New HIPAA Rule Allows Mental Health Reporting to Federal Firearm Background Check System

By Matthew J. Effken

The Department of Health and Human Services is relaxing Privacy Rule provisions of the Health Insurance Portability and Accountability Act (HIPAA) to allow some covered entities to notify the National Instant Criminal Background Check System (NICS) about individuals who are prohibited from having a firearm for mental health reasons.  The NICS is a national database maintained by the FBI and used to conduct background checks for gun purchases.  Under the new rule, the only information that can be reported is the minimum necessary to identify persons who have been involuntarily committed to a mental institution or otherwise have been determined by a lawful authority to be a danger to themselves or others or to lack the mental capacity to manage their own affairs.

The new rule applies only to those HIPAA covered entities that have lawful authority to make mental health determinations disqualifying an individual from having a firearm, or that are designated NICS reporting entities under state law.  The only information that can be reported is limited identifying information, not diagnostic or clinical information.  The new rule does not apply to most treating providers.  The rule will primarily affect state agencies, boards and commissions outside the court system in states that do not already require that such information be provided to the NICS.

The new rule is effective February 5, 2016.  The text of the rule is available at

© 2015 Vandenack Williams LLC
For more information, Contact Us

$750,000 HIPAA Settlement Highlights the Importance of Risk Assessments under HIPAA

By Matthew J. Effken

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the University of Washington Medicine (UW Medicine) recently announced an agreement to settle an OCR investigation into a self-reported HIPAA breach involving UW Medicine patient records.  The breach occurred when a UW Medicine staff member opened an e-mail attachment that contained malicious code, potentially allowing outsiders to gain access to confidential patient information.  The information compromised included treatment and demographic information, such as addresses, dates of birth and Social Security numbers, for over 90,000 UW Medicine patients.

The settlement agreement states that UW Medicine had adopted HIPAA security policies and procedures, but had not assured that its affiliated entities had implemented such procedures.  UW Medicine also failed to conduct comprehensive risk assessments to identify and respond to potential security vulnerabilities.  The result was a $750,000 monetary penalty, plus a Resolution Agreement that requires at least two years of enhanced reporting to OCR.  UW Medicine also agreed to a reorganization of its compliance program.  Failure to comply with the Resolution Agreement may result in the imposition of additional monetary penalties.

OCR Director Jocelyn Samuels commented: “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.  All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise.”

The Resolution Agreement is available on the OCR website at:


Who Owns Medical Records in the Digital Age?

Determining who owns medical records in the age of electronic health records remains somewhat ambiguous. Recent events at the University of Rochester Medical Center highlight the confusion: the health provider reached a settlement over a violation involving protected health information after a nurse practitioner took patient information to a new practice. The relevant question, then, is who owns the information: the provider, the physician, the electronic health record provider, or the patient?

Many patients assume the Health Insurance Portability and Accountability Act (HIPAA) grants ownership of health information to the patient, but the law, in fact, does not specify. The issue is largely left to state legislatures to determine, but the majority of states have not addressed it. According to a recent survey by the George Washington University’s Hirsh Health Law and Policy Program and the Robert Wood Johnson Foundation, only New Hampshire grants ownership of medical records to the patient, while in 20 other states the healthcare provider owns them.

In the age of electronic health records, patient data is quickly shareable between physicians, patients, and other individuals. This poses new legal challenges for healthcare providers and physicians, especially as the laws and regulations on protected health information continue to evolve and state attorneys general start to enforce the privacy laws under the Health Information Technology for Economic and Clinical Health Act. This means that physicians and healthcare providers of all types should ensure that their internal policies on health records fully comply with the evolving legal landscape.

© 2015 Houghton Vandenack Williams