Clearing Up Confusion Over the Modified HIPAA Privacy Rule

The Department of Health and Human Services issued a final rule under the Health Insurance Portability and Accountability Act of 1996, which will go into effect on February 5, 2016. HHS published the final rule in tandem with President Obama’s recently announced executive actions to reduce gun violence.

The final rule expressly permits certain covered entities under HIPAA to disclose limited demographic and other information to the National Instant Criminal Background Check System (NICS), or to an entity that is designated by the State to report to the NICS (or which collects information for this reporting). The covered entities are prohibited, however, from disclosing diagnostic or clinical information for this purpose.

The final rule has generated a lot of confusion. In fact, it is a narrow rule that applies to very few covered entities. The rule expressly describes the entities to which it applies as State agencies and other entities that are:

  • a court, board, commission, or other lawful authority that actually makes the commitment or adjudication that causes an individual to become subject to the Federal mental health prohibitor at 18 U.S.C. 922(g)(4) (described below); or
  • designated by the State to report (or which collects information for purposes of reporting), on behalf of the State, to the NICS.

The reference to courts, boards and commissions is perplexing, since these entities generally are not covered by HIPAA to begin with. Some clarity can be found in the rule’s preamble, in the link to Federal Register provided above.  As HHS explains,

“This final rule applies only to covered entities that function as repositories of information relevant to the Federal mental health prohibitor on behalf of a State or that are responsible for ordering the involuntary commitments or other adjudications that make an individual subject to the Federal mental health prohibitor.”

As HHS also acknowledges, for the most part, formal adjudications and data repository functions are conducted by court systems and law enforcement agencies that are not HIPAA covered entities.

Under the final rule, these covered entities may – but are not required to – disclose certain, limited demographic information to the NICS about individuals who are subject to a Federal “mental health prohibitor” that disqualifies them from shipping, transporting, possessing or receiving a firearm.

Individuals subject to the Federal mental health prohibitor include:

  • Individuals who have been involuntarily committed to a mental institution;
  • Individuals found incompetent to stand trial or not guilty by reason of insanity; or
  • Individuals otherwise have been determined by a court, board, commission or other lawful authority to be a danger to themselves or others or to lack the mental capacity to contract or manage their own affairs, as a result of marked subnormal intelligent or mental illness, incompetency, condition or disease

However, the final rule contains no express permission for the designated covered entities to disclose information on individuals who are subject to State-only mental health prohibitors. Adding to the confusion, in some States, covered entities are already required to report similar information, and therefore do not face barriers under HIPAA in the first instance.

The final rule is narrow – it applies to very few covered entities. If your organization is not certain whether it falls into the above-listed categories, it probably does not.

This entry was posted in Corporate Data Policies, Cyber Laws, Data Security, HIPAA Privacy, Privacy & Information Management, State Governments and tagged , , . Bookmark the permalink.

Speak Your Mind

Tell us what you're thinking...
and oh, if you want a pic to show with your comment, go get a gravatar!