skip to main content


If You Provide Behavioral Health Services, Do the New HIPAA Reporting Rules Apply to You?

January 27, 2016

In early January, the Office for Civil Rights of the United States Department of Health and Human Services (“OCR”) issued new regulations regarding the right of certain HIPAA covered entities to disclose mental health information to the National Instant Criminal Background Check System (“NICS”).  Since these final regulations have been published, we have received many questions from our clients regarding the final rule and its application to them.  We drafted this alert to explain the new regulations and, most importantly, their very limited scope.


NICS is a national system maintained by the FBI to conduct background checks on persons who may be disqualified from receiving firearms based on prohibited categories under state or federal law.  The prohibited categories include individuals who have been involuntarily committed to a mental institution, found incompetent to stand trial or not guilty by reason of insanity, or otherwise have been determined by a court of law to be a danger to themselves or others or to lack mental capacity.

In recent years, concerns were raised that certain health care-related entities with NICS-related information were unable to disclose the information because they were located in states that do not require such disclosure by law.  OCR’s rulemaking attempts to address this concern and permit these entities to disclose relevant information to the NICS.

What the New Regulations Mean For You

In order to disclose PHI to the NICS pursuant to the new regulations, a covered entity must fit into one of the following two categories:

  • The covered entity functions as a data repository of information (e.g. registrar) relevant to the NICS on behalf of a state (note that OCR expects states to identify which covered entities in the state, if any, serve such a function); or
  • The covered entity is a board, commission, or other lawful authority that makes involuntary commitments or other adjudications that make an individual subject to the NICS. 

Such covered entities may disclose PHI directly to the NICS or to an entity designated by a state as a repository of data for purposes of reporting to the NICS. The PHI that may be disclosed is limited to what is necessary for NICS reporting purposes.

We expect that very few covered entities will be implicated by the new regulations and the regulations will have little, if any, effect on the HIPAA compliance programs of the vast majority of HIPAA covered entities.  More specifically, we think the rule will have very narrow application for two reasons: (i) entities or bodies that fall into one or more of the categories above are typically not covered entities; and (ii) most covered entities are neither data repositories for the state they operate within and or considered boards or governmental entities that make commitment decisions.

If you have any questions about this Alert or HIPAA in general, please contact Joan Feldman ( or 860.251.5104), Vincenzo Carannante ( or 860.251.5096) or Bill Roberts ( or 860.251.5051).

© Shipman & Goodwin LLP 2020. All Rights Reserved.