President Obama’s recent announcement that he is changing the Health Insurance Portability and Accountability Act (HIPAA) to allow reporting of patients with mental health issues drew acclaim from gun control advocates, but the effect on healthcare providers was not clear. Some legal experts caution that, despite how the rule change is being reported in the general media, it is not a broad HIPAA modification and will apply only to a subset of healthcare providers.
Don’t let your physicians and staff misunderstand the rule change and think they have carte blanche to report patients whom they fear could be violent at some point. In most cases, that reporting still would be a HIPAA violation.
Most healthcare organizations don’t report mentally ill patients to the Federal Bureau of Investigation’s National Instant Criminal Background Check System (NICS), the federal database used to conduct background searches on people who want to buy guns. The database is intended to prevent guns from being sold to prohibited individuals, primarily felons, but also anyone deemed “mentally defective” or who has been involuntarily committed to a mental institution. The Justice Department reports that the database has prevented more than 2 million guns from getting into the wrong hands since it was created in 1998, with most of the data coming from state civil court systems.
Previously, the Department of Health and Human Services didn’t allow reporting to NICS under the HIPAA exemption when law enforcement agencies inquired about a person, even if the person posed a serious threat to health or safety. Some state agencies could report those individuals by separating patient healthcare information from other state data, but for the most part, the NICS received little such information. A 2012 General Accountability Office report stated that 17 states had submitted fewer than 10 records of people prohibited, for mental health reasons, from legally buying guns.
Intending to improve the reporting, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a final rule, which took effect this month. That rule clearly states that, for some covered entities, there is no HIPAA prohibition on reporting patients with mental health issues to the NICS. (The rule is available online at http://tinyurl.com/h5526mc.) The new rule states that HHS is modifying HIPAA “to expressly permit certain HIPAA covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of individuals who are subject to a Federal ‘mental health prohibitor’ that disqualifies them from shipping, transporting, possessing, or receiving a firearm.” Note that OCR addressed the change only to “certain” covered entities.
The rule also specifies some limitations: “Under this final rule, only covered entities with lawful authority to make the adjudications or commitment decisions that make individuals subject to the Federal mental health prohibitor, or that serve as repositories of information for NICS reporting purposes, are permitted to disclose the information needed for these purposes. The disclosure is restricted to limited demographic and certain other information needed for NICS purposes. The rule specifically prohibits the disclosure of diagnostic or clinical information, from medical records or other sources, and any mental health information beyond the indication that the individual is subject to the Federal mental health prohibitor.”
CLARIFYING EXISTING LAW
Essentially, OCR is affirming what already was the law under HIPAA, explains Abner E. Weintraub, a HIPAA consultant in Oregon City, OR.
HIPAA already allowed certain healthcare providers and the state agencies to report mental health issues to NICS without violating HIPAA, but the complexity of the law and the potential for substantial fines and other consequences caused many of them to hesitate and play it safe by deciding not to report, he explains. In the modified rule, OCR explains that those providers and agencies already had ways to report, but that they often required setting up separate entities and databases to keep information separate. That requirement was a burden and, as OCR describes, “despite these avenues for disclosure, many States still were not reporting to the NICS essential information on persons prohibited from possessing firearms for reasons related to mental health; concerns were raised that the HIPAA Privacy Rule’s restrictions on covered entities’ disclosures of PHI [protected health information] might be preventing certain States from reporting the relevant information to the NICS.”
Healthcare providers can easily misinterpret the rule change, Weintraub cautions. The change — or more appropriately, the confirmation or clarification — applies only to state agencies or any other entity that is designated by a state to report information to the NICS. This group can include healthcare providers that operate within one of those agencies, such as a state mental health facility.
“This is a very, very narrow change that affects a narrow group of providers. It does not affect 95% of healthcare providers, and it does not make any change to the requirements or prohibitions regarding health information for most medical providers,” Weintraub says. “Because of the news reports going around, people think this affects all medical providers, but it does not. This is a huge misunderstanding in the making.”
The healthcare providers most likely to fall under this part of HIPAA are those that have a contract to provide mental health assessments to courts, Weintraub explains. The new rule amends section 164.512 by adding a paragraph stating unequivocally that HIPAA does not prohibit those covered entities from disclosing PHI, he says.
“There has been a lot of discussion in that small circle that there is a conflict with HIPAA over the reporting that they have already been doing,” Weintraub says. “OCR had been privately advising these folks that there is no conflict with HIPAA. But with gun violence in the news so much lately, OCR decided it was necessary to provide written clarification that HIPAA does not conflict with their ability to do this reporting.”
MOST STILL CAN'T RELEASE PHI
Other healthcare providers still are bound by HIPAA restrictions that prohibit the release of PHI, including a person’s mental status.
That restriction means the typical acute care hospital still cannot report to NICS that a patient has a mental illness and could be violent, Weintraub explains. However, healthcare providers have always been allowed, even obligated, to report to law enforcement when patients pose a threat of imminent harm to themselves or others, he notes. HIPAA has never prohibited that reporting, and it still doesn’t, Weintraub says.
“This was a clarifying change to a single section of HIPAA aimed at a very narrow segment of courts and agencies, and a very few medical providers involved with those courts and agencies, that were already allowed to report to NICS,” he says.
Risk managers should be on the lookout for physicians and staff who misinterpret this HIPAA rule, says R. Stephen Trosty, JD, MHA, ARM, CPHRM, president of Risk Management Consulting in Haslett, MI, and a past president of the American Society for Healthcare Risk Management (ASHRM) in Chicago.
“The way it’s been reported in the media and what it is are actually two different things. It’s very confusing,” Trosty says. “I hope risk managers will look into the actual regulation and not just go on what the media reports. They will find that, in most cases, it doesn’t affect them and nothing has changed.”
Trosty is more concerned about physicians. If they are removed from the hospital’s education pipeline, where the risk manager should educate staff about what the rule change means, physicians and their practice staff might rely on media reports that give the impression that they can report patients with mental issues, he says. Many physician offices don’t keep up with HIPAA details on a day-to-day basis, he notes.
“Given what’s been happening with the shootings lately, all the concern over that, they may decide that it’s better to be safe than sorry. They want to do the right thing, so they try to report the patient to the database,” Trosty says. “Of course, that’s going to get them in trouble.”
Risk managers should ensure that education about the HIPAA rule includes not just hospital staff but also physicians and their staffs who are affiliated with the hospital or health system, Trosty advises. Too often, he says, physicians are left out of the loop when risk managers provide education.
“The liability is going to be on the hospital or health system if the physicians in that system do something wrong,” Trosty says. “This is a potential liability issue that can have very substantial financial consequences.”
- R. Stephen Trosty, JD, MHA, CPHRM, President, Risk Management Consulting, Haslett, MI. Email: email@example.com.
- Abner E. Weintraub, Oregon City, OR. Telephone: (503) 759-311.