HIPAA Allows State Preemption. What Does That Mean?

by James Keogh

Saying that HIPAA allows state preemption means that covered entities are required to comply with a provision of state law – rather than the equivalent HIPAA provision – if the provision of state law has more stringent privacy requirements than HIPAA, provides individuals with more rights than HIPAA, or falls into one of the exception categories included in Subpart B of the HIPAA General Administrative Requirements (45 CFR §160.203). Strictly speaking, the regulations are worded the other way around: HIPAA preempts contrary state law unless one of those exceptions applies, in which case the state law is "not preempted" and continues to apply alongside HIPAA. "HIPAA allows state preemption" is simply the shorthand used for those exceptions.

Prior to the passage of HIPAA, a number of states already had laws that protected health information or special classes of health information (i.e., mental health information, AIDS information, etc.). Different states also had different reporting requirements for public health and licensing purposes. The state laws varied greatly in scope and strength – prompting HHS Secretary Donna Shalala to describe them as “a morass of erratic law”.

Because HIPAA is a federal law, it would normally preempt contrary state laws. However, because some states had laws with more stringent requirements than were being proposed in the HIPAA Administrative Simplification Regulations, the text of HIPAA allows state preemption in certain circumstances. Indeed, when the HIPAA Privacy Rule was published it was described as "a federal floor of privacy protections" that preempted contrary state laws unless an exception applies – states remained free to build on top of that floor.

When Does HIPAA Allow State Preemption?

The exceptions when HIPAA allows state preemption are published in Subpart B of the HIPAA General Administrative Requirements (§160.203). For the purposes of this article, the exceptions are grouped into four categories:

Privacy Exceptions

The privacy exceptions when HIPAA allows state preemption apply when a state law provides greater privacy protections or privacy rights with respect to Protected Health Information (PHI) than the HIPAA Privacy Rule. The test for whether a state law is "more stringent" is defined in §160.202 – broadly, a state law is more stringent if it places greater restrictions on a use or disclosure of PHI, gives individuals greater rights of access or amendment, or requires more detail in authorizations or record keeping. With regard to this exception, it is important to note that some state privacy laws exempt HIPAA covered entities (and sometimes business associates) and/or exempt PHI – but not necessarily personal information that does not qualify as PHI. An organization can therefore be subject to a state privacy law for some of the data it holds even though that data is outside the scope of HIPAA.

Health / Public Health Exceptions

While the HIPAA Privacy Rule permits disclosures of PHI for public health activities (§164.512(b)), in some states reports of this nature are mandatory. §160.203(c) therefore leaves intact any state law that "provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention". In addition, when a covered entity reports suspected abuse, neglect, or domestic violence under §164.512(c), HIPAA requires the covered entity to promptly inform the individual that a report has been made (except in certain circumstances, for example where doing so would place the individual at risk of serious harm). This is not always a requirement of a mandatory state reporting law, so the HIPAA notification obligation still has to be met even when the report itself is made under state law.

Licensing Exceptions

The licensing exceptions when HIPAA allows state preemption apply when a provision of state law requires a health plan to report, or to provide access to, PHI for the purpose of the licensure or certification of facilities or individuals (§160.203(d)). The same exception covers state laws requiring health plans to report or provide access to PHI for management audits, financial audits, and program monitoring and evaluation. In such cases, the recipient of PHI usually attests that the information will not be further disclosed, although this is a matter of state practice rather than a HIPAA requirement.

Regulatory Exceptions

Regulatory exceptions (§160.203(a)) include state laws that the Secretary of HHS determines are necessary to prevent fraud or abuse related to the provision of or payment for healthcare, to ensure appropriate state regulation of insurance and health plans, for state reporting on healthcare delivery or costs, or to serve a compelling need related to public health, safety, or welfare. Unlike the other exceptions, this one depends on a written determination by the Secretary, which a state must request under §160.204; a state law does not fall into this category simply because it has a regulatory purpose. The same exception also preserves state laws whose principal purpose is the regulation of the manufacture, registration, distribution, dispensing, or other control of controlled substances. Separately, disclosures to the FDA and other public health authorities are permitted by the HIPAA Privacy Rule under §164.512(b).

Examples of When HIPAA Allows State Preemption

The best known example of when HIPAA allows state preemption is in Texas, where the Texas Medical Records Privacy Act has a number of provisions that are more stringent than HIPAA. These provisions include (but are not limited to) the requirement to obtain an authorization for certain disclosures of PHI that are permitted without authorization by the HIPAA Privacy Rule, and the requirement to respond to patient requests for electronic health records within fifteen business days (rather than the thirty days allowed by HIPAA).

It is important to be aware that the Texas Medical Records Privacy Act not only applies to covered entities located in Texas, but to any covered entity that creates, receives, maintains, or transmits the PHI of a Texas resident. It is also important to be aware that the definition of a covered entity in Texas not only includes health plans and healthcare providers, but can also include organizations such as sports clubs, IT service providers, and website owners.

Due to the speed at which state privacy laws are being introduced, enacted, and amended, it can be difficult to stay on top of every scenario in which HIPAA allows state preemption. A practical approach is to treat HIPAA as the baseline and, for each state in which the organization operates or whose residents' PHI it handles, document the specific provisions that are more stringent or that fall into one of the §160.203 exceptions. If your organization requires help managing policies and procedures to account for state laws and when they preempt HIPAA – or training members of the workforce on when HIPAA allows state preemption – it is recommended you speak with a healthcare compliance professional.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]