by/of state laws (HIPAA)
HIPAA establishes a federal floor of health privacy protections. But covered entities must still attend to their state's requirements. Contrary state health information laws and regulations are not preempted by HIPAA's privacy requirements when the state laws:
- are "more stringent" in their privacy protections;
- provide for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation, or intervention; or
- require a covered entity to report, or to provide access to, information for management or financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals.
A law is "contrary" in this context if it would be impossible to comply fully with both the state and federal provisions, or if the situation presents an "obstacle" that would impede achievement of the "full purposes and objectives" of HIPAA.
For the first of the three exceptions -- a "more stringent" state privacy protection -- there is an expansive regulatory
- with respect to a use or disclosure, the state law prohibits or restricts a use or disclosure of protected health information (PHI) in circumstances under which such use or disclosure otherwise would be permitted by HIPAA;
- with respect to the rights of an individual who is the subject of the protected health information to access or amend that PHI, the state law permits greater rights of access or amendment;
- with respect to information to be provided to an individual who is the PHI subject about a use, disclosure, rights or remedies, the state law provides the greater amount of information;
- with respect to the form or substance of an authorization or consent for use or disclosure of PHI, the state law provides requirements that narrow the scope or duration, increase the privacy protections afforded ... or reduce the coercive effect of the circumstances surrounding the authorization;
- with respect to recordkeeping or requirements relating to accounting of disclosures, the state law provides for the retention or reporting of more detailed information or for a longer duration; or
- with respect to any other matter, the state law provides greater privacy protection for the individual who is the
Note that with respect to uses or disclosures related to unemancipated minors, state law controls regardless of whether it might be viewed as more or less stringent. (Otherwise one would have to decide in a particular circumstance whether "more stringent" applied to the privacy rights of the parent or of the minor.)
Even such detailed specifications do not necessarily make "more stringent" transparent in every circumstance. HIPAA provides procedures under which the Secretary of the Department of Health and Human Services (DHHS) can be asked to make a determination about whether state law or HIPAA prevails for a given case.
DHHS can grant an exemption for a state provision that is considered necessary for:
- reporting on health care delivery or costs, or to prevent fraud and abuse related to the provision of or payment for
- state regulation of insurance and health plans; or
- a "compelling need" related to public health, safety, or welfare.
An exemption requires a finding by DHHS that "the intrusion into privacy is warranted when balanced against the need to be served." Exemption requests must be made in writing, by a state's chief elected official (or his/her designee).