
The HIPAA Privacy Rule's preemption of state law

The HIPAA Privacy Rule preempts state laws that are contrary to HIPAA's requirements. If a state law conflicts with or weakens HIPAA's privacy and security standards, federal law takes precedence, and covered entities must comply with HIPAA.

What is the HIPAA Privacy Rule's preemption of state law?

According to the HHS, "The HIPAA Privacy Rule provides a Federal floor of privacy protections for individuals' individually identifiable health information where that information is held by a covered entity or by a business associate of the covered entity."

HIPAA Privacy Rule's preemption of state law refers to the concept that, in certain circumstances, federal law (HIPAA) takes precedence over state laws regarding the privacy and security of individually identifiable health information. The preemption ensures a consistent and uniform standard for protecting individuals' health information across the United States, especially when healthcare organizations operate in multiple states.

Who does it apply to?

  1. Covered entities: The Privacy Rule applies to specific entities involved in the healthcare industry, referred to as "covered entities." Covered entities include health plans, healthcare providers, and healthcare clearinghouses.
  2. Business associates: The Privacy Rule also applies to business associates, which are individuals or organizations that perform certain functions or activities on behalf of covered entities that involve the use or disclosure of individually identifiable health information.
  3. Individually identifiable health information: The Privacy Rule applies to protected health information (PHI) or individually identifiable health information. PHI includes any health information that can identify an individual.
  4. Electronic transactions: The Privacy Rule focuses on individually identifiable health information that is transmitted, received, or maintained in electronic form. This means the rule applies to electronic health records (EHRs), electronic billing, and other electronic healthcare transactions.

Exceptions to the preemption of state laws

There are certain exceptions to the preemption of state laws that conflict with the federal requirements. These exceptions allow certain state laws to continue to apply despite potential conflicts with HIPAA. Note that in these cases, covered entities must follow the specific provisions of the state law in addition to complying with HIPAA's requirements. The exceptions include:

  1. Greater privacy protections: If a state law provides greater privacy protections or privacy rights to individuals concerning individually identifiable health information, then the state law is not preempted by HIPAA.
  2. Public health reporting and surveillance: State laws that relate to the reporting of disease or injury, child abuse, birth, death, or public health surveillance, investigation, or intervention are not preempted by HIPAA. These laws are allowed to coexist with HIPAA.
  3. Health plan reporting: Certain state laws may require health plans to report certain information for management or financial audits. In such cases, the state law's reporting requirements are not preempted by HIPAA.

Additionally, a provision in the HIPAA Administrative Simplification Rules allows the Department of Health and Human Services (HHS) to consider requests from states or other entities for an exemption determination. In specific cases, HHS may determine that a provision of a state law that is "contrary" to HIPAA's requirements will not be preempted by federal law. For example, if the state law is necessary to prevent fraud and abuse related to healthcare provision or payment or if it serves a compelling public health, safety, or welfare need, an exemption from preemption may be granted.

Overall, these exceptions and potential exemptions ensure that critical public health reporting and certain state-specific privacy protections can continue to function alongside the federal HIPAA Privacy Rule while maintaining a baseline level of privacy protection for individuals' health information nationwide.

FAQs

What is the Privacy Rule?

The Privacy Rule is a part of HIPAA that sets national standards for the protection of individuals' medical records and personal health information handled by certain entities.

What is the HHS?

The HHS, or Department of Health and Human Services, is a U.S. government department responsible for protecting the health of all Americans and providing human services.

What is HIPAA's administrative simplification?

It aims to improve the efficiency and effectiveness of the healthcare system by standardizing the electronic exchange of administrative and financial data.
