When Does State Privacy Law Supersede HIPAA?

When does state privacy law supersede HIPAA? Congress passed HIPAA in 1996 to provide a uniform, nationwide standard of privacy and security with respect to protected health information. The HIPAA regulations provide that state health information privacy laws that are contrary to a HIPAA Privacy Rule provision are superseded, or overruled, by HIPAA. 

The regulations provide for an exception to this general rule. An exception exists when the state law is “more stringent” than the equivalent HIPAA provision. A state law is more stringent than HIPAA when it provides greater privacy protection for an individual than HIPAA does. When a state law is “more stringent,” state law supersedes HIPAA. The question of when state privacy law supersedes HIPAA is discussed in greater detail below.

When Does State Privacy Law Supersede HIPAA: Types of Superseding Laws

In general, state privacy laws that fall under the “more stringent” exception to the “contrary to HIPAA” rule involve patient privacy rights, specifically what information a covered entity may and may not disclose.

Mental health professionals, for example, are subject to state privacy laws that are more stringent than HIPAA. Examples of “more stringent than” laws governing mental health professionals include the following.

Authorization for Payment, Treatment, and Healthcare Operations Laws.

Under HIPAA, a provider may generally use and disclose protected health information (PHI) for treatment, payment, and healthcare operations activities. Under Utah law, however, a psychologist must obtain signed consent to use PHI for these purposes. The Utah law will prevail over HIPAA, since the Utah law gives patients more privacy protection.

Psychotherapy Notes.

Under the HIPAA Privacy Rule right of access, patients can access, inspect, and copy their medical records, but not psychotherapy notes. However, in Vermont, a psychologist must allow a patient to access his or her psychotherapy notes. The Vermont law gives patients greater access rights, and therefore supersedes HIPAA.

Subpoena of Patient Records.

Psychologists frequently receive subpoenas requesting patient medical records. HIPAA requires that a psychologist attempt to reach the patient to give notice that the records are being requested. As long as the psychologist has made “diligent but unsuccessful” efforts to reach the patient, the psychologist may then produce the records in response to the subpoena. Under New Hampshire law, however, a psychologist may not produce patient records in response to a subpoena unless the patient has consented to the release of the records, or a court has ordered the psychologist to release the records. Since New Hampshire law gives patients greater protection with respect to subpoenas of medical records, New Hampshire law preempts HIPAA on the subject.

When Does State Privacy Law Supersede HIPAA: Right of Access

The question of when state privacy law supersedes HIPAA frequently arises with state right of access deadlines. Under HIPAA, healthcare providers must act on individual requests for access within 30 calendar days after receipt of the request. If the provider cannot provide the records within that time, the provider may have up to an additional 30 calendar days, as long as it provides the individual, within that initial 30-day period, with a written statement of the reasons for the delay and the date by which it will provide the records. In New York, by contrast, providers must generally provide patients access to their records within 10 days of a written request. Since New York law gives patients greater rights over their records than HIPAA, New York law supersedes HIPAA.

State privacy laws do not always supersede HIPAA. The question of when state privacy law supersedes HIPAA may come up in the context of research. In a 2003 California court case, the California law permitted a health provider to release a patient’s medical information without the patient’s authorization for “bona fide research purposes” to public agencies, clinical investigators, and healthcare research organizations. HIPAA, however, permits the use of a patient’s health information without patient authorization for research purposes only if it is shared with an institutional review board and only when the review board provides a description of why the information is needed for research, as well as adequate written assurances that the information will not be reused. The court held that the