Paubox blog: HIPAA compliant email made easy

The function of the Privacy Rule in preventing conflict with state laws

Written by Kirsten Peremore | August 22, 2024

HIPAA's right of preemption refers to how HIPAA rules take priority over conflicting state laws unless the state laws provide stronger privacy protections. HIPAA sets a baseline for privacy standards across the U.S. If a state has laws that offer more stringent protections for personal health information, those state laws will override HIPAA regulations. On the other hand, if state laws are less protective, HIPAA's stricter rules will apply.

 

How the Privacy Rule prevents conflict with state laws

According to the HHS, “The HIPAA Privacy Rule provides a Federal floor of privacy protections for individuals' individually identifiable health information where that information is held by a covered entity or by a business associate of the covered entity.”

HIPAA’s Privacy Rule serves as a baseline, ensuring that every person across the United States enjoys a fundamental level of privacy for their health information. When HIPAA and state laws are at odds, the rule is straightforward: the law that offers more protection to the individual takes precedence. This flexibility respects the diverse legal landscapes of different states while ensuring that no one’s privacy falls below a national standard.

The rule's design recognizes that states may have unique needs or stronger opinions about patient privacy. For instance, some states may have stringent laws on genetic information or HIV status disclosures, reflecting local values or public health priorities. By allowing these laws to override HIPAA when they provide greater protection, the Privacy Rule allows states to cater to their populations' specific needs without compromising on privacy.

 

When state laws have preemptive power

State laws take the lead over HIPAA when they offer tighter privacy protections or more rights for individuals. This setup ensures the highest level of privacy protection is always in effect. If a state's rules are stricter than HIPAA's, they take precedence. This means that residents in different states can benefit from the strongest protections tailored to their specific needs.

Sometimes state laws cover issues that HIPAA does not, or they go into greater detail about particular types of health information. For instance, a state might have more explicit laws governing the confidentiality of psychiatric treatment records or adoption-related health information. These laws fill gaps, ensuring that sensitive areas of healthcare get the attention they deserve.


 

FAQs

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects sensitive patient health information from being disclosed without the patient's consent or knowledge.

 

What is the Privacy Act?

The Privacy Act of 1974 is a federal law that regulates the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies.

 

What is the Privacy Rule?

The Privacy Rule is a component of HIPAA that establishes national standards to protect individuals' medical records and other personal health information. It applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.