICS reporting) could become a hybrid entity under HIPAA so that the Privacy Rule applies only to its health care functions and then report the prohibitor information through its non-HIPAA covered NICS reporting unit without restriction under the Privacy Rule.

OCR’s adoption of the Final Rule implements changes that it previously proposed in 2013 as part of a series of 23 executive actions President Obama proposed in 2013 aimed at curbing gun violence across the nation. OCR says its adoption of the Final Rule is an important step to improving public safety by better enabling the reporting of the identities of prohibited individuals to the background check system “while continuing to strongly protect individuals’ privacy interests.”

While preserving these options, the Final Rule expands the authority of health care providers and other Covered Entities to report a mental health prohibitor to the NICS data bank by creating a specific NICS reporting disclosure exception to the HIPAA Privacy Rule’s general prohibitions against disclosures of PHI without authorization in Privacy Rule § 164.512(k)(7).

Health care providers and other Covered Entities considering making NICS reports about the mental health history of individuals that qualifies as PHI should proceed with caution. The Final Rule only authorizes NICS disclosures of PHI for a small subset of HIPAA Covered Entities that either make the mental health determinations that disqualify individuals from having a firearm or are designated by their States to report this information to NICS. The rule does not apply to most treating providers.

Under the Final Rule, a Covered Entity may use or disclose PHI for purposes of reporting to the National Instant Criminal Background Check System the identity of an individual who is prohibited from possessing a firearm as a mental health prohibitor under 18 U.S.C. 922(g)(4), if the Covered Entity:

  • Is a State agency or other entity that is, or contains an entity that is either
    •  An entity designated by the State to report, or which collects information for purposes of reporting, on behalf of the State, to the National Instant Criminal Background Check System; or
    • A court, board, commission, or other lawful authority that makes the commitment or adjudication that causes an individual to be a mental health prohibitor; and
  • Discloses the information only to:
    • The National Instant Criminal Background Check System; or
    • An entity designated by the State to report, or which collects information for purposes of reporting, on behalf of the State, to the National Instant Criminal Background Check System; and
  • Discloses only the limited demographic and certain other information needed for purposes of reporting to the National Instant Criminal Background Check System; and
  • Does not disclose diagnostic or clinical information for such purposes.

Health care providers contemplating making or the need to consider making NICS reports about persons with mental health treatment histories need to proceed cautiously as even following the adoption of the Final Rule, the health care provider should anticipate the need to manage a number of risks under HIPAA and otherwise. Obviously, since disclosure of PHI in a NICS report or otherwise exposes health care providers and other Covered Entities to civil penalties, criminal prosecution, licensing board or other disciplinary actions as well as a host of other adverse consequences, a health care provider or other Covered Entity contemplating making a NICS disclosure under the Final Rule or any other disclosure of PHI will want to ensure the all requirements to make the use or disclosure permitted under the Privacy Rule are met.

Beyond these HIPAA considerations, since the disclosures specifically relate to individuals suffering mental illness, health care providers or other Covered Entities also should take steps to mitigate their potential exposures to potential charges of disability discrimination which if not properly managed, could trigger civil sanctions by OCR under its disability discrimination rules, limitation or exclusion from Medicare or other federal program participation, law suits and other liabilities.

In addition, Covered Entities also will want to consider and manage the foreseeable challenges and exposures that could arise from the disclosure under medical malpractice, licensing board, ethics, confidentiality and other applicable federal and state laws and regulations

In light of these and other risks, health care providers or other Covered Entities contemplating making or facing the need to consider making a NICS report should consider, among other things engaging the assistance of qualified legal counsel experienced with HIPAA and these other matters to assist and advise them about:

  • Reviewing their existing policies and procedures in light of the Final Rule, as well as their state’s current policies regarding the permissibility or requirement to make NICS reports;
  • Updating their written privacy practices and notices of their privacy practices to allow the NICS report in accordance with the Final Rule
    Ensuring that the updated privacy notices are distributed going forward to patients and posted on their websites, in their facilities as required to comply with the Privacy Rule;
  • Exercising care both to verify that all requirements of the Final Rule (or the other alternatives for allowing disclosure) are met and to preserve documentation of this analysis in the event of a future complaint or investigation;
  • Reviewing and adopting additional protocols to manage potential mental health disability discrimination exposures under federal and state disability or other discrimination and laws; and
  • Considering and implementing other processes to manage foreseeable malpractice, breach of medical confidentiality, licensing or ethical requirements or other risks that could result from such disclosures.

For More Information Or Assistance

The author of this update, attorney Cynthia Marcotte Stamer, has extensive experience representing and advising health industry clients and others on these and other regulatory, risk management, public policy and operations matters.

Recognized as a “Top Lawyer” and “Legal Leader” in Healthcare Law, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, Board Certified in Labor & Employment Law, and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 28 years’ experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.

Other Helpful Resources & Other Information.

We hope that this information is useful to you. If you found these updates of interest, you also be interested in  other recent Solutions Law Press, Inc. training, articles and resources.  You can see more articles from this Health Care Update electronic publication, the Coalition for Responsible Health Care Reform electronic publication, our electronic HR & Benefits Update and other publications like the following and get information about training and other resources at


You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,” using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can access other recent updates and other informative publications and resources here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2016 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press, Inc. All other rights reserved.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: