45 CFR 160, Subpart A - General Provisions

The Department of Health and Human Services (HHS or “the Department”) is issuing this final rule to: Modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (“the HITECH Act” or “the Act”) to strengthen the privacy and security protection for individuals' health information; modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act to address public comment received on the interim final rule; modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA); and make certain other modifications to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (the HIPAA Rules) to improve their workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities.

On January 16, 2013, President Barack Obama announced a series of Executive Actions to reduce gun violence in the United States, including efforts to improve the Federal government's background check system for the sale or transfer of firearms by licensed dealers, called the National Instant Criminal Background Check System (NICS). Among those persons disqualified from possessing or receiving firearms under Federal law are individuals who have been involuntarily committed to a mental institution; found incompetent to stand trial or not guilty by reason of insanity; or otherwise have been determined, through a formal adjudication process, to have a severe mental condition that results in the individuals presenting a danger to themselves or others or being incapable of managing their own affairs (referred to below as the “mental health prohibitor”). Concerns have been raised that, in certain states, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule may be a barrier to States' reporting the identities of individuals subject to the mental health prohibitor to the NICS. The Department of Health and Human Services (HHS or “the Department”), which administers the HIPAA regulations, is issuing this Advance Notice of Proposed Rulemaking (ANPRM) to solicit public comments on such barriers to reporting and ways in which these barriers can be addressed. In particular, we are considering creating an express permission in the HIPAA rules for reporting the relevant information to the NICS by those HIPAA covered entities responsible for involuntary commitments or the formal adjudications that would subject individuals to the mental health prohibitor, or that are otherwise designated by the States to report to the NICS. In addition, we are soliciting comments on the best methods to disseminate information on relevant HIPAA policies to State level entities that originate or maintain information that may be reported to NICS. Finally, we are soliciting public input on whether there are ways to mitigate any unintended adverse consequences for individuals seeking needed mental health services that may be caused by creating express regulatory permission to report relevant information to NICS. The Department will use the information it receives to determine how best to address these issues.