Colorado shootings and HIPAA

By: Albert Lin

As part of a reaction to the mass shootings in Aurora, Colorado and particularly Sandy Hook Elementary School, there has been strong push in recent weeks for stronger and stricter gun control laws to hopefully reduce the risk of future mass shootings. Much attention during debate over the proposed gun control legislation has rightfully been focused on their relation to the Second Amendment’s right to bear arms. One of the proposed alterations to the existing framework of gun control laws involves improving the background check system nationwide and enforcing a prohibition on selling guns to individuals found to be a danger to themselves, otherwise known as “mental health prohibitors.” One unintended potential consequence of the proposed reforms may clash with the current provisions of the Health Insurance Portability and Accountability Act (HIPAA), as well as other laws related to the privacy of personal health information (PHI).

 

HIPAA forbids “covered entities” such as medical clinics, hospitals, physician offices, and other health care organizations, from disclosing the identities of health care information of persons whose medical records they store. Additionally, numerous states have specific statutes providing civil and criminal protection against the disclosure of medical information. Some statutes restrict disclosure of medical data by certain entities, while others restrict the disclosure of particular types of medical data, including mental health information. While it is unclear what the exact mechanism of the proposed background checks is, it is clear that they will undoubtedly be in conflict with the relatively strict nondisclosure requirements under HIPAA.

 

Towards the end of April, the Department of Health and Human Services began soliciting public comments on improving the background check system and for potentially amending the privacy rule to allow covered entities to disclose the identities of those deemed dangerous. The DHHS has cautioned that they would not allow the disclosure of an individual’s treatment record or any related clinical or diagnostic information. In the issued statement, the DHHS also stated they would limit the information disclosed to only the demographic information (such as date of birth), and codes identifying the reporting entity and the relevant prohibitor. Depending on the relevant state laws, however, it is possible that Congress may have to amend HIPAA entirely to allow these increased background checks to move forward. As such, the clash of this prospective expansion to the background check system with HIPAA’s privacy rule must be resolved before the expansion of background checks may be implemented.

 

http://www.courthousenews.com/2013/04/26/57104.htm

http://www.allgov.com/news/controversies/would-gun-background-checks-clash-with-health-privacy-laws-130429?news=849885

http://www.gpo.gov/fdsys/pkg/FR-2013-04-23/html/2013-09602.htm