HIPAA Privacy Rule and the National Instant Criminal Background Check System (NICS)
Advance Notice Of Proposed Rulemaking.
On January 16, 2013, President Barack Obama announced a series of Executive Actions to reduce gun violence in the United States, including efforts to improve the Federal government's background check system for the sale or transfer of firearms by licensed dealers, called the National Instant Criminal Background Check System (NICS). Among those persons disqualified from possessing or receiving firearms under Federal law are individuals who have been involuntarily committed to a mental institution; found incompetent to stand trial or not guilty by reason of insanity; or otherwise have been determined, through a formal adjudication process, to have a severe mental condition that results in the individuals presenting a danger to themselves or others or being incapable of managing their own affairs (referred to below as the “mental health prohibitor”). Concerns have been raised that, in certain states, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule may be a barrier to States' reporting the identities of individuals subject to the mental health prohibitor to the NICS. The Department of Health and Human Services (HHS or “the Department”), which administers the HIPAA regulations, is issuing this Advance Notice of Proposed Rulemaking (ANPRM) to solicit public comments on such barriers to reporting and ways in which these barriers can be addressed. In particular, we are considering creating an express permission in the HIPAA rules for reporting the relevant information to the NICS by those HIPAA covered entities responsible for involuntary commitments or the formal adjudications that would subject individuals to the mental health prohibitor, or that are otherwise designated by the States to report to the NICS. In addition, we are soliciting comments on the best methods to disseminate information on relevant HIPAA policies to State level entities that originate or maintain information that may be reported to NICS. Finally, we are soliciting public input on whether there are ways to mitigate any unintended adverse consequences for individuals seeking needed mental health services that may be caused by creating express regulatory permission to report relevant information to NICS. The Department will use the information it receives to determine how best to address these issues.
Table of Contents Back to Top
DATES: Back to Top
Submit comments on or before June 7, 2013.
ADDRESSES: Back to Top
Written comments may be submitted through any of the methods specified below. Please do not submit duplicate comments.
- Federal eRulemaking Portal: You may submit electronic comments at http://www.regulations.gov. Follow the instructions for submitting electronic comments. Attachments should be in Microsoft Word, WordPerfect, or Excel; however, we prefer Microsoft Word.
- Regular, Express, or Overnight Mail: You may mail written comments (one original and two copies) to the following address only: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: HIPAA Privacy Rule and NICS, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue SW., Washington, DC 20201.
- Hand Delivery or Courier: If you prefer, you may deliver (by hand or courier) your written comments (one original and two copies) to the following address only: Office for Civil Rights, Attention: HIPAA Privacy Rule and NICS, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue SW., Washington, DC 20201. (Because access to the interior of the Hubert H. Humphrey Building is not readily available to persons without federal government identification, commenters are encouraged to leave their comments in the mail drop slots located in the main lobby of the building.)
Inspection of Public Comments: All comments received before the close of the comment period will be available for public inspection, including any personally identifiable or confidential business information that is included in a comment. We will post all comments received before the close of the comment period at http://www.regulations.gov. Because comments will be made public, they should not include any sensitive personal information, such as a person's social security number; date of birth; driver's license number, state identification number or foreign country equivalent; passport number; financial account number; or credit or debit card number. Comments also should not include any sensitive health information, such as medical records or other individually identifiable health information, or any non-public corporate or trade association information, such as trade secrets or other proprietary information.
FOR FURTHER INFORMATION CONTACT: Back to Top
Andra Wicks, 202-205-2292.
SUPPLEMENTARY INFORMATION: Back to Top
I. Background Back to Top
On January 16, 2013, President Barack Obama announced 23 Executive Actions aimed at curbing gun violence across the nation. Those actions include efforts by the Federal government to improve the national background check system for the sale or transfer of firearms by licensed dealers, and a specific commitment to “[a]ddress unnecessary legal barriers, particularly relating to the Health Insurance Portability and Accountability Act, that may prevent states from making information available to the background check system.” To better understand the scope of any problems HIPAA may pose to reporting the identities of persons who are subject to the mental health prohibitor to the NICS, where a HIPAA covered entity may hold the records of the involuntary commitments or mental health adjudications, the Department developed this ANPRM to solicit input from States, other stakeholders, and the public on these issues. The public comments will inform the Department's efforts to address concerns related to HIPAA in a manner that is consistent with our approach to balancing important public safety goals and individuals' privacy interests.
The Brady Handgun Violence Prevention Act of 1993, 103, and its implementing regulations, are designed to prevent the transfer of firearms by licensed dealers to individuals who are not allowed to possess them as a result of restrictions contained in the Gun Control Act of 1968, as amended (Title 18, United States Code, Chapter 44), and those deemed otherwise unfit to possess or receive firearms. The Gun Control Act identifies several categories (known as “prohibitors”) of individuals  who are prohibited from engaging in the shipment, transport, receipt, or possession of firearms, including convicted felons and fugitives. Most relevant for the purposes of this ANPRM is the “mental health prohibitor,” which applies to individuals who have been involuntarily committed to a mental institution,  found incompetent to stand trial or not guilty by reason of insanity, or otherwise adjudicated as having a serious mental condition that results in the individuals presenting a danger to themselves or others or being unable to manage their own affairs.  The Brady Act established the National Instant Criminal Background Check System (NICS) to help enforce these prohibitions.  The NICS Index, a database administered by the Federal Bureau of Investigation (FBI), collects and maintains certain identifying information about individuals who are subject to one or more of the Federal prohibitors and thus, are ineligible to purchase firearms.  The information maintained by the NICS typically is limited to the names of ineligible individuals and certain other identifying information, such as their dates of birth, as well as codes for the submitting entity and the prohibited category that applies to the individual. Other than demographic information about the individual, only the fact that the individual is subject to the mental health prohibitor is submitted to the NICS; underlying diagnoses, treatment records, and other identifiable health information is not provided to or maintained by the NICS. A NICS background check queries the NICS Index and certain other national databases  to determine whether a prospective buyer's identifying information matches any prohibiting records contained in the databases.
The potential transfer of a firearm from a Federal Firearms Licensee (FFL) to a prospective buyer proceeds as follows: First, the prospective buyer is required to provide personal information on a Firearms Transaction Record (ATF Form 4473). Unless the prospective buyer has documentation that he or she qualifies for an exception to the NICS background check requirement under 18 U.S.C. 922(t)(3),  the FFL contacts the NICS—electronically, by telephone, or through a State level point of contact—and provides certain identifying information about the prospective buyer from ATF Form 4473.  Within about 30 seconds, the FFL receives a response that the firearm transfer may proceed or is delayed. The transfer is delayed if the prospective buyer's information matches a record contained in one of the databases reviewed. If there is a match, a NICS examiner reviews the records to determine whether it is in fact prohibiting, and then either: (1) If the record does not contain prohibiting information, advises the FFL to proceed with the transaction; (2) if the record does contain prohibiting information, denies the transaction (due to ineligibility); or (3) if it is unclear based solely on the existing information in the record whether it is prohibiting, delays the transaction pending further research.  The NICS examiner does not disclose the reason for the determination to the FFL (e.g., the FFL would not learn that the individual was ineligible due to the mental health prohibitor). In case of a delay, if the NICS examiner does not provide a final instruction to the FFL within three business days of the initial background check request, the FFL may, but is not required to, proceed with the transaction. 
Although FFLs are required in most cases to request a background check through the NICS before transferring a firearm to a prospective buyer,  Federal law does not require State agencies to report to the NICS the identities of individuals who are prohibited by Federal law from purchasing firearms, and not all states report complete information to the NICS. Therefore, the NICS Index does not include information about all individuals who are subject to one or more of the prohibited categories. 
Following the events at Virginia Tech University in 2007, and other tragedies involving the illegal use of firearms, Congress enacted the NICS Improvement Amendments Act (NIAA) of 2008, Public Law 110-180. Among other provisions, the NIAA requires Federal agencies to report to the NICS the identities of individuals known by the agencies to be subject to one or more prohibitors, and it authorizes incentives for States to provide such information when it is in their possession. In addition, some States enacted legislation requiring State agencies to report the identities of ineligible individuals to the NICS or to a State level repository responsible for submitting information to the NICS.
The HIPAA Privacy Rule and NICS Reporting
The Privacy Rule, promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Title II, Subtitle F—Administrative Simplification, Public Law 104-191, establishes federal protections to ensure the privacy and security of protected health information (PHI) and establishes an array of individual rights with respect to one's own health information. HIPAA applies to covered entities, which include health plans, health care clearinghouses, and health care providers that conduct certain standard transactions (such as billing insurance) electronically. HIPAA covered entities may only use and disclose protected health information with the individual's written authorization, or as otherwise expressly permitted or required by the HIPAA Privacy Rule. The Privacy Rule seeks to balance individuals' privacy interests with important public policy goals including public health and safety. In doing so, the Privacy Rule allows, subject to certain conditions and limitations, disclosures of protected health information without individuals' authorization for certain law enforcement purposes, to avert a serious threat to health or safety, and where required by State or other law, among other purposes.
As stated above, individuals who are subject to the mental health prohibitor are ineligible to purchase a firearm because they have been involuntarily committed to a mental institution, have been found incompetent to stand trial or not guilty by reason of insanity, or otherwise have been determined through an adjudication process to have a severe mental condition resulting in the individuals presenting a danger to themselves or others or being unable to manage their own affairs. Records of individuals adjudicated as incompetent to stand trial, or not guilty by reason of insanity, originate with entities in the criminal justice system, and these entities are not HIPAA covered entities. Likewise, involuntary civil commitments are usually made by court order, and thus, records of such orders originate with entities in the justice system. In addition, many adjudications determining that individuals pose a danger to themselves or others, or are incapable of managing their own affairs, occur through legal process in the court system.
However, because of the variety of State laws, there may be State agencies, boards, commissions, or other lawful authorities outside the court system that are involved in some involuntary commitments or mental health adjudications. At this time, we have insufficient data regarding to what extent these State agencies, boards, commissions, or other lawful authorities that order involuntary commitments or conduct mental health adjudications are also HIPAA covered entities. Moreover, we understand that some States have designated repositories to collect and report to the NICS the identities of individuals subject to the mental health prohibitor. We also do not have data to determine to what extent any of these repositories is also a HIPAA covered entity (e.g., a State health agency).
Where the record of an involuntary commitment or mental health adjudication originated with a HIPAA covered entity, or the HIPAA covered entity is the State repository for such records, the records are subject to HIPAA, but there are ways in which the Privacy Rule permits the reporting to the NICS. In particular, the Privacy Rule permits the agency to disclose the information to the NICS to the extent the State has enacted a law requiring such reporting.  Alternatively, where there is no State law requiring reporting, the Privacy Rule permits a State agency that is a HIPAA covered entity that performs both health care and non-health care functions (e.g., NICS reporting) to become a hybrid entity and thus, have the HIPAA Privacy Rule apply only to its health care functions. The State agency achieves hybrid entity status by designating its health care components as separate from other components and documenting that designation. Thus, a State agency that has designated itself a hybrid entity, in accordance with the Privacy Rule,  can report prohibitor information through its non-HIPAA covered NICS reporting unit without restriction under the Privacy Rule.
However, many States still are not reporting essential mental health prohibitor information to the NICS. Some States may face practical difficulties in passing a State law requiring NICS disclosures, and there may be administrative or other challenges to the creation of a hybrid entity. Thus, concerns have been raised that the HIPAA Privacy Rule's restrictions on covered entities' disclosures of protected health information may prevent certain States from reporting to the NICS the identities of individuals who are subject to the mental health prohibitor. Further, in July 2012, the U.S. Government Accountability Office (GAO) reported to Congress on the results of a survey of six states that it had conducted as part of a performance audit of the progress made by DOJ and the States in implementing the NIAA.  In the report, the GAO wrote that, “* * * officials from 3 of the 6 states we reviewed said that the absence of explicit state-level statutory authority to share mental health records was an impediment to making such records available to NICS.”  The report also stated that, although the number of records provided by the States to the NICS had increased by 800 percent between 2004 and 2011, this increase was largely due to efforts by only 12 states. The report raised the possibility that States that do not report to the NICS the identities of individuals who are subject to the mental health prohibitor may experience challenges to reporting related to the HIPAA Privacy Rule.
To address these concerns, the Department is considering whether to amend the Privacy Rule to expressly permit covered entities holding information about the identities of individuals who are subject to the mental health prohibitor to disclose limited mental health prohibitor information to the NICS. Such an amendment might produce clarity regarding the Privacy Rule and help make it as simple as possible for States to report the identities of such individuals to the NICS.
In crafting the elements of an express permission, we would consider limiting the information to be disclosed to the minimum data necessary for NICS purposes, such as the names of the individuals who are subject to the mental health prohibitor, demographic information such as dates of birth, and codes identifying the reporting entity and the relevant prohibitor. We would not consider permitting the disclosure of an individual's treatment record or any other clinical or diagnostic information for this purpose. In addition, we would consider permitting disclosures for NICS purposes only by those covered entities that order involuntary commitments, perform relevant mental health adjudications, or are otherwise designated as State repositories for NICS reporting purposes.
To inform our efforts to address any issues in this area, we request comments specifically on the questions below, which will help us identify the nature and scope of the problem of underreporting, determine whether our assumptions about where data are maintained are correct, determine to what extent the existing permissible disclosures are insufficient, and explore additional methods of disseminating information about whether the HIPAA Privacy Rule affects entities' ability to report to the NICS. The Department welcomes comments from all stakeholders on these issues, including HIPAA covered entities; agencies of State, territorial, and tribal governments; law enforcement officials; individuals; and consumer advocates and groups. We are particularly interested in specific examples of situations in which reporting to the NICS is hindered by HIPAA requirements, or where there may be uncertainty about how HIPAA applies to such reporting, and any other concerns about the disclosure of information for these purposes by health care entities that both perform the adjudications or involuntary commitments and provide the mental health treatment to the individuals. We ask that commenters indicate throughout their submitted comments which question(s) they are responding to.
II. Questions Back to Top
In a 2012 report on implementation of the NIAA, the GAO wrote that States had increased reporting to the NICS of the identities of individuals who are prohibited from purchasing firearms because they have been involuntarily committed to a mental institution, found incompetent to stand trial or not guilty by reason of insanity, or otherwise adjudicated as having a serious mental condition that results in the individuals posing a danger to themselves or others or being unable to manage their own affairs.  Specifically, reporting of this information grew from 126,000 records in October 2004, to approximately 1.2 million in October 2011. The GAO also indicated that just 12 states were responsible for the majority of this increase, having reported the identities of at least 10,000 individuals who are subject to the mental health prohibitor by 2011.  As of February 2013, the number of records was over 2.7 million.  Despite improvements in reporting, only a small proportion of the records of individuals who are subject to the mental health prohibitor have been reported to the NICS. We invite comment on the following questions relating to States' participation in NICS reporting and other related issues.
1. Does your State routinely report the identities of individuals who are subject to the Federal mental health prohibitor to the NICS?
2. If your State does not routinely report the identities of such individuals to the NICS, what are the primary reasons for not doing so?
a. To what extent, if any, is the HIPAA Privacy Rule perceived as a barrier to your participation? If HIPAA is seen as a barrier, please specify in what way(s) HIPAA may prevent NICS reporting or make reporting difficult. (For example, does HIPAA pose a barrier with respect to only certain types of adjudications?)
b. Are there other legal barriers (e.g., State law)?
3. If your State does routinely report the identities of such individuals to the NICS, did you have to overcome any obstacles to your reporting? How did your State overcome those obstacles?
a. If the HIPAA Privacy Rule was perceived as a barrier to your participation, what did you do to meet HIPAA requirements?
b. If State privacy laws were perceived as a barrier to your participation, what did you do to meet State requirements?
c. Please describe any statutory or regulatory changes adopted by your State. To what extent do any changes in State law address the requirements of Federal and/or State privacy laws?
We understand that some States may have designated a particular State agency or other entity to collect and maintain NICS information and report to the NICS on a regular basis. We request comments on the following related questions.
4. Has your State designated one or more agencies as State repositories for information about the identities of individuals who are subject to the mental health prohibitor? If so, please identify the agencies and specify, for each such agency, whether it is a HIPAA covered entity.
5. If HIPAA applies to the repository, how has your State addressed HIPAA requirements while fulfilling its NICS reporting function (e.g., do you have a State law that requires reporting, or has your State created a hybrid entity to isolate the reporting function from the health care component of the repository agency)?
6. If the HIPAA Privacy Rule were to be amended to expressly permit disclosures of the identities of individuals covered by the mental health prohibitor to the NICS Index, would you still face any barriers to reporting? If so, what are they?
As discussed above, in many cases, information on the identities of persons who are subject to the mental health prohibitor originates with entities outside the health care sector that are not subject to HIPAA. Still, we recognize that authority to make these determinations is a matter of State law and, therefore, the process may vary from State to State. Thus, there may be instances in which these types of adjudications are made by State agencies or private parties within the health care system. We request comments on the following matters.
7. Are there situations in your State in which a HIPAA covered entity (e.g., a physician, a hospital, or another entity in the health care system), or a component of a larger organization that is a covered entity (e.g., a State health department), has legal authority to involuntarily commit a person to a mental institution—without review or a final action being made by a court? If so, what types of involuntary commitments can be ordered by these authorities?
8. Are there situations in your State in which a HIPAA covered entity (e.g., a physician, a hospital, or another entity in the health care system), or a component of a larger organization that is a covered entity (e.g., a State health department), has legal authority to make a formal adjudication that an individual has a serious mental condition that results in a finding of danger to self or others or an inability to manage affairs—without review or a final action being made by a court? If so, what types of adjudications can be made by these authorities?
9. If HIPAA applies to the entity conducting the relevant mental health adjudications, how has your State addressed HIPAA requirements while fulfilling its NICS reporting function (e.g., do you have a State law that requires reporting, or has your State created a hybrid entity to isolate the reporting function from the health care component of the repository agency)?
10. If the HIPAA Privacy Rule were to be amended to expressly permit disclosures of the identities of individuals covered by the mental health prohibitor to the NICS, would you still face any barriers to reporting? If so, what are they?
As the Federal government works to improve reporting to the NICS to ensure comprehensive background checks for firearms purchases, HHS also must continue to fulfill its mandate to protect individuals' health information privacy rights. Therefore, we request public input on the following issues and any other relevant considerations.
11. Are there privacy protections in place, under State law or otherwise, for data collected by State entities for reporting to the NICS? Would any State public records laws apply to make this data publicly available, or prohibit the reporting to the NICS?
12. We recognize a heightened need for confidentiality because of the sensitivity of, and the stigma attached to, mental health conditions. Are there implications for the mental health community, or for the treatment/care of consumers of mental health services, in having the identities of individuals who are subject to the mental health prohibitor reported for NICS purposes by health care entities that perform both adjudication and treatment functions? If so, what are those implications?
13. Are there ways that HHS may address or mitigate any unintended adverse consequences, for individuals seeking needed mental health services, that may be caused by creating express regulatory permission to report relevant information to the NICS?
14. How can HHS better disseminate information to States on HIPAA Privacy Rule policies as they relate to NICS reporting? Are there central points of contact at the State level that are able to receive and share this information with entities that serve in an adjudicatory or repository capacity?
15. Are there any additional guidance materials and/or training from HHS on particular aspects of the Privacy Rule that would be helpful to address any confusion regarding HIPAA requirements and help improve NICS reporting?
Dated: April 16, 2013.
Director, Office for Civil Rights.
[FR Doc. 2013-09602 Filed 4-19-13; 4:15 pm]
BILLING CODE 4153-01-P
Footnotes Back to Top
2. The regulation, at 27 CFR 478.11, defines “Committed to a mental institution” as: A formal commitment of a person to a mental institution by a court, board, commission, or other lawful authority. The term includes a commitment to a mental institution involuntarily, commitment for mental defectiveness or mental illness, as well as commitments for other reasons, such as for drug use. The term does not include a person in a mental institution for observation or a voluntary admission to a mental institution.Back to Context
3. The term used in the statute, “adjudicated as a mental defective,” is defined by regulation to include: “(a) A determination by a court, board, commission, or other lawful authority that a person, as a result of marked subnormal intelligence, or mental illness, incompetency, condition, or disease: (1) is a danger to himself or to others; or (2) lacks the mental capacity to contract or manage his own affairs.” The term includes a finding of insanity in a criminal case, and a finding of incompetence to stand trial or a finding of not guilty by reason of lack of mental responsibility pursuant to the Uniform Code of Military Justice. 27 CFR 478.11.Back to Context
4. See 28 CFR 25.1 through 25.11 (establishing NICS information system specifications and processes) and 27 CFR part 478 (establishing requirements and prohibitions for commerce in firearms and ammunition, including requirements related to conducting NICS background checks).Back to Context
5. Additionally, in 2012 the NICS Index began to include the identities of persons who are prohibited from possessing or acquiring firearms by State law, which in some cases may be more restrictive than Federal law. See Statement Before the Senate Judiciary Committee, Subcommittee on Crime and Terrorism at a hearing entitled, “The Fix Gun Checks Act: Better State and Federal Compliance, Smarter Enforcement” (November 15, 2011), by David Cuthbertson, Assistant Director, Criminal Justice Information Services Division, Federal Bureau of Investigation. Testimony available at: http://www.justice.gov/ola/testimony/112-1/11-15-11-fbi-cuthbertson-testimony-re-the-fix-gun-checks-act.pdf.Back to Context
6. The other databases include the Interstate Identification Index, which contains criminal history record information; and the National Crime Information Center, which includes, e.g., information on persons subject to civil protection orders and arrest warrants. Additional information is available at, http://www.fbi.gov/about-us/cjis/nics/general-information/nics-overview.Back to Context
8. The form collects the prospective buyer's name; demographic information such as address, place and date of birth, gender, citizenship, race and ethnicity; and “yes” or “no” answers to questions about the person's criminal history and other potential prohibitors. The form is available at http://www.atf.gov/forms/download/atf-f-4473-1.pdf.Back to Context
9. For example, a “delay” response may mean that further research is required because potentially prohibitive criteria exist, but the matched records are incomplete, See Federal Bureau of Investigation (FBI) Fact Sheet at: www.fbi.gov/about-us/cjis/nice/general-information/fact-sheet.Back to Context
10. Some States have waiting periods that also must be complied with before a firearm may be transferred, regardless of whether a proceed response from NICS is received by the FFL within three business days.Back to Context
12. The same is true of the other two databases accessed during a NICS Check, the III and NCIC. State participation and reporting to those databases is also not required.Back to Context
13. See 45 CFR 164.512(a). Note that disclosures for NICS purposes would not fall under the Privacy Rule's provisions permitting disclosures for law enforcement (which apply to specific law enforcement inquiries) or to avert a serious threat to health or safety (which require an imminent threat of harm). See 45 CFR 164.512(f) and (j).Back to Context
15. See GAO-12-684, Gun Control: Sharing Promising Practices and Assessing Incentives Could Better Position Justice to Assist States in Providing Records for Background Checks.Back to Context
16. We note that the GAO Report uses the term “mental health records” to refer to identifying information on individuals who are subject to the mental health prohibitor. To avoid implying that mental health records are collected by NICS, the Department uses the terms “identities,” “information,” or “data” in place of “mental health records.” GAO-12-684, p. 12.Back to Context
17. GAO-12-684, p. 9.Back to Context
18. GAO-12-684, p. 10.Back to Context
19. FBI, Active Records in the NICS Index as of February 28, 2013, http://www.fbi.gov/about-us/cjis/nics/reports/20130205_nics-index.pdf.Back to Context