A recent rule on the National Instant Criminal Background Check System (NICS) and an article on mHealth show why it's important to stay on top of HIPAA and mental health.
In January 2016, the Department of Health and Human Services (“HHS”) published the Final Rule in the Federal Register concerning background checks and modifications to HIPAA, which expressly permit select "HIPAA covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of individuals who are subject to a Federal 'mental health prohibitor' which disqualifies them from "shipping, transporting, possessing, or receiving a firearm." (81 Fed. Reg. 382 (Jan. 6, 2016).
NICS, a national system maintained by the FBI, enables certain individuals from receiving firearms under either Federal or State law. Importantly, "[u]nder this final rule, only covered entities with lawful authority to make the adjudications or commitment decisions that make individuals subject to the Federal mental health prohibitor, or that serve as repositories of information for NICS reporting purposes, are permitted to disclose the information needed for these purposes." The prohibited individuals are defined in the Gun Control Act of 1968 and include: (1) individuals who have been involuntarily committed to a mental institution; (2) individuals found incompetent to stand trial; or (3) individuals determined by a court, board, etc. to be a danger to themselves or others, among other similar scenarios. Certain covered entities, which include types of physicians should pay close attention to the following language: “[u]nder this final rule, covered entities that order involuntary commitments or make other adjudications that subject individuals to the Federal mental health prohibitor, or that serve as repositories of the relevant data, are permitted to use or disclose the information needed for NICS reporting of such individuals either directly to the NICS or to a State repository of NICS data.” Hence, carving out an exception for prior express consent for the release of protected health information.
A related matter of privacy and security of mental health records and cognitive therapy apps was featured in a recent article. First, it is important to discern between clinical and consumer products. For example, according to Jennie Byrne, a board-certified psychiatrist who practices in Chapel Hill, N.C., “[t]here is a whole series of things that happen before a person ends up at a psychiatrist’s office. There are lots of points along the way. Direct-to-consumer apps can be helpful during these contemplation stages.” It is important for providers to appreciate that this information, which is not contained in a medical record, may come into court as evidence that is harder to keep out. Moreover, consumers and providers should make sure that the apps are secure and meet requisite NIST and FIPS standards, depending on the purpose and the content of the app. Finally, it is important to note that both HIPAA and the Federal Trade Commission’s regulations must be met.
The takeaways for physicians include:
1. Understanding whether or not your practice or an entity that you work with/for falls under the recent Final Rules related to gun control;
2. Before recommending an app, be sure to understand its applications; and
3. Have a risk assessment/risk analysis done annually.