Based on Final HIPAA Privacy Rule 2/5/16

DRAFT

Version 1/FINAL: 2/8/16

Based on Final HIPAA Privacy Rule 2/5/16

HIPAA COW

PRIVACY NETWORKING GROUP

ANALYSIS OF 2016 HIPAA PRIVACY RULE MODIFICATIONS TO STRENGTHEN THE FIREARM BACKGROUND CHECK SYSTEM

Disclaimer

This analysis document is Copyright  by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this copyright notice is not removed. When information from this document is used, HIPAA COW shall be referenced as a resource. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This analysis document is provided “as is” without any express or implied warranty. This analysis document is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. Unless otherwise noted, HIPAA COW has not addressed all state pre-emption issues related to this analysis document. Therefore, this document may need to be modified in order to comply with Wisconsin/State law.

State Preemption Issues: No state preemption issues are identified with the 2016 HIPAA Privacy Rule modification.

Purpose: To provide an analysis of the impact of the 2016 HIPAA Privacy Rule modifications to strengthen the firearm background check system. The modifications are effective February 5, 2016.

Background:

On January 4, 2016, the Department of Health and Human Services (HHS) moved forward on the Administration’s commitment to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to expressly permit certain covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of those individuals who, for mental health reasons, already are prohibited by Federal law from having a firearm. This modification better enables the reporting of the identities of prohibited individuals to the background check system and is an important step toward improving the public’s safety while continuing to strongly protect individuals’ privacy interests. The final rule gives States improved flexibility to ensure accurate but limited information is reported to the NICS. This rulemaking makes clear that, under the Privacy Rule, certain covered entities are permitted to disclose limited information to the NICS. The information that can be disclosed is the minimum necessary identifying information about individuals who have been involuntarily committed to a mental institution or otherwise have been determined by a lawful authority to be a danger to themselves or others or to lack the mental capacity to manage their own affairs.[1]

Attachment: Frequently Asked Questions (FAQs)

Definitions:

NICS: The National Instant Criminal Background Check System (NICS) is a national system that checks available records on persons who may be disqualified from receiving firearms. The FBI developed the system through a cooperative effort with the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) and local and state law enforcement agencies. The NICS is a computerized background check system designed to respond within 30 seconds on most background check inquiries so theFederal Firearms Licensees (FFL) receive an almost immediate response. Depending on the willingness of state governments to act as a liaison for the NICS, the Federal Firearm Licensees contact either the FBI or a designated state point of contact to initiate background checks on individuals purchasing or redeeming firearms.

Policy Statements:

1. In the state of Wisconsin, responsibility for reporting to NICS those individuals who have been involuntarily committed to a mental institution is the responsibility of the Wisconsin Department of Justice (DOJ). As a result, there is no NICS reporting responsibility for the individual healthcare provider.

1. In summary, the 2016 modification to the HIPAA Privacy Rule does not create any new reporting responsibility for healthcare providers.

1. The 2016 modification is as follows:

“Revision to 45 CFR 164.512of the Privacy Rule by adding a new category of permitted disclosures to45 CFR 164.512(k), which addresses uses and disclosures for specialized government functions. The new provisions at (k)(7) would permit certain covered entities to disclose the minimum necessary demographic and other information for NICS reporting purposes, which would not include clinical, diagnostic, or other mental health information.”

Applicable Regulations/Standards:

• HIPAA Privacy Rule - 45 CFR 164.512(k)

Resources:

• Fact Sheet - National Instant Criminal Background Check System, Federal Bureau of Investigation, available at:

• HIPAA Privacy Rule and the National Instant Criminal Background Check System (NICS), Press Release – January 5, 2016, U.S. Department of Health and Human Services, available at:

• HIPAA Privacy Rule, available at: .

Version History:

Current Version: February 8, 2016

Prepared by: / Reviewed by: / Content Changed:
Nancy Davis, MS, RHIA, CHPS, Privacy Officer - Ministry Health Care
Chrisann Lemery, MSE, RHIA, CHPS, FAHIMA
Senior Health Solutions Consultant & Privacy Officer
Avastone Health Solutions / Privacy Networking Group Members
Carrie Aiken, CHC
Chief Compliance Officer, GetixHealth
Marianne Baumgarten,
Director | Health Information Services / Business Services, Reedsburg Area Medical Center
Catherine J. Hansen, RHIA
Director, Health Information Services & Privacy Officer, Saint Croix Regional Medical Center
Linda A. Sturnot, CPCS, CHPE
Quality Improvement Administrator / HIPAA Privacy Officer
Forest County Potawatomi Health & Wellness Center - Quality Division / Not applicable.

Attachment

FREQUENTLY ASKED QUESTIONS FOR HEALTHCARE PROVIDERS REGARDING 2016 HIPAA PRIVACY RULE MODIFICATIONS TO STRENGTHEN THE FIREARM BACKGROUND CHECK SYSTEM

When is the change effective? February 5, 2016

Does this mean that on February 5th, healthcare providers will be responsible to report identifying information of patients who have been involuntarily committed or at risk of danger to themselves or others?

NO. In the State of Wisconsin, responsibility for reporting those individuals who have been involuntarily committed to a mental institution to NICS is with the Wisconsin Department of Justice (DOJ).[2]

How does a healthcare provider respond to a patient who feels that because of the President’s executive action and the HIPAA modifications, the patient wants to terminate their patient-provider relationship and request destruction of the patient’s existing health records?

Of course, a patient can choose at any time to terminate his or her relationship with a provider. However, a patient cannot request that his or her health records be destroyed. Healthcare providers are required by federal and state law to maintain health records for not less than a period of ten years. The health record is not only a patient communication tool, it is also a business record and legal document.

What if a patient requests that his or her health record be amended to eliminate documentation he or she may feel makes them susceptible to potential “reporting” to NICS?

An individual has the right to have a covered entity amend protected health information or a record about the individual in a designated record set for as long as the protected health information is maintained in the designated record set. A covered entity may deny an individual's request for amendment, if it determines that the protected health information or record that is the subject of the request:

• Was not created by the covered entity, unless the individual provides a reasonable basis to believe that the originator of protected health information is no longer available to act on the requested amendment;
• Is not part of the designated record set;
• Would not be available for inspection under§164.524; or
• Is accurate and complete.[3]

What should a healthcare provider do if a patient shares information that he or she has a gun and is considering harming themselves or others?

As noted in the HIPAA COW Law Enforcement Grid, healthcare providers may rely on professional judgment in determining the need to report patient information to Law Enforcement Officials when there is reasonable cause to believe that there is a need to protect the patient or the community from “imminent and substantial” danger (“duty-to-warn”). Information to be reported should be limited to:

• Patient name, age, gender.
• Patient demographic information.
• Next of kin/emergency contact information.
• Patient's general condition.
• Other information, which in the reasonable professional judgment of the provider, should be shared with the Law Enforcement Officials – including patient photograph if available.

Does the modification to the HIPAA Privacy Rule change in anyway how a healthcare provider practices?

No. Wisconsin already has in place processes to address reporting at risk individuals to NICS.

 Copyright HIPAA COW Page 1 of 5

[1] HHS-OCR Press Release dated 1/5/16 and available at:

[2] With regard to Saint Elizabeth Medical Center in Minnesota, it is generally not within the scope of the organization’s services to facilitate involuntary commitments for dangerous patients.

[3] 45 CFR §164.526