State privacy law controls instead of HIPAA when the state requirement is not preempted under the HIPAA preemption framework, most commonly because the state requirement provides greater privacy protection for individuals than the HIPAA Privacy Rule.
HIPAA Preemption Standard
HIPAA establishes a federal baseline for privacy and security of protected health information. A state law that is contrary to the HIPAA Privacy Rule is preempted unless an exception applies. A law is contrary when a regulated entity cannot comply with both requirements or when the state requirement blocks compliance with HIPAA.
More Stringent State Privacy Laws
A state privacy law applies in place of the HIPAA Privacy Rule when it is more stringent. A more stringent law creates a higher level of privacy protection by limiting uses or disclosures, expanding individual rights, narrowing permitted recipients, or increasing documentation or authorization requirements.
Common examples include state rules that require written authorization for disclosures that HIPAA would otherwise permit, state limits on redisclosure of certain health information categories, and state provisions that grant additional access, amendment, or confidentiality rights.
State Laws That Require Disclosures
State laws that require reporting or other disclosures can operate alongside HIPAA because the HIPAA Privacy Rule permits disclosures that are required by law. In these situations, the state law does not supersede HIPAA as a stricter privacy standard. Instead, the state law creates an affirmative duty to disclose, and HIPAA allows the disclosure when the conditions of the "required by law" provision are met.
Other Preemption Exceptions
State laws may also avoid preemption when they address areas that HIPAA allows states to regulate, such as certain health plan and insurance functions, state oversight of health care delivery or costs, and specific public health or safety activities. Federal determinations can also preserve a state law in limited circumstances.
Operational Application For Regulated Organizations
Covered Entities and Business Associates apply both HIPAA and applicable state privacy law to the same data set and follow the requirement that gives the individual the greater privacy protection when the state law is more stringent. Policies, workforce training, authorization forms, notice content, and disclosure workflows should reflect the controlling rule for the jurisdiction and the information category involved.