From EPIC.org:
In comments to the Department of Health and Human Services, EPIC underscored the importance of medical privacy, particularly concerning mental illness. In response to President Obama’s plan to reduce gun violence, the federal agency is considering allowing states to report certain mental illness information to the FBI for inclusion in National Instant Criminal Background Check System. EPIC warned that the proposal could result in incorrect determinations and may also discourage people from receiving medical care. EPIC recommended that the federal agency: (1) require that states be held accountable for disclosing excess medical information; (2) requires that states notify the FBI of incorrect or outdated mental illness record; and (3) encourage states to maintain mental health record accuracy. For more information, see EPIC: Medical Privacy and EPIC: Gun Owners’ Privacy
I share their concerns about the potential for harm, but I’m not optimistic about some of their recommendations as I don’t see most states agreeing to liability for failure to update lists. HIPAA itself does not provide for an individual cause of action, but if HIPAA is amended to permit these disclosures, should there also be an individual cause of action against states? And should everyone on the barred list for mental health reasons be informed of a right to seek review and amendment recommendation via a mental health court in addition to any audit/updating requirements imposed on states?
And what happens with patients who may be well-maintained on medications but might go off their medications? Should patients remain on the barred list “just in case” or should there be a tiered system where for some patients, the prohibitions sunset and must be reviewed sooner?
There are complicated questions here, and I give EPIC credit for trying to tackle them.