October 18, 2019

October 18, 2019

Subscribe to Latest Legal News and Analysis

October 17, 2019

Subscribe to Latest Legal News and Analysis

October 16, 2019

Subscribe to Latest Legal News and Analysis

HIPAA Privacy Rule Amendment will Permit Very Limited Reporting of Mental Health Information to NICS

An amendment to HIPAA’s privacy rules will allow a limited subset of covered entities (such as, potentially, state agencies) to disclose information to the National Instant Criminal Background Check System (NICS).

The amendment takes effect February 5, 2016, and will be most relevant in those states that do not already require reporting of this information to the NICS. According to a 2014 article from the Washington Post[1], thirty states have passed laws requiring the reporting of this information to the NICS. The amendment will allow the qualified entities that aren’t required by state law to report the information to NICS to do so without violating HIPAA.

This amendment will only apply to a very limited subset of entities that are considered “covered entities” under HIPAA that have lawful authority to make mental health adjudications or decisions of involuntary commitments, or act as designated repositories to collect and report to the NICS the identities of individuals prohibited from possessing a firearm because they are subject to a “[f]ederal mental health prohibitor”. For example, a state health agency may fall within this definition.

An individual is subject to a “federal mental health prohibitor” if he has been:

  • Involuntarily committed to a mental institution;
  • Found incompetent to stand trial or not guilty by reason of insanity, or;
  • Otherwise determined by a court, board, commission or other lawful authority to be a danger to themselves or others or to lack the mental capacity to contract or manage their own affairs; as a result of marked subnormal intelligence or mental illness, incompetency, condition or disease.

The information permitted to be reported by these entities is also very limited. Diagnostic and clinical information from medical records or other sources may not be disclosed. Only the information needed for NICS reporting may be disclosed (such as the name of individual, their date of birth, and their gender).

[1] See here (last accessed January 7, 2016).

© Copyright 2019 Dickinson Wright PLLC


About this Author

Rose Willis, Dickinson Wright, Healthcare Regulatory Matters Lawyer, HIPAA Privacy Attorney

Rose's practice focuses on healthcare regulatory, transactional and corporate law in her representation of healthcare providers and suppliers and other current or prospective participants in the healthcare industry. Rose regularly counsels healthcare industry clients on matters regarding:

  • Entity governance documents such as Bylaws, Operating Agreements, Shareholder Agreements, Buy-Sell Agreements and Deferred Compensation Agreements

  • HIPAA privacy and security laws

  • ...