The Department of Health and Human Services has revealed a final rule permitting certain covered bodies to disclose specific elements of Protected Health Information (PHI) to the National Instant Criminal Background Check System (NICS), altering the HIPAA Privacy Rule.
At the time of publishing, HIPAA does not allow healthcare providers to disclose PHI, except in a very limited number of circumstances, without first having received permission from a patient. The rule amendment, which will become effective 30 days after publication in the federal register, will allow certain data about individuals to be divulged and entered into NICS by some HIPAA-covered entities.
NICS is controlled by the FBI and is used by Federal Firearms Licensees (FFLs) to determine whether an individual is allowed to purchase a firearm. When an FFL starts a NICS background check on a person, the system will search three separate databases: The Interstate Identification Index (III), The National Crime Information Center (NCIC), and the NICS Index. NCIC and III contain information on peoples who have been convicted of crimes, are wanted by law enforcement bodies, are deported felons, or who are subject to protection orders. The data that will be permitted to be disclosed under the new final rule would be used to update the NICS index.
The final rule covers a very specific section of HIPAA-covered bodies, and will only allow the disclosure of very specific data. The change does not permit healthcare providers or other HIPAA covered bodies to divulge any diagnostic or clinical information. The only data that can be divulged is certain demographic information and a limited amount of PHI that is requested by NICS for the purpose of identifying an individual as being prohibited from being included in a firearm transfer.
The rule amendment will only impact people who are currently prevented from shipping, receiving, transporting, or possessing a firearm under current Federal laws. That includes people who are deemed to be a danger to others or themselves, or who lack the mental capacity to contract or manage their own affairs. This is the case whether this incapacity or incompetency has been caused by a condition, disease, mental illness, or is due to lower than usual intelligence.
It will also apply to people who have previously been involuntarily committed to a mental institution or found to have been incompetent to stand trial, or have been found not guilty of a crime by reason of insanity.
The rule amendment does not apply to all HIPAA-covered bodies, only those who are required to make a decision on adjudications or commitment, or “that serve as repositories of information for NICS reporting purposes.” The only data that can be disclosed is that which allows a judgement that the individual is subject to the Federal mental health prohibitor under the Gun Control Act (1968).
While it is important to secure the privacy of all healthcare patients, certain data is required by government organizations in order to make decisions to better protect the public, hence the need for the final rule amendment.
