Posted by Health Law Informer Author
on January 06, 2016
HHS,
OCR /
No Comments
In the wake of recent gun violence and in a concerted effort to protect public safety, the Department of Health and Human Services (HHS) released a final rule published in the Federal Register January 6, 2016, that modifies the HIPAA Privacy Rule to expressly permit certain HIPAA covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of persons who are subject to a Federal “mental health prohibitor” that would prevent such individuals from possessing a firearm (“Final Rule”). The covered entities are those that have “lawful authority to make the adjudications or commitment decisions that make individuals subject to the Federal mental health prohibitor, or that serve as repositories of NICS reporting purposes.”
The Final Rule, which will appear at 42 C.F.R § 164.512(k)(7), adopted what HHS had initially proposed in April 2013 in its proposed rule. The purpose of the Final Rule is to afford the NICS with the ability to identify individuals subject to this prohibitor for the purpose of disqualifying them from shipping, transporting, possessing or receiving a firearm. Individuals subject to the Federal mental health prohibitor include those who have been involuntarily committed to a mental health institution, found incompetent to stand trial or not guilty by reason of insanity, or have been determined by a court or other lawful authority to be a danger to themselves or others or being unable to manage their own affairs. The disclosures to the NICS will be restricted to limited demographic and other information required by the NICS. Further, the Final Rule specifically prohibits the disclosure of any diagnostic or clinical information and “any mental health information beyond the indication that the individual is subject to the Federal mental health prohibitor.”
Importantly, the Final Rule’s express permission to disclose/report is narrowly tailored. Specifically, it does not extend to covered entities permission to report to the NICS the protected health information of individuals who are subject to the State-only mental health prohibitors. Additionally, the permission is not extended to “most treating providers”, which emphasizes HHS’ intention to protect the privacy of the patient-provider relationship.
A key tension at the heart of the gun control issue for years has been how to adequately protect individual privacy, in particular, mental health information, and maintain public safety. Not surprisingly, the Final Rule’s publication comes at a time of heightened tension between these issues, and President Obama announced yesterday that under his executive actions on guns, the administration will, among other actions, seek to expand mandatory background checks for certain private gun sales.
The Final Rule is effective February 5, 2016, 30 days from its publication in the Federal Register. To learn more about reporting under the Final Rule and the amended HIPAA regulation, please contact Greg Fliszar, J. Nicole Martin or any member of Cozen O’Connor’s Health Care team.
About The Authors
Tags: covered entities, covered entity, gun control, health, HIPAA, mental health, NICS, privacy
Posted by Health Law Informer Author
on November 18, 2014
CDC,
HHS,
OCR /
No Comments
In response to the recent Ebola outbreak in West Africa and in light of patients being treated in several hospitals in the U.S., the HHS, OCR (OCR) recently issued a HIPAA Bulletin to remind us that HIPAA covered entities and business associates must maintain the privacy of protected health information (PHI) even in emergency situations (“Guidance”). According to the OCR, the Guidance serves as a reminder “that the protections of the [HIPAA] Privacy Rule are not set aside during an emergency.”
The OCR explains that the HIPAA Privacy Rule requires a balance between the protection of the privacy of PHI against the necessary uses and disclosures of such information “to treat a patient, to protect the nation’s public health, and for other critical purposes” during emergency situations. Although the OCR introduces no new requirements under the HIPAA Privacy Rule, the Guidance lays out the circumstances under which patient information may be shared in emergencies, such as for/due to:
- Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification
- Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification
- Imminent Danger
- Public Health Activities (i.e., to a public health authority; at the direction of a public health authority, to a foreign government agency; and to persons at risk)
- Treatment
The OCR reminds us that most disclosures require covered entities to make “reasonable efforts to limit the information disclosed to that which is the ‘minimum necessary.’” Further, covered entities are also required to: (i) implement “reasonable” safeguards necessary to protect PHI from intentional/unintentional uses and disclosures that are impermissible under HIPAA; and (ii) continue to apply administrative, physical and technical safeguards to protect e-PHI under the HIPAA Security Rule.
Further, according to the OCR, under the Project Bioshield Act of 2004 and Section 1135(b)(7) of the Social Security Act, the Secretary of HHS may waive certain HIPAA Privacy Rule provisions during public health or other emergencies. Such limited waivers require both the President to declare an emergency or disaster and the Secretary of HHS to declare a public health emergency. Additional information regarding the limited waivers appears in the Guidance.
As Ebola remains an emergency of both national and international concern, it not surprising that federal agencies continue to publish updated Ebola guidance. This Guidance reminds all of us, especially covered entities and business associates, that even in emergency situations, patient privacy must be protected, unless the limited waiver is invoked, and if not, covered entities and business associates will face consequences for violating the HIPAA Privacy Rule. For additional information regarding the HIPAA Privacy Rule in the context of emergency situations, see the HHS website. Also see similar guidance (Bulletin and Bulletin published by HHS in 2005 in response to Hurricane Katrina.
About The Author
Tags: business associates, CDC, covered entities, Ebola, emergency, HHS, HIPAA, outbreak, PHI, privacy, Privacy Rule, protected health information, Security Rule