When Does HIPAA Override State Medical Privacy Laws

HIPAA Preemption of State Law

The HIPAA Privacy Rule provides a Federal floor of privacy protections for individuals’ individually identifiable health information where that information is held by a covered entity or by a business associate of the covered entity. State laws that are contrary to the Privacy Rule are preempted by the Federal requirements, unless a specific exception applies. These exceptions include cases where the State law:

  • relates to the privacy of individually identifiable health information and provides greater privacy protections or privacy rights with respect to such information,
  • provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention, or
  • requires certain health plan reporting, such as for management or financial audits.

In these circumstances, a covered entity is not required to comply with a contrary provision of the Privacy Rule.

Additional areas that permit State law to have an exception from the Federal preemption rules can be created by formal request from the State if certain requirements are met. The Department of Health and Human Services (HHS) may, following a request from a State, determine that a provision of State law which is “contrary” to the Federal requirements – as defined by the HIPAA Administrative Simplification Rules – and which meets certain additional criteria, will not be preempted by the Federal requirements. The Secretary of HHS must determine that one of the following criteria applies before granting an exception from the HIPAA preemption rules. These criteria require a showing that the State law at issue:

  1. is necessary to prevent fraud and abuse related to the provision of or payment for health care,
  2. is necessary to ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation,
  3. is necessary for State reporting on health care delivery or costs,
  4. is necessary for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or
  5. has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law.

Only State laws that are “contrary” to the Federal requirements are eligible for an exemption determination. For a provision of State law to be considered “contrary,” it must be impossible for a covered entity to comply with both the State and Federal requirements, or the provision of State law must be an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.

