Mental Health and Substance Abuse PHI Reporting under HIPAA: HIPAA & HITECH Act Blog by Jonathan P. Tomes with guest commentator Alice M. McCart, J.D.

JonTomesTrying to figure out what HIPAA and the HITECH Act require in the way of disclosing protected health information (“PHI”) under various circumstances in general is difficult, to say the least. When you are trying to figure out what HIPAA and HITECH, various state and other federal laws and regulations, and professional credentialing organizations require you to report or not to report regarding a threat in a mental and behavioral health or substance abuse situation, difficult rapidly escalates into seemingly impossible. Part of the problem is finding the time and knowing where to look to find the particular rules that apply before reporting a threat becomes too late, and the mere threat becomes a fact.

Recent shootings, such as the one at Marjory Stoneman Douglas High in Parkland, Florida, have reignited the debate on the prevalence of mental health in public mass shootings and what to do about it. See Grant Duwe and Michael Rocque, “Actually there is a clear link between mass shootings and mental illness,” LA Times, Feb. 23, 2018, at, citing Eric Silver, Understanding the Relationship Between Mental Disorder and Violence: The Need for a Criminological Perspective, Law and Human Behavior, Vol. 30, Issue 6, 685-706 (Dec. 2006), at, in which two criminologists debunk the theory that mass shooters are not disproportionately mentally ill: “At the broadest level, peer-reviewed research has shown that individuals with major mental disorders (those that substantially interfere with life activities) are more likely to commit violent acts, especially if they abuse drugs. When we focus more narrowly on mass public shootings—an extreme and, fortunately, rare form of violence—we see a relatively high rate of mental illness.”

We―that is, Jon Tomes and I―invite you to consider having a process/procedure/policy in place so that you and your workforce know where to look for the answer as to what to do and how to do it in such situations. Jon has drafted for you a Sample Policy on Disclosure to Prevent a Serious and Imminent Threat to an Individual or the Public. This sample policy is available for you in an editable Word document with the file name Disclosure to Prevent Harm Policy on the Premium Member section of our website at If you need to draft or update your HIPAA policies and would like guidance as to how to do so, consider using a book by Jonathan P. Tomes, The Complete Guide to HIPAA Policies and Procedures, with accompanying CD of dozens of sample policies and procedures, also available for purchase on our website. Jon gives you everything that you need to know about the requirements regarding HIPAA policies and procedures in this book. I contributed a chapter on how to write policies and procedures in general, including essential parts, such as introduction, assumptions, definitions if the policy so warrants, policy/procedure, enforcement, and signature(s). Remember to base your policies/procedures on an updated risk analysis under HIPAA and to train your workforce on your policies/procedures. A really thorough appendix in the book includes a matrix of required, addressable, and other policies/procedures to help you figure out where you are, where you need to be, and how to get there.

For those of you who have been reading Jon’s blog for a while, please accept our apology for not having posted for a time. Jon has been moving our office without my help because I have been in a nursing home trying to recover from stupidities, specifically peripheral artery disease resulting in amputations, that I had caused when I was smoking before I quit cold tofu 32 years ago. We appreciate your reading Jon’s blog. Jon has more to write for you soon. Please stay tuned.

seo by: k.c. seo