HIPAA State Law

There is no such thing as HIPAA state law.

There is no such thing as HIPAA state law, because HIPAA is a law that was passed by the Congress of the United States and then signed into law by the President of the United States. Laws passed by the US Congress and signed into law by the President are referred to as federal laws (or “statutes”).

The federal government, and only the federal government, has the power to amend or repeal federal laws.  Congress has the power to pass federal laws, if one or more of Congress’ enumerated powers allow it to do so. An “enumerated” power is a power that is specifically mentioned in the United States Constitution. The enumerated powers of Congress can be found in Article 1 of the Constitution (the Executive Branch, which enforces federal laws, is the subject of Article 2; the federal judicial branch, which interprets federal laws, is the subject of Article 3).

What Power Does Congress Have to Pass and Amend HIPAA?

One of Congress’ powers is the power “To regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes.” The “among the several States” language means that Congress has the power to regulate commerce between states. Commerce between states is known as “interstate commerce.” Congress’ power to regulate commerce between states is referred to as its “interstate commerce clause” power or “interstate commerce” power.

HIPAA was passed under (or pursuant to) Congress’ power to regulate interstate commerce.

What’s the Actual Importance of This?

The need for the federal government to pass laws is of real-world importance.  

Picture this: You are a healthcare provider, operating in multiple states. The year is 1995 – pre-HIPAA. The misnomer “HIPAA state law” does not exist. Each state has its own requirements (if they have any requirements at all) regarding how patient medical information should be kept private and secure. What does that mean? You must become familiar with each law.

Let’s change the facts slightly. Say you are doing business in all 50 states. The year is 1995. Since, as you are aware, entities that conduct business in a state are generally subject to that state’s business laws, you, as a healthcare provider, may be required to know and comply with the unique laws on privacy and security of patient health information of all 50 states in order to conduct business in each of them. Some of these laws impose requirements that others do not.

Imagine the terrifying prospect of having to come up with a way to comply with all of these different laws. Sounds pretty difficult. 

As if it weren’t difficult enough, in 1995, the Internet age is dawning. You’re becoming familiar with this whole “World Wide Web” thing, and, to save space, you are looking for ways to store patient information online. Yet there are no laws in your state telling you whether you can do this, or how you can do this.

Flash-forward to 1996. HIPAA is signed into law.

How is this law different from any state law regulating privacy and security of patient records?   

A significant reason why HIPAA was passed was the need for one national standard to protect PHI – as opposed to a patchwork of 50 state standards. HIPAA is different because it provides uniformity – subjecting entities in different states to the same obligations.

What Did Passage of HIPAA Mean to States?

If a valid federal law regulates a subject (here, the privacy and security of medical information), the part of the Constitution known as the “Supremacy Clause” governs whether states may pass their own laws regulating the same subject.

The Supremacy Clause establishes that the U.S. Constitution, and federal laws made under it (such as HIPAA), are the “supreme law of the land.”

Does this mean that a state has no power to regulate the same subject that is regulated by federal law? No. That has never been the case. What it means is that a state law that seeks to regulate the same subject cannot contradict the federal law, or conflict with it. If the state law contradicts or conflicts with the federal law, or frustrates the purpose of the federal law, the federal law controls. 

Therefore, under long-standing legal principles, if a state law does not contradict, conflict with, or frustrate the purpose of a federal law, the state may pass and enforce that law – in this case, laws regarding matters such as data breaches, the privacy of patient medical information, and the security of that information.

A state that attempts to regulate the subject matter of HIPAA can, if it chooses, provide greater protection (to patients, to PHI, etc.) than HIPAA does. Recall that HIPAA was created to impose national standards. Congress intended these national standards to act as a “floor” – a minimum amount of privacy and security protection that all covered entities must afford. State laws, therefore, may act as a “ceiling,” by providing protections HIPAA does not. For example, states may pass (and some of them have passed) identity theft laws that prohibit the hacking of information HIPAA considers to be PHI. HIPAA doesn’t have an anti-identity theft provision; a state law that does has filled in a regulatory gap.

State laws and HIPAA, therefore, can work to complement each other. Examples of state laws that provide protection to what HIPAA considers to be PHI include:

  • Data Breach Notification Laws
  • Identity Theft Laws
  • Privacy Protection and Data Security Protection Laws

These laws can regulate the different entities – insurers, doctors, and medical offices – that HIPAA applies to. These laws can provide greater protection than HIPAA by regulating other entities as well – entities such as Internet Service Providers and insurers other than health insurers. Such laws providing enhanced protection can co-exist with HIPAA, so long as those laws do not contradict HIPAA and do not impose obligations that make an entity’s compliance with both the state law and HIPAA impossible.

States may choose – and have indeed chosen – to give their own names to their equivalents of HIPAA legislation. So there is no law entitled “The New York Health Insurance Portability and Accountability Act” or “Kansas Health Insurance Portability and Accountability Act.” When the phrase “state HIPAA law” or “HIPAA state law” is used, what is meant is “state law equivalent to HIPAA,” “state law that is the state equivalent of HIPAA,” or “HIPAA state-law equivalent.”