Understanding Idaho Medical Records Privacy Laws and How to Stay in Compliance with Them
By and large, medical records are considered confidential and protected by a combination of federal and state laws. Such records contain very personal information that could be used for illegitimate or criminal purposes. For instance, genetic information could be used by an employer to discriminate against a job applicant with a family history of serious depression, or a therapist’s notes could be used for blackmail purposes.
For these reasons, medical records are required to be accessible only to the medical care providers (and authorized health care and health insurance administrators) who need them for legitimate purposes, in addition to the patient (and, if the patient is a minor, the patient’s parents).
Since it’s sometimes necessary to share medical records with a third party, such as an employer when filing for workers’ compensation, each state has a process for authorizing the release of these records.
An Overview of Medical Records and Privacy in Idaho
Idaho’s medical records privacy laws allow the release of confidential files with a subpoena (and in some civil actions if needed for discovery), to the patient, or the parent of the patient if a minor. In addition, the state may collect general information about AIDS and other infectious diseases for statistical purposes.
Additional details of Idaho’s medical records laws are listed in the following chart. See FindLaw’s Patient Rights Basics section for related articles.
Who Has Access to Patient Records?
Patient or agent by subpoena (§9-420); parent of a minor child whether custodial or not (§32-717A); in some civil actions records may be open to discovery (§39-1392e); government medical records exempted from open records law (§9-340C).
What Privileges Apply to Medical Records?
Physician (§9-203(4)), psychologist (§9-203(6)).
Mandatory Reporting Requirements
Child abuse cases within 24 hours (§16-1619); enumerated venereal diseases including AIDS and HIV (§39-602).
Patient Consent and Waiver
Patient or doctor or nurse responsible for entries in hospital record may request protective order to deny or limit access (§9-420).
Provisions Related to HIV/AIDS
Confidentiality of patient information maintained; use of information restricted to “public health requirements” and “those with a legitimate need to know” (§39-609)
Note: Idaho State laws are always subject to change, most often through the enactment of newly signed legislation or voter-approved ballot initiatives but sometimes through higher court decisions or other means. You should contact an Idaho health care attorney or conduct your own legal research to verify the state law(s) you are researching.
Getting Your Information from The Department
The Idaho Department of Health and Welfare is dedicated to protecting your confidential information. To give you quality care and services, they ask for and keep records containing confidential information. They follow all local, State and federal laws regarding information you share with them. According to federal law, they are required to:
- Use and disclose confidential information as required by law;
- Maintain the privacy of your information;
- Give you a notice of their legal duties and privacy practices for your information; and
- Follow the terms of the Notice of Privacy Practices that are in effect.
Your Rights Regarding Your Confidential Information
- Review and copy your health information;
- Ask the Department to make changes to your health information;
- Ask the Department not to share your health information;
- Have your health information delivered to you at a different mailing address; and
- Ask for a report of who received your health information and what it said.
To get your information, you need to fill out a specific form. These are available in .pdf format on the Idaho Dept. of Welfare Privacy and Confidentiality Practices page, or you can pick them up at your local Department office. Forms must be returned to the Department.
For more information, please contact the Health and Welfare Privacy Office — which oversees policies and procedures in Idaho covering privacy and access to health information in Department records.
Who Must Comply with the Privacy Rule?
The Rule applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form relating to transactions that are covered under HIPAA.
What Medical Information is Protected?
The Rule protects consumers’ “individually identifiable health information,” which includes information that identifies or can be used to identify a consumer (name, address, birth date or Social Security number), as well as demographic data about:
- The consumer’s past, present or future physical or mental health;
- Health care the consumer has received; or
- Past, present or future payments the consumer made or makes for such health care.
Generally, a covered entity may not use or disclose a consumer’s protected health information without the consumer’s written authorization. However, the entity may disclose the consumer’s information without authorization:
- To the consumer, unless the consumer’s authorization is required for access or for the accounting of disclosures;
- For treatment, payment or health care operations;
- When the consumer has an opportunity to agree or object to the disclosure;
- When the disclosure is incident to an otherwise permitted use or disclosure;
- When the disclosure or use involves the public interest or is otherwise required by law; and
- In limited data sets involving research, public health or health care operations.
A covered entity must obtain a consumer’s written authorization to use or disclose protected health information for marketing purposes. However, several exceptions to this rule exist and the definition of “marketing” is limited. For a complete discussion of this topic, please visit www.hhs.gov.
Who Enforces the Rule?
The Department of Health and Human Services’ Office for Civil Rights enforces the Privacy Rule, and consumers who believe a covered entity has violated the Rule can file a complaint with the office. Complaint packets, along with detailed instructions, are available at: www.hhs.gov/ocr.
The Security Rule
The Security Rule establishes standards that dictate what technical and non-technical safeguards all HIPAA-covered entities must implement to secure consumers’ electronic protected health information (e-PHI).
A more detailed discussion of the Rule, including compliance and enforcement issues, is available at www.hhs.gov.
The Idaho.gov site also has useful information on cybersecurity best practices for businesses that you may want to browse.
What Standards Does the Rule Require?
To protect e-PHI, covered entities must maintain reasonable and appropriate administrative, technical and physical safeguards that:
- Ensure the confidentiality, integrity, and availability of e-PHI;
- Protect against reasonably anticipated threats to the security of e-PHI;
- Protect against reasonably anticipated or impermissible uses or disclosures of e-PHI; and
- Ensure employee compliance.
What Must a Covered Entity Do If My Information Is Released?
Covered entities must notify affected consumers of the security breach. A notice must be in writing and sent by mail or email within 60 days of the breach. The notice must provide:
- A description of what occurred, if known, and a description of the investigation into the breach;
- What information was released;
- How the consumer can prevent additional harm, such as identity theft; and
- Contact information for the covered entity.
Where Can I File a Complaint If I Suspect a Security Breach?
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) enforces the Security Rule. Complaint packets, along with detailed instructions, are available at: www.hhs.gov/ocr.
You also can report suspected security breaches to the Federal Trade Commission, which has independent authority over personal health record vendors and their third-party service providers under the Health Information Technology for Economic and Clinical Health (HITECH) Act. You can file a complaint with the FTC at www.ftc.gov.
Stay Compliant with Idaho Law – Get the Right Cyber Security Solutions Today
If you are a covered entity or business associate and have any further questions about how to remain in compliance with the Idaho Medical Records Privacy (and HIPAA) Laws, then call the SymTec nationwide hotline at (800) 489-1706, or email us at firstname.lastname@example.org, or use our secure contact form for more info.