Idaho Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Idaho.
Idaho's healthcare compliance posture is stricter than most rural-Mountain-West neighbors despite its small-state profile. Idaho Code Title 28, Chapter 51 (the Idaho Identity Theft Act) requires breach notification "in the most expedient time possible and without unreasonable delay, no later than 30 calendar days after discovery" — materially stricter than HIPAA's 60-day federal ceiling and one of the tightest deadlines among rural-state regimes. Penalties reach $25,000 per violation. Records retention under IDAPA 16.03.14 requires 10 years for hospitals; physician records follow the HIPAA 6-year minimum. The Idaho Board of Pharmacy Prescription Monitoring Program (idaho.pmpaware.net) must be queried on every controlled-substance prescription. Mandatory child-abuse reporting under Idaho Code § 16-1605 runs on a 24-hour clock to the Department of Health and Welfare or local law enforcement, with good-faith immunity under Idaho Code § 16-1606. Practices serving the Boise metro area and northern Idaho's remote panhandle face the same compliance baseline despite very different practical contexts.
Breach Notification Rules
Notification deadline
Most expedient time possible
Notification must be made in the most expedient time possible and without unreasonable delay, no later than 30 calendar days after discovery.
AG notification threshold
All breaches
Notify: AG
Harm analysis required
Penalty range
Up to $25,000 per violation
Enforcement Posture
The Idaho Attorney General's Consumer Protection Division handles breach-notification cases under Idaho Code Title 28, Chapter 51. Historically Idaho has taken a reactive enforcement posture, opening investigations primarily after large multi-state breaches surface in HHS OCR filings or after consumer complaints. The Idaho Board of Medicine and Idaho Department of Health and Welfare separately license providers and facilities and can impose licensing discipline for systemic compliance failures. Idaho's 30-day breach notification clock provides the AG meaningful leverage when investigating timeline failures, particularly because the 30-day deadline runs from discovery rather than the slower "determination" trigger some states use. Practices should expect AG inquiries focused on the reasonableness of discovery-to-notification intervals and pre-breach security adequacy.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 10 years | Last treatment |
Controlled-Substance Prescription Monitoring (Idaho Board of Pharmacy PMP)
The Idaho Board of Pharmacy Prescription Monitoring Program (idaho.pmpaware.net) requires queries on every controlled-substance prescription. Delegation to licensed staff under a documented standing order is permitted. Exemptions cover hospice, ER ≤3-day supplies, inpatient hospital or nursing facility administration, and cancer treatment. Misdemeanor charges for willful noncompliance plus civil penalties up to $1,000 form the enforcement backstop, with licensing-board discipline as the primary practical consequence.
Check required
Every prescription
Check frequency
Every prescription
Delegation allowed
Penalty range
Licensing board discipline; misdemeanor for willful noncompliance; fines up to $1,000
Exemptions
Hospice patients, ≤3 day supply in ER, inpatient hospital or nursing facility, cancer treatment
How Idaho Rules Hit by Specialty
Pediatrics
Idaho has no codified pediatric retention extension — the 10-year hospital baseline and HIPAA 6-year physician floor apply. Pediatric standard of care argues for retention until age of majority (18) plus the longer retention period (effectively age 28 from a chart opened at birth). Codify this internal policy explicitly.
Behavioral health
Mental-health records follow the same retention baselines. Mandated reporting under Idaho Code § 16-1605 runs on a 24-hour clock for child abuse with civil and criminal immunity under § 16-1606. Idaho also has a duty-to-warn framework for therapists when patients pose imminent risk of serious bodily harm.
Telehealth providers
Out-of-state telehealth providers serving Idaho residents fall under Idaho Code Title 28, Chapter 51 for breaches affecting Idaho residents and must register with the Idaho Board of Pharmacy PMP before issuing any controlled-substance prescription. The Idaho Board of Medicine requires Idaho licensure or interstate compact licensure (IMLC).
Pharmacy/compounding
Idaho pharmacies and compounders face Idaho Board of Pharmacy PMP dispensing-report obligations. Civil penalties up to $1,000 per violation and possible misdemeanor charges for willful noncompliance form the enforcement framework, alongside licensing-board discipline.
Mandatory Reporting Obligations
Mandated reporters
Physicians, nurses, dentists, psychologists, social workers, and all healthcare professionals
Report to
Department of Health and Welfare, Child Protection or local law enforcement
Timeline
Within 24 hours
Penalty for failure
Misdemeanor, up to 6 months jail and/or $1,000 fine
Immunity provision
Good faith reporters immune from civil and criminal liability under Idaho Code 16-1606
Mandated reporters
Physicians, nurses, and all healthcare professionals
Report to
Adult Protection Unit, Idaho Commission on Aging
Timeline
Within 24 hours
Penalty for failure
Misdemeanor, up to $1,000 fine
Immunity provision
Good faith reporters immune from civil and criminal liability
Mandated reporters
Healthcare providers treating injuries from suspected criminal activity
Report to
Local law enforcement
Timeline
Immediately / as soon as possible
Immunity provision
Good faith reporters immune from civil liability
Mandated reporters
Physicians, laboratories, and healthcare facility administrators
Report to
Idaho Department of Health and Welfare, Division of Public Health
Timeline
Within 24 hours
Penalty for failure
Misdemeanor, up to $1,000 fine
Immunity provision
Good faith reporters immune from civil liability
Mandated reporters
All healthcare providers treating gunshot wounds
Report to
Local law enforcement
Timeline
Immediately / as soon as possible
Penalty for failure
Misdemeanor
Immunity provision
Good faith reporters immune from civil and criminal liability
Idaho Compliance FAQs
Idaho Code Title 28, Chapter 51 requires notification 'in the most expedient time possible' and no later than 30 calendar days after discovery. This is materially stricter than HIPAA's 60-day federal ceiling. The Idaho AG must also be notified, with no specific resident threshold.
IDAPA 16.03.14 requires hospitals to retain medical records for 10 years from discharge or last treatment. Physician records follow the HIPAA 6-year minimum unless the practice is hospital-owned, in which case the 10-year hospital rule applies.
Yes. Idaho Board of Pharmacy PMP permits licensed staff (RNs, LPNs, MAs under a documented standing order) to perform queries. The prescriber must review and document the result before issuing the prescription. Penalties for willful noncompliance can include misdemeanor charges in addition to licensing-board action.
Yes. Idaho Code § 16-1605 requires reports within 24 hours of suspicion to the Idaho Department of Health and Welfare or local law enforcement. Good-faith reporters receive civil and criminal immunity under § 16-1606. Failure to report is a misdemeanor carrying up to 6 months jail and/or $1,000 fine.
Up to $25,000 per violation under Idaho Code Title 28, Chapter 51 — a notably high cap for a small-state regime. Licensing-board discipline can be imposed independently by the Idaho Board of Medicine, Board of Nursing, or Board of Pharmacy based on the role of the provider involved.
Neighboring State Compliance Guides
Stay audit-ready in Idaho
GuardWell tracks Idaho-specific breach deadlines, retention periods, Idaho Board of Pharmacy PMP PDMP queries, and mandatory reporting obligations automatically.