🔒 Notice of Privacy Practices

Red Oak Counseling • Effective Date: TBD — set before publication

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

We are committed to protecting the privacy and security of your health information. This Notice explains your rights and our legal duties and privacy practices with respect to your Protected Health Information (PHI) in compliance with federal law.
HIPAA Compliant • HITECH Compliant • 42 CFR Part 2 Compliant • ESIGN Act Compliant • 256-bit Encrypted

Laws That Protect Your Health Information

HIPAA Privacy Rule (45 CFR Parts 160 & 164)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established the national standard for protecting your Protected Health Information (PHI). PHI includes any information that identifies you and relates to your past, present, or future physical or mental health condition, health care services received, or payment for those services. Under HIPAA we are required to:

  • Keep your health information private and secure
  • Give you this Notice of our privacy practices
  • Follow the privacy practices described in this Notice
  • Notify you if your unsecured PHI is breached
  • Use or disclose the minimum necessary information to accomplish the intended purpose

HITECH Act (Health Information Technology for Economic and Clinical Health Act, 2009)

The HITECH Act strengthened HIPAA's privacy and security protections in the digital age. Key enhancements that protect you include:

  • Stronger breach notification: We must notify you promptly (within 60 days) if your electronic health information is compromised
  • Business associate accountability: All vendors and partners who handle your information are directly bound by HIPAA security requirements
  • Stricter penalties: Civil and criminal penalties for violations have been significantly increased, providing a stronger deterrent
  • Electronic access rights: You have the right to receive an electronic copy of your health records when they are maintained electronically
  • Accounting of disclosures: We must track disclosures of your electronic health information used for treatment, payment, and operations

ESIGN Act & Electronic Signatures (15 U.S.C. § 7001)

The Electronic Signatures in Global and National Commerce (ESIGN) Act gives electronic signatures the same legal standing as handwritten signatures. When you sign documents through our secure portal:

  • Your signature is captured as a tamper-evident digital record
  • A cryptographic hash (SHA-256) is created at the moment of signing to detect any future alteration
  • The exact date, time, and IP address of your signature are recorded in a permanent audit log
  • You may request a copy of any document you sign at any time

42 CFR Part 2 — Substance Use Disorder Record Confidentiality

Federal regulations at 42 CFR Part 2 provide additional protections beyond HIPAA that apply specifically to records relating to substance use disorder (SUD) assessment, diagnosis, treatment, or referral for treatment maintained by a federally assisted program. If any of your care with us involves SUD services, those records are subject to these heightened protections:

  • Stricter consent requirements: SUD treatment records may not be disclosed without a written consent that specifically names the recipient, the purpose of disclosure, how much information may be shared, and your right to revoke consent at any time — even where a general HIPAA authorization might otherwise suffice
  • Re-disclosure prohibition: Anyone who receives your SUD records from us is prohibited from re-disclosing those records without your additional written consent or another lawful basis
  • Criminal proceedings bar: Records protected under 42 CFR Part 2 may not be used to initiate or substantiate criminal charges against you, or used in any criminal investigation of you
  • Permitted disclosures without consent: Medical emergencies, bona fide research and audit activities conducted under written data use agreements, child abuse and neglect reporting, and valid court orders that meet Part 2's specific requirements
  • 2024 alignment updates: Amendments effective 2024 allow SUD records to be shared for treatment, payment, and certain healthcare operations under a single general consent that includes the required re-disclosure prohibition — bringing Part 2 closer to HIPAA while preserving its stronger patient protections

If you have questions about which of your records are covered under 42 CFR Part 2, please ask your care coordinator or contact our Privacy Officer.

Idaho Behavioral Health Confidentiality Law (Idaho Code Title 66 & IDHW Regulations)

Idaho law provides confidentiality protections for mental health and substance use disorder records that run parallel to — and in some cases are stronger than — federal HIPAA requirements:

  • Mental health records (Idaho Code Title 66): Records of persons receiving behavioral health services are confidential under Idaho law. Disclosure generally requires written authorization, a court order, or a specific statutory exception. Idaho law governs even where federal law might allow a broader disclosure.
  • SUD treatment records: Records of persons receiving substance use disorder treatment are protected under applicable Idaho Department of Health and Welfare (IDHW) regulations and may require consent separate from a general medical records release.
  • Minimum necessary standard: Idaho law reinforces the federal minimum-necessary principle — we share only what is required for the specific purpose, not your entire treatment record.
  • Interaction with HIPAA: Where Idaho law is more protective than HIPAA, Idaho law controls. We follow whichever standard provides you the greater protection.

How We Protect Your Information

Technical Safeguards

All data is transmitted over TLS-encrypted (HTTPS) connections. Documents are stored on secured servers. Access is controlled by unique credentials and role-based permissions.

Administrative Safeguards

Staff receive HIPAA training and are granted only the minimum access necessary to do their jobs. Multi-factor authentication is required for all administrative accounts.

Audit & Integrity Controls

Every action taken on your documents is logged with a timestamp, user ID, and IP address. Logs are retained for at least 6 years and cannot be altered or deleted.

Tamper-Evidence on Signed Documents

When you submit a signed document, our system computes a unique SHA-256 fingerprint of the document content at that exact moment. Any future change to the document, even a single character, produces a different fingerprint that no longer matches the one recorded at signing and triggers an immediate alert. This means the document you signed is the document on record.

What Signing Links Look Like

Every signing link sent to you contains a unique, one-time-use 64-character token. These links are valid only for the period stated in your invitation, after which they automatically expire. Links cannot be guessed or reused.

How We May Use and Disclose Your Information

We use and disclose your health information for the following permitted purposes. We always use the minimum necessary information required:

We will not sell your health information to third parties, use it for marketing without your explicit consent, or disclose it in any way not permitted by HIPAA.

Mandatory Reporting Requirements

Our confidentiality obligations are strong, but Idaho and federal law require or permit us to disclose certain information without your consent in the following circumstances. These disclosures are documented in your record:

Child Abuse and Neglect — Idaho Code § 16-1619

All Red Oak Counseling staff are mandated reporters under Idaho law. If a staff member has reasonable cause to believe that a child has suffered abuse or neglect, they are required by law to report immediately to the Idaho Department of Health and Welfare (IDHW) Child Protection or to local law enforcement. This obligation cannot be waived by client request or therapeutic relationship. The report is made to protect the child; we will make reasonable efforts to inform you that a report is being made unless doing so would endanger the child.

Vulnerable Adult Abuse — Idaho Adult Protection Act

Idaho law requires us to report suspected abuse, neglect, abandonment, or exploitation of a vulnerable adult (generally persons 60 or older, or adults with disabilities) to IDHW Adult Protection Services or to law enforcement. As with child abuse reporting, this duty exists regardless of client consent.

Duty to Warn and Protect

When a client communicates a serious and imminent threat to harm an identifiable third party, Idaho law and HIPAA (45 CFR §164.512(j)) permit us to take reasonable steps to protect that person. Those steps may include warning the intended victim, notifying law enforcement, or both. We will exercise this authority only when the threat is credible, specific, and imminent, and we will document our actions and rationale. See also the Safety Planning and Crisis section below.

Public Health Reporting — Idaho Code Title 39

Certain communicable diseases, injuries, and health conditions are subject to mandatory reporting to the Idaho Division of Public Health. When we are required to report, we disclose only the minimum information necessary to satisfy the reporting obligation.

Court Orders and Legal Process

We may be required to disclose health information pursuant to a valid court order. For records covered by 42 CFR Part 2, a court order must meet the specific requirements of that regulation (including a separate Part 2 court order) before SUD records can be released — a general subpoena or HIPAA-qualified order is not sufficient for those records.

Services Involving Minors

Idaho law requires parental or guardian involvement in a minor's behavioral health services. Parents and legal guardians generally have the right to access their minor child's health records and participate in treatment decisions. The following rules apply:

Parental Involvement in Mental Health Services

Under current Idaho law, a parent or legal guardian must be involved in a minor's mental health treatment. Minors may not independently consent to mental health services without parental participation. Accordingly:

  • A parent or legal guardian must provide consent for a minor to receive mental health services through Red Oak Counseling
  • Parents and guardians have the right to access their minor child's mental health records
  • Treatment planning and care decisions for minors will include parental or guardian participation

Substance Use Disorder Services — 42 CFR Part 2 & Idaho Law

Federal regulations (42 CFR Part 2) provide specific confidentiality protections for substance use disorder treatment records that may limit parental access in certain circumstances even for minors. Where federal law establishes a stricter protection than Idaho law, federal law controls. Records of a minor's SUD services are subject to 42 CFR Part 2 and applicable IDHW regulations:

  • The re-disclosure and criminal proceedings prohibitions of 42 CFR Part 2 apply with full force to minor records
  • Questions about parental access to a minor's SUD records should be directed to our Privacy Officer

⚠ Required Parental Notification — Effective July 1, 2026

Effective July 1, 2026, Idaho law requires Red Oak Counseling to notify a minor client's parent or legal guardian within 72 hours if a staff member observes or becomes aware of signs that a minor may be experiencing gender dysphoria or identifying as transgender. This is a mandatory reporting obligation under Idaho law; it is not discretionary and cannot be waived by the minor client or by clinical staff.

We recognize this requirement may be sensitive. If you have questions about how this obligation applies to your or your child's care, please contact our Privacy Officer directly before services begin.

Transition to Adult Privacy Rights

When a minor client approaches the age of majority (18 in Idaho), Red Oak Counseling will discuss with the young person and their family how privacy rights and treatment consent will transition to the client to exercise independently.

Your Rights Under HIPAA

You have the following rights regarding your health information. To exercise any of these rights, contact our Privacy Officer using the information at the bottom of this page.

📄 Right to Access Your Records

You may request to inspect or receive a copy of your health information, including an electronic copy. We will respond within 30 days.

✏ Right to Amend

If you believe your health information is incorrect or incomplete, you may request an amendment. We may deny the request but must explain why in writing.

📋 Right to an Accounting of Disclosures

You may request a list of instances where we have disclosed your health information for purposes other than treatment, payment, or operations.

🚫 Right to Request Restrictions

You may request that we limit how we use or share your information. We are not always required to agree, but we will consider all reasonable requests.

✉ Right to Confidential Communications

You may request that we contact you in a specific way or at a specific location (e.g., home rather than work) if standard communication could endanger you.

🗃 Right to a Paper Copy of This Notice

You may request a printed copy of this Notice at any time, even if you previously agreed to receive it electronically.

About the Documents You Are Signing

The documents presented to you through our secure signing portal are legally binding electronic agreements under the ESIGN Act. Before signing, please read each document carefully. You have the right to:

By submitting your signature, you confirm that you have read and understood the document, that you are signing voluntarily, and that you agree your electronic signature carries the same legal weight as a handwritten signature.

Breach Notification

In the unlikely event of a breach of your unsecured Protected Health Information, we are required by the HITECH Act and HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) to notify you without unreasonable delay and within 60 calendar days of discovery. The notification will include:

Legal Name Changes

If you legally change your name, Red Oak Counseling has specific obligations to update your records. Please notify your care coordinator as soon as a legal name change occurs. Upon receiving notice of a legal name change, we will:

You have the right to have your records reflect your current legal name. If there are any delays or concerns in updating your records, please contact our Privacy Officer directly.

Note: Specific regulatory requirements governing name change record-keeping procedures may be updated. We will communicate any procedural changes to affected clients and will post updated guidance as new requirements take effect.

Safety Planning and Crisis Reporting

Your safety is our highest priority. Red Oak Counseling maintains specific protocols for situations involving risk of harm, and we have made accommodations to ensure that safety needs can be addressed without unnecessarily compromising your confidentiality.

Crisis Resources

If you are experiencing a mental health crisis, suicidal thoughts, or are in immediate danger, please use one of the following resources at any time:

  • 988 Suicide & Crisis Lifeline: Call or text 988 (available 24/7)
  • Crisis Text Line: Text HOME to 741741
  • Emergency services: Call 911 or go to your nearest emergency room if there is an immediate risk to life
  • Your care coordinator: Contact your assigned care coordinator during business hours for non-emergency safety concerns

When We May Disclose Information to Protect Safety

HIPAA (45 CFR §164.512(j)) and Idaho law permit — and in some cases require — us to use or disclose protected health information when necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. Specifically:

  • If we believe in good faith that a disclosure is necessary to prevent or lessen a serious and imminent threat to you or to another person, we may disclose relevant information to persons reasonably able to prevent or lessen the threat, including law enforcement
  • When a client makes a specific, credible, and imminent threat against an identifiable third party, we may be required to warn that person and/or notify law enforcement (see Duty to Warn and Protect above)
  • Disclosures for safety purposes are limited to the minimum information necessary to address the specific threat
  • All safety-related disclosures are documented in the client's record

Safety Accommodations and Confidential Communications

We recognize that for some clients, particularly those in domestic violence situations or other safety-sensitive circumstances, standard communication methods could create risk. You have the right to request that we:

  • Contact you only at a specific phone number, address, or through a designated safe contact
  • Send appointment reminders or correspondence in a specific format or to a specific location
  • Withhold or limit information shared with family members, household members, or others who may accompany you
  • Conduct certain conversations in private, even when others are present at an appointment

To request a confidential communications accommodation, please speak with your care coordinator or contact our Privacy Officer. We will honor all reasonable requests without requiring you to explain the reason for the accommodation.

Changes to This Notice

We reserve the right to change this Notice at any time. Changes will apply to health information we already hold about you as well as any information we receive in the future. The current version of this Notice is always available from your care coordinator and posted at our offices. The effective date at the top of this Notice reflects when the current version took effect.

⚠ How to File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with us or directly with the U.S. Department of Health & Human Services (HHS). You will not be retaliated against for filing a complaint.

File with HHS online: https://www.hhs.gov/hipaa/filing-a-complaint/

File with us: Contact our Privacy Officer using the information below.

📞 Contact Our Privacy Officer

If you have questions about this Notice or wish to exercise any of your rights, please contact:

Red Oak Counseling

Robert Andrews, Privacy Officer • (contact your care coordinator or our administrative staff)

Email: privacy@redoak-counseling.com