NICS Reports Now Permitted Under HIPAA Privacy Rules

by | Jan 7, 2016

The Department of Health and Human Services has revealed a final rule permitting certain covered bodies to disclose specific elements of Protected Health Information (PHI) to the National Instant Criminal Background Check System (NICS), altering the HIPAA Privacy Rule.

At the time of publishing, HIPAA does not allow healthcare providers to disclose PHI, except in a very limited number of circumstances, without first having received permission from a patient. The rule amendment, which will become effective 30 days after publication in the federal register, will allow certain data about individuals to be divulged and entered into NICS by some HIPAA-covered entities.

NICS is controlled by the FBI and is used by Federal Firearms Licensees (FFLs) to determine whether an individual is allowed to purchase a firearm. When an FFL starts a NICS background check on a person, the system will search three separate databases: The Interstate Identification Index (III), The National Crime Information Center (NCIC), and the NICS Index. NCIC and III contain information on peoples who have been convicted of crimes, are wanted by law enforcement bodies, are deported felons, or who are subject to protection orders. The data that will be permitted to be disclosed under the new final rule would be used to update the NICS index.

The final rule covers a very specific section of HIPAA-covered bodies, and will only allow the disclosure of very specific data. The change does not permit healthcare providers or other HIPAA covered bodies to divulge any diagnostic or clinical information. The only data that can be divulged is certain demographic information and a limited amount of PHI that is requested by NICS for the purpose of identifying an individual as being prohibited from being included in a firearm transfer.

The rule amendment will only impact people who are currently prevented from shipping, receiving, transporting, or possessing a firearm under current Federal laws. That includes people who are deemed to be a danger to others or themselves, or who lack the mental capacity to contract or manage their own affairs. This is the case whether this incapacity or incompetency has been caused by a condition, disease, mental illness, or is due to lower than usual intelligence.

It will also apply to people who have previously been involuntarily committed to a mental institution or found to have been incompetent to stand trial, or have been found not guilty of a crime by reason of insanity.

The rule amendment does not apply to all HIPAA-covered bodies, only those who are required to make a decision on adjudications or commitment, or “that serve as repositories of information for NICS reporting purposes.” The only data that can be disclosed is that which allows a judgement that the individual is subject to the Federal mental health prohibitor under the Gun Control Act (1968).

While it is important to secure the privacy of all healthcare patients, certain data is required by government organizations in order to make decisions to better protect the public, hence the need for the final rule amendment.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy