(Boise) – Attorney General Lawrence Wasden has released the following statement regarding enforcement of HIPAA privacy and security and breach notification rules during Idaho’s current emergency declaration:
“The Idaho attorney general, pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act, has authority to enforce the HIPAA Privacy, Security and Breach Notification Rules (the HIPAA Rules) to protect the privacy and security of Idahoans’ protected health information. The U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency, last amended March 30, 2020 (the OCR Notification) stating OCR will exercise enforcement discretion against covered health providers in connection with their good faith provision of telehealth services during the COVID-19 nationwide public health emergency.
“Effective immediately and continuing through the proclamation issued by Idaho Governor Brad Little on March 13, 2020 declaring a state of emergency, as amended (and any subsequent proclamations), the attorney general will exercise his enforcement discretion and will not impose or seek penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers acting as outlined in the OCR Notification in connection with their good faith provision of telehealth during the COVID-19 public health emergency. Health care providers must continue to comply with all other laws or rules that govern the provision of telehealth services, and the enforcement discretion set forth in this statement only applies to the HIPAA matters discussed in the OCR Notification.
“Health care providers who have questions about this notice may call the Office of the Attorney General’s Consumer Protection Division at 208-334-2424.”