Idaho Medical Records Privacy Laws
Meet Your Trusted Utah IT Support Professionals Today
By and large, medical records are considered confidential and protected by a combination of federal and state laws. Such records contain very personal information that could be used for illegitimate or criminal purposes. For instance, genetic information could be used by an employer to discriminate against a job applicant with a family history of serious depression, or a therapist’s notes could be used for blackmail purposes.
Medical records are required for these reasons only to be accessible to the medical care providers (and authorized health care and health insurance administrators) who need it for legitimate purposes, in addition to the patient (and, if a minor) the patient’s parents.
Since it’s sometimes necessary to share medical records with a third party, such as an employer if filing for workers’ compensation, for example, each state has a process for authorizing the release of these records.
Idaho’s medical records privacy laws allow the release of confidential files with a subpoena (and in some civil actions if needed for discovery), to the patient, or the parent of the patient if a minor. In addition, the state may collect general information about AIDS and other infectious diseases for statistical purposes.
Additional details of Idaho’s medical records laws are listed in the following chart. See FindLaw’s Patient Rights Basics section for related articles.
Patient or agent by subpoena (§9-420); parent of a minor child whether custodial or not (§32-717A); in some civil actions records may be open to discovery (§39-1392e); government medical records exempted from open records law (§9-340C).
What Privileges Apply to Medical Records?
Physician (§9-203(4)), psychologist (§9-203(6)).
Mandatory Reporting Requirements
Child abuse cases within 24 hours (§16-1619); enumerated venereal diseases including AIDS and HIV (§39-602).
Patient Consent and Waiver
Patient or doctor or nurse responsible for entries in hospital record may request protective order to deny or limit access (§9-420).
Provisions Related to HIV/AIDS
Confidentiality of patient information maintained; use of information restricted to “public health requirements” and “those with a legitimate need to know” (§39-609)
Note: Idaho State laws are always subject to change, most often through the enactment of newly signed legislation or voter-approved ballot initiatives but sometimes through higher court decisions or other means. You should contact an Idaho health care attorney or conduct your own legal research to verify the state law(s) you are researching.
The Idaho Department of Health and Welfare is dedicated to protecting your confidential information. To give you quality care and services, they ask for and keep records containing confidential information. They follow all local, State and federal laws regarding information you share with them. According to federal law, they are required to:
To get your information, you need to fill out a specific form. These are available in .pdf format on the Idaho Dept. of Welfare Privacy and Confidentiality Practices page, or you can pick them up at your local Department office. Forms must be returned to the Department.
For more information, please contact the Health and Welfare Privacy Office — which oversees policies and procedures in Idaho covering privacy and access to health information in Department records.
The Rule applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form relating to transactions that are covered under HIPAA.
The Rule protects consumers’ “individually identifiable health information,” which includes information that identifies or can be used to identify a consumer (name, address, birth date or Social Security number), as well as demographic data about:
Generally, a covered entity may not use or disclose a consumer’s protected health information without the consumer’s written authorization. However, the entity may disclose the consumer’s information without authorization:
A covered entity must obtain a consumer’s written authorization to use or disclose protected health information for marketing purposes. However, several exceptions to this rule exist and the definition of “marketing” is limited. For a complete discussion of this topic, please visit www.hhs.gov.
The Department of Health and Human Service’s Office for Civil Rights enforces the Privacy Rule and consumers who believe a covered entity has violated the Rule can file a complaint with the office. Complaint packets, along with detailed instructions, are available at: www.hhs.gov/ocr.
The Security Rule establishes standards that dictate what technical and non-technical safeguards all HIPAA-covered entities must implement to secure consumers’ electronic protected health information (e-PHI).
A more detailed discussion of the Rule, including compliance and enforcement issues, is available at www.hhs.gov.
The Idaho.gov site has some useful information on cybersecurity best practices for businesses you may want to browse as well.
To protect e-PHI, covered entities must maintain reasonable and appropriate administrative, technical and physical safeguards that:
Covered entities must notify affected consumers of the security breach. A notice must be in writing and sent by mail or email within 60 days of the breach. The notice must provide:
The U.S. Department of Health and Human Service’s Office of Civil Rights (OCR) enforces the Security Rule. Complaint packets, along with detailed instructions, are available at: www.hhs.gov/ocr.
You also can report suspected security breaches to the Federal Trade Commission, which has independent authority over personal health record vendors and their third-party service providers under the Health Information Technology for Economic and Clinical Health (HITECH) Act. You can file a complaint with the FTC at www.ftc.gov.
If you are a covered entity or business associate and have any further questions about how to remain in compliance with the Idaho Medical Records Privacy (and HIPAA) Laws, then call the SymTec nationwide hotline at (800) 489-1706, or email us at firstname.lastname@example.org, or use our secure contact form for more info.