The HIPAA Privacy Rule and
Preemption of State Law

The HIPAA Privacy Rule provides a federal floor of privacy protections for individuals’ protected health information (PHI), where that information is held by a covered entity or by a business associate of the covered entity. State laws that are contrary to the HIPAA Privacy Rule are preempted by the federal requirements, unless a specific exception applies. 

The concept of preemption is not specific to HIPAA. The Constitution of the United States contains what is, in effect, a preemption provision. Article 6 of the Constitution contains a clause that is known as the “Supremacy Clause.” The Supremacy Clause states, simply, that the Constitution, and federal laws created under the Constitution, are the “supreme law of the land.” This has been interpreted to mean that a state law that contradicts, or is contrary to, a federal law, is “trumped” by the federal law.  

The part of the Constitution that HIPAA was enacted under, is referred to the “interstate commerce clause.”  Under this clause, the Congress of the United States has the power to regulate commerce – commercial activity – among the states. Health care transactions contain a commercial component (i.e., people pay for health care; doctors are paid to provide it; payments are made from residents to one state to laboratories headquartered in another state, and so forth)  and are therefore regarded as “interstate commerce.” 

When is a State Law “Contrary” to the HIPAA Privacy Rule?

A State law is “contrary” to the HIPAA Privacy Rule if:

  • It would be impossible for a covered entity to comply with both the State law and the HIPAA Privacy Rule; or 
  • If the State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA. 

For example, a state law that prohibits the disclosure of protected health information (PHI) to an individual who is the subject of the information may be contrary to the HIPAA Privacy Rule, which requires the disclosure of protected health information to an individual in certain circumstances.

The state law is contrary to the HIPAA Privacy Rule because:

  • The covered entity cannot, as a simple logistical matter, comply with both the State law and the HIPAA Privacy Rule. If the covered entity discloses the information to the individual under the HIPAA Privacy Rule, the covered entity has failed to comply with the state law. If the covered entity follows the state law and does not disclose the information to the individual, the covered entity has failed to comply with the HIPAA Privacy Rule.
  • The state law is an obstacle to accomplishing the purposes and objectives of HIPAA’s administrative simplification provisions. Those provisions were created for the purpose of protecting the privacy of individuals’ PHI, without compromising the ability of individuals to receive and review their own health records.   

Are there Exceptions to the HIPAA Privacy Rule’s Preemption of Contrary State Laws?

There are three recognized exceptions to the general rule that the HIPAA Privacy Rule preempts contrary state law.  These exceptions include if the state law:

    1. Relates to the privacy of PHI and provides greater privacy protections or privacy rights with respect to such information, than the HIPAA Privacy Rule does. As noted above, HIPAA sets a privacy “floor.” States may, if they so choose, to provide greater privacy protections than are provided 
  • Provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention. Generally, states have the authority to create and enforce laws related to the health and safety of their residents. States also possess what is referred to as the “police power” – the power to define what constitutes a crime, and the power to conduct law enforcement activities, such as criminal investigations. 
  1. Requires certain health plan reporting, such as for management or financial audits. States possess broad power to regulate insurance companies that do business in the state. This power to regulate includes the power to require health plans to (among other things) conduct and report the findings of financial audits.

Are There Other Exceptions to Privacy Rule “Preemption”?

The Department of Health and Human Services (HHS) may, upon specific request from a state or other entity or person, determine that a provision of state law which is “contrary” to the HIPAA regulations, and which meets certain additional criteria, will not be preempted by the Federal requirements. 

Therefore, preemption of a contrary state law will not occur if the HHS Secretary determines, in response to a specific request, that one of the following criteria apply: The state law: 

  1. Is necessary to prevent fraud and abuse related to the provision of or payment for health care,
  2. Is necessary to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation,
  3. Is necessary for state reporting on health care delivery or costs,
  4. Is necessary for purposes of serving a compelling public health, safety, or welfare need, and, if a HIPAA Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served, or
  5. Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of controlled substances.

Compliancy Group Simplifies HIPAA Compliance

Compliancy Group was founded to help simplify the HIPAA compliance challenge. We give health care organizations everything they need to address the full extent of the HIPAA regulations.

Our ongoing support and web-based compliance app, The Guard™, gives health care organizations the tools to address the law so they can get back to confidently running their business. 

Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and MaintainTM their HIPAA compliance!