HIPAA Preemption of State Law

The HIPAA Privacy Rule provides a federal floor of privacy protections for protected health information (PHI) held by a HIPAA-covered entity or by a business associate of the covered entity. State laws that are contrary to the HIPAA Privacy Rule are subject to HIPAA preemption; that is, the state laws give way to the federal HIPAA requirements, unless a specific exception applies.

The concept of HIPAA preemption is not specific to HIPAA. The Constitution of the United States states that the Constitution, and federal laws created under the Constitution, are the “supreme law of the land.” This has been interpreted by courts to mean that a state law that contradicts, or is contrary to, a federal law is “trumped” by the federal law.

When Does Preemption Apply?

A state law is “contrary” to the HIPAA Privacy Rule – and therefore subject to HIPAA preemption – if it is impossible for a covered entity to comply with both the state law and the HIPAA Privacy Rule. For example, a state law that prohibits the disclosure of protected health information (PHI) to an individual who is the subject of the information may be contrary to the HIPAA Privacy Rule, which requires the disclosure of protected health information to an individual in certain circumstances.

Here, the state law is contrary to the HIPAA Privacy Rule because the covered entity cannot, logistically, comply with both the state law and the HIPAA Privacy Rule. If the covered entity discloses the information to the individual under the HIPAA Privacy Rule, the covered entity has failed to comply with the state law. If the covered entity follows the state law and does not disclose the information to the individual, the covered entity has failed to comply with the HIPAA Privacy Rule. Since the state law contradicts the HIPAA Privacy Rule, the state law is preempted.

Is There an Exception to the HIPAA Privacy Rule’s Preemption of Contrary State Laws?

One exception to the HIPAA preemption rule applies when the state law relates to the privacy of PHI and provides greater privacy protections or privacy rights with respect to such information than the HIPAA Privacy Rule does.

As noted above, HIPAA sets a privacy “floor.” States may, if they so choose, provide greater privacy protections than are provided by HIPAA.

A recent Arizona appeals court case demonstrates how certain state laws are not subject to HIPAA preemption.  In this case, Plaintiff, during a visit to his physician to obtain a prescription he regularly received, was also offered an erectile dysfunction (“E.D.”) sample by the doctor. Plaintiff accepted the sample. Shortly after, Costco Pharmacy told Plaintiff that his regular prescription, as well as a full prescription of the E.D. medication, were ready for pickup. Plaintiff told Costco he did not want the E.D. medication, and Costco acknowledged Plaintiff’s cancellation request.

About a month later, Plaintiff called Costco to check on another refill of the regular prescription, and was told that this medicine, as well as a full prescription of the E.D. medication, were ready for pickup. Again, Plaintiff told Costco he did not want the E.D. medication.

The next day, Plaintiff called Costco to authorize his ex-wife, with whom he was exploring possible reconciliation, to pick up the regular prescription. Costco gave the ex-wife the regular prescription AND the E.D. medication. The ex-wife did not accept or pay for the E.D. medication, but joked with a Costco employee about Plaintiff “not picking it up yet” and told Plaintiff’s children and some friends about the E.D. medication. She also stopped reconciliation efforts.

Plaintiff complained to Costco headquarters upon learning what happened. He then sued Costco in Arizona state court, alleging state law claims for (among other things) negligence based on a state law duty of care informed by HIPAA.

The trial court dismissed this claim. The appeals court reversed, finding Plaintiff had stated a valid negligence claim.

What Does the Appeals Court Ruling Have to Do with HIPAA?

The appeals court stated that, although the negligence claim did not arise under HIPAA, the parties agreed that the pharmacy owed the plaintiff a duty of care to act as a reasonably prudent pharmacist would under the circumstances (i.e., to act to maintain Plaintiff’s privacy). 

The pharmacy had argued before the appeals court that HIPAA preempted the state negligence law.  The appeals court disagreed, reasoning that allowing state law claims in this context would not result in contradiction of HIPAA. As the appeals court noted, additional “state law remedies encourage compliance with HIPAA by providing further means for patients to recover for harms suffered due to non-compliance [with HIPAA].”

Of particular significance, the appeals court stated: “HIPAA’s requirements may inform the standard of care [the duty of a pharmacist to honor a patient’s privacy] in state law negligence actions.”