What You Need to Know About HIPAA and Your State’s Laws

HIPAA is federal legislation, so it is administered at the national level: the Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), enforces the Privacy, Security, and Breach Notification Rules. It applies in every state, though not to literally everybody: it binds "covered entities" (health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions) and their business associates. With regard to the security and privacy of health information in this country, there is no more important resource than HIPAA.

However, many states also have their own laws on health information privacy, some of which predate HIPAA and others of which were passed after it to strengthen safeguards or stiffen penalties. Because of this, conscientious providers need to familiarize themselves not just with HIPAA but also with the laws of their home states and, perhaps most importantly, with the points where the two conflict.

HIPAA vs State Law: Preemption

As with federal law generally, when HIPAA and a state law conflict, HIPAA usually wins. This is "preemption," and the rules for it are codified at 45 C.F.R. Part 160, Subpart B (§§ 160.201–160.205), adopted alongside the Privacy Rule. A state law is preempted when it is "contrary" to HIPAA, meaning that a covered entity cannot comply with both, or that the state law stands as an obstacle to HIPAA's purposes (§ 160.202). In the words of HHS, HIPAA "provides a Federal floor of privacy protections for individuals' individually identifiable health information," and no state law can lower that floor.

The major exception is a state law that is "more stringent" than its HIPAA counterpart; in that case HIPAA specifies that the state law prevails. "More stringent" is defined in § 160.202, but in general it means a law that increases the duties of covered entities or the rights of patients: one that places tighter limits on uses and disclosures of health information, gives patients faster or broader access to their records, requires more detailed or longer-retained record-keeping and accountings of disclosures, or otherwise provides greater privacy protection to the individual. Note that the comparison is made provision by provision, not statute against statute: a state law can be more stringent in one section and preempted in another.

There are a few other exceptions. A contrary state law also survives when the Secretary of HHS determines, on request, that it serves "a compelling need related to public health, safety, or welfare" (or that its principal purpose is the regulation of controlled substances), or when it "provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention." In such cases HIPAA allows a less stringent state law to hold; the public-health reporting carve-out applies on its own, with no HHS determination required.

Likely Areas of Conflict

HIPAA can conflict with your state's laws on many topics, but if you have already achieved HIPAA compliance, the conflicts that matter are the ones where the state law is more stringent (or falls under one of the exceptions above), because those are the cases where your obligations go beyond HIPAA's. A few areas to analyze especially closely:

  1. Anything that includes a number
    HIPAA contains many specific numbers: response deadlines for record requests (30 days under the right of access, with one 30-day extension), retention periods for required documentation (six years), breach notification deadlines, and civil monetary penalty tiers. Any of these can collide with a tighter number in state law, so know how that affects your legal duties and the repercussions of not meeting them. In California, for example, licensed facilities such as hospitals and clinics must report breaches of protected health information (PHI) to the state Department of Public Health within 15 business days of detection, whereas HIPAA's outer limit is 60 calendar days after discovery (and even that is a ceiling, not a safe harbor: notification must be made "without unreasonable delay"). Note also that HIPAA sets no retention period for medical records themselves; that number usually comes from state law.
  2. Allowable uses and disclosures of PHI
    Unsurprisingly, since HIPAA focuses so much on what you can and cannot do with PHI, this is an easy area for conflicts to emerge. A disclosure that HIPAA permits without authorization (for treatment, payment, or health care operations, for instance) may be banned or require written consent in a given state, and many states add their own rules for sensitive categories such as mental health, HIV, genetic, and reproductive health information. Substance use disorder records are a good illustration: state law on their disclosure is a patchwork, and on top of it sits a separate, stricter federal rule, 42 C.F.R. Part 2, covering records of federally assisted treatment programs.
  3. Patient rights
    Any state law that expands a patient's rights or access with regard to their health information is likely to count as "more stringent" than HIPAA, so watch for these. The HIPAA baseline is the right of access in 45 C.F.R. § 164.524: a copy of the designated record set within 30 days, for a reasonable, cost-based fee. A state that sets a shorter deadline, caps fees lower, or grants access HIPAA does not goes further, and the state rule then governs. State-by-state comparisons of patient access laws show at least 11 states with requirements stronger than HIPAA's.

Learn More and Protect Yourself

This article is meant to highlight the fact that state law can differ from HIPAA in ways that increase your obligations (and potential damages) as a care provider; it isn’t meant to give a complete assessment of any particular state’s health privacy law.

Most importantly, if you are providing medical care, you should consult with a lawyer who is familiar with your state’s health privacy laws. In conjunction with that, you might also check out “Health Information and the Law,” which is a joint project of the George Washington University’s Hirsh Health Law and Policy Program and the Robert Wood Johnson Foundation.


By this point, everybody involved in U.S. healthcare is aware of HIPAA, but far fewer care providers realize that state law can sometimes matter even more. Converting these "unknown unknowns" into "known unknowns" is the first crucial step in ensuring that your medical privacy efforts are sufficient to protect yourself, your patients, and your practice; as always, Ignorantia juris non excusat.

This article is part of a series of posts relating to HIPAA law and regulation. The information provided is meant as general guidance only and is not intended to be legal advice.
