State Law: Can It Override Hipaa?

can state law preempt hipaa

The Health Insurance Portability and Accountability Act (HIPAA) sets a “federal floor” of privacy protections and rights for individuals. This means that state laws that are contrary to HIPAA's requirements are generally preempted by federal law. However, there are exceptions to this rule, and state laws can sometimes provide greater privacy protections or rights than HIPAA. In these cases, the state law supersedes HIPAA, and covered entities must comply with both the state law and HIPAA's requirements. This topic has been the subject of several court cases, including an Arizona appeals court case, which found that certain state laws are not subject to HIPAA preemption.

Characteristics Values
State law is "contrary" to HIPAA Privacy Rule If it is impossible for an entity to comply with both the state law and the HIPAA Privacy Rule
Example of a contrary state law A state law that prohibits the disclosure of protected health information (PHI) to an individual who is the subject of the information
Example of a non-contrary state law A state law that provides greater privacy protections or privacy rights to individuals concerning individually identifiable health information
Preemption of a contrary state law Will not occur if the Secretary or designated HHS official determines that the state law is necessary to prevent fraud and abuse related to the provision of or payment for healthcare
Will not occur if the Secretary or designated HHS official determines that the state law is necessary to ensure appropriate State regulation of insurance and health plans
Will not occur if the Secretary or designated HHS official determines that the state law is necessary for State reporting on health care delivery or costs
Will not occur if the Secretary or designated HHS official determines that the state law is necessary for purposes of serving a compelling public health, safety, or welfare need
Will not occur if the Secretary or designated HHS official determines that the state law has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances
State law that supersedes HIPAA Illinois' Biometric Information Privacy Act
Law 10 LPRA §4051 in Puerto Rico

lawshun

State law can preempt HIPAA if it provides greater privacy protections

The Health Insurance Portability and Accountability Act (HIPAA) sets a “federal floor” of privacy protections and rights for individuals. This means that state laws that are contrary to HIPAA's requirements are generally preempted by federal law. However, there are exceptions to this rule, and state law can sometimes provide greater privacy protections than HIPAA.

The HIPAA Privacy Rule provides a baseline level of privacy protections for individuals' identifiable health information held by covered entities or their business associates. State laws that conflict with or weaken HIPAA's privacy and security standards are typically preempted, and covered entities must comply with HIPAA in these cases. However, the Department of Health and Human Services (HHS) has the authority to determine that a state law provision that is "contrary" to HIPAA's requirements will not be preempted by federal law if certain criteria are met.

For example, if a state law is necessary to prevent fraud and abuse related to healthcare provision or payment, or if it serves a compelling public health, safety, or welfare need, HHS may grant an exemption from preemption. Additionally, state laws that relate to the reporting of specific events, such as disease, injury, child abuse, birth, or death, are not preempted by HIPAA and can coexist with the federal requirements.

In some states, such as Illinois and New York, data breach notification requirements go beyond HIPAA's standards. For instance, Illinois' Biometric Information Privacy Act requires breaches of biometric information to be reported, regardless of whether the breached information could identify an individual. These state laws provide greater privacy protections than HIPAA and, therefore, supersede the federal requirements in those specific cases.

Overall, while HIPAA sets a baseline for privacy protections, state laws can sometimes provide greater protections or rights for individuals. In these cases, state law supersedes HIPAA, ensuring that individuals' privacy is protected to the highest degree possible.

lawshun

State law can be contrary to HIPAA if it's impossible to comply with both

The Health Insurance Portability and Accountability Act (HIPAA) sets a “federal floor” of privacy protections and rights for individuals. This federal floor preempts any state law that provides lesser protections or rights. However, state law can indeed be contrary to HIPAA if it is impossible to comply with both.

A state law is "contrary" to the HIPAA Privacy Rule and, therefore, subject to HIPAA preemption if it is impossible for a covered entity to comply with both the state law and the HIPAA Privacy Rule. For example, a state law that prohibits the disclosure of protected health information (PHI) to the individual who is the subject of that information may be contrary to the HIPAA Privacy Rule. The HIPAA Privacy Rule requires the disclosure of protected health information to individuals in certain circumstances. In such a case, a covered entity would find itself in a Catch-22 situation, where complying with the state law would mean violating the HIPAA Privacy Rule, and vice versa.

The Department of Health and Human Services (HHS) may, upon specific request, determine that a contrary state law will not be preempted by the federal requirements if certain criteria are met. These criteria include situations where the state law is necessary to prevent fraud and abuse related to healthcare provision or payment, or if it serves a compelling public health, safety, or welfare need.

It is important to note that only state laws that are “contrary” to federal requirements are eligible for an exemption determination. This means that it would be impossible to comply with both the state and federal requirements or that the state law provision obstructs the fulfilment of the Administrative Simplification provisions of HIPAA.

While there is no single state privacy law that supersedes HIPAA in its entirety, elements of non-privacy state laws can apply, requiring covered entities to implement more stringent privacy protections and greater individual rights than HIPAA.

lawshun

State law can be exempt from HIPAA if it's necessary to prevent fraud and abuse

The Health Insurance Portability and Accountability Act (HIPAA) sets a federal baseline for privacy protections for individuals' identifiable health information. However, it is important to note that state laws that are "contrary" to HIPAA are subject to preemption by federal requirements. This means that when a state law is in conflict with HIPAA, the federal requirements of HIPAA will take precedence and must be followed.

A state law is considered "contrary" to HIPAA when it is impossible for a covered entity to comply with both the state law and HIPAA, or when the state law hinders the fulfillment of HIPAA's objectives. In such cases, the federal requirements of HIPAA will override the state law.

However, there are exceptions where a state law that is "contrary" to HIPAA will not be preempted by federal requirements. The Department of Health and Human Services (HHS) may determine that a state law that meets certain criteria will not be subject to preemption. One of these criteria is if the state law is deemed necessary to prevent fraud and abuse related to the provision of or payment for healthcare.

For example, if a state law requires additional privacy protections for individuals' health information to prevent fraud, and it is possible to comply with both the state law and HIPAA, then the state law can be exempt from preemption. In this case, the covered entity must comply with both the state law and HIPAA, providing greater privacy protections for individuals.

In summary, while HIPAA sets a federal standard for privacy protections, state laws can be exempt from preemption if they are necessary to prevent fraud and abuse and do not conflict with the requirements of HIPAA. This allows states to implement additional protections for individuals' health information while still adhering to the overall objectives of HIPAA.

lawshun

State law can supersede HIPAA if it provides more stringent privacy protections

The Health Insurance Portability and Accountability Act (HIPAA) sets a "federal floor" of privacy protections and rights for individuals. This means that state law can supersede HIPAA if it provides more stringent privacy protections. The HIPAA Privacy Rule is a part of HIPAA that sets national standards for the protection of individuals' medical records and personal health information handled by certain entities.

State laws that are contrary to the Privacy Rule are preempted by federal requirements unless a specific exception applies. These exceptions include if the state law relates to the privacy of individually identifiable health information and provides greater privacy protections or privacy rights with respect to such information. For example, in Illinois, breaches of biometric information must be reported to the Illinois Department of Human Services, regardless of whether the breached information could identify an individual. In New York State, any unauthorized access of computerized data must be reported to the New York State Attorney General, the Department of State, and the Division of State Police within ten days, even if the data does not contain health information.

In some cases, the Department of Health and Human Services (HHS) may determine that a provision of state law that is "contrary" to HIPAA's requirements will not be preempted by federal law. For instance, if the state law is necessary to prevent fraud and abuse related to healthcare provision or payment, or if it serves a compelling public health, safety, or welfare need, an exemption from preemption may be granted.

It is important to note that only state laws that are "contrary" to federal requirements are eligible for an exemption determination. This means that it would be impossible for a covered entity to comply with both the state and federal requirements, or that the state law provision is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.

lawshun

State law can preempt HIPAA if it's necessary for public health, safety, or welfare

The Health Insurance Portability and Accountability Act (HIPAA) sets a "federal floor" of privacy protections and rights for individuals. This federal floor preempts any state law providing lesser protections or rights. However, state law can supersede HIPAA when it provides greater privacy protections or rights for individuals. In these cases, the superseding standard or clause applies, rather than the whole of the state privacy law.

State laws that are contrary to the HIPAA Privacy Rule are preempted by federal requirements unless a specific exception applies. One such exception is if the state law is necessary for public health, safety, or welfare. For example, if a state law relates to the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention, it is not preempted by HIPAA. These laws are allowed to coexist with HIPAA.

The Department of Health and Human Services (HHS) may, upon specific request, determine that a provision of state law that is "contrary" to HIPAA's requirements will not be preempted by federal law if it serves a compelling public health, safety, or welfare need. This ensures that critical public health reporting and certain state-specific privacy protections can continue to function alongside the federal HIPAA Privacy Rule while maintaining a baseline level of privacy protection for individuals' health information.

It is important to note that only state laws that are "contrary" to federal requirements are eligible for an exemption determination. "Contrary" means that it would be impossible for a covered entity to comply with both the state and federal requirements or that the state law provision is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.

Frequently asked questions

State law can preempt HIPAA when a state law provides greater privacy protections for individually identifiable health information than HIPAA, or when a state law provides individuals with more privacy rights than HIPAA.

The "federal floor" approach refers to the idea that the HIPAA Privacy Rule sets a baseline level of privacy protections and rights for individuals. States are free to impose more stringent privacy protections if they deem it appropriate.

Yes, in certain cases, the Department of Health and Human Services (HHS) may determine that a state law that is "`contrary`" to HIPAA's requirements will not be preempted by federal law. This can occur if the state law is necessary to prevent fraud and abuse related to healthcare provision or payment, or if it serves a compelling public health, safety, or welfare need.

Some examples of state laws that preempt HIPAA include Illinois' Biometric Information Privacy Act, which allows individuals to claim damages in the event of a data breach, and state laws in New York and Illinois that require the reporting of data breaches beyond what is required by HIPAA.

Written by
Reviewed by
Share this post
Print
Did this article help you?

Leave a comment