HIPAA is a federal law that protects sensitive patient health information. However, there are instances where state or federal law regulations can take precedence over HIPAA.
State laws can preempt HIPAA if they are more stringent than HIPAA requirements. For example, California's Confidentiality of Medical Information Act is considered more protective than HIPAA, allowing patients to opt out of data sharing.
Federal laws can also preempt HIPAA, particularly those related to national security and law enforcement. The USA PATRIOT Act, for instance, allows the Department of Justice to access protected health information without patient consent in certain situations.
HIPAA Preemption Basics
HIPAA preemption basics are essential to understand the relationship between state and federal laws and HIPAA regulations. A state law is "contrary" to the HIPAA Privacy Rule if it's impossible for a covered entity to comply with both the state law and the HIPAA Privacy Rule.
This can happen when a state law prohibits the disclosure of protected health information (PHI) to an individual who is the subject of the information, while the HIPAA Privacy Rule requires disclosure in certain circumstances. If a covered entity discloses the information under HIPAA, it fails to comply with the state law, and vice versa.
A state law is also "contrary" to the HIPAA Privacy Rule if it's an obstacle to accomplishing the full purposes and objectives of HIPAA's administrative simplification provisions. These provisions aim to protect the privacy of individuals' PHI while allowing them to receive and review their own health records.
To determine if a state law is "contrary", consider whether a covered entity can comply with both the state law and HIPAA. If not, the state law is likely "contrary" and subject to HIPAA preemption.
Here's a summary of the key factors that determine if a state law is "contrary" to the HIPAA Privacy Rule:
If a state law meets one of these factors, it's likely "contrary" to the HIPAA Privacy Rule and subject to preemption. However, there are exceptions to this rule, which we'll explore in the next section.
Exceptions to HIPAA Preemption
There are several exceptions to HIPAA preemption, which means that state laws can sometimes take precedence over federal HIPAA regulations.
One exception is when a state law provides greater privacy protections or rights than the HIPAA Privacy Rule does. This is known as the "privacy floor" set by HIPAA, and states can choose to provide more robust protections if they want to.
If a state law relates to the privacy of PHI and provides greater protections, it is not subject to HIPAA preemption. This means that states can create laws that go beyond what HIPAA requires, as long as they don't contradict the federal rule.
There are also exceptions for state laws that require certain health plan reporting, such as for management or financial audits. States have the authority to regulate insurance companies and require health plans to conduct and report the findings of financial audits.
Additionally, the Department of Health and Human Services (HHS) may determine that a provision of state law that is contrary to the HIPAA regulations will not be preempted, if the state law meets certain criteria. These criteria include preventing fraud and abuse related to healthcare, ensuring state regulation of insurance and health plans, or serving a compelling public health, safety, or welfare need.
Here are the specific criteria that HHS considers when evaluating requests for exception determinations:
- Necessary to prevent fraud and abuse related to the provision of or payment for health care
- Necessary to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation
- Necessary for state reporting on health care delivery or costs
- Necessary for purposes of serving a compelling public health, safety, or welfare need
- Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of controlled substances
A state law is not considered "contrary" to the HIPAA Privacy Rule if it is impossible for a covered entity to comply with both the state law and the HIPAA Privacy Rule. For example, if a state law prohibits the disclosure of PHI to an individual, but the HIPAA Privacy Rule requires disclosure in certain circumstances, the state law would be considered contrary to the HIPAA Privacy Rule and would be preempted.
Preemption Process
A state law is preempted by HIPAA if it's impossible for a covered entity to comply with both the state law and the HIPAA Privacy Rule. This is known as a "contrary" law.
For example, a state law that prohibits the disclosure of protected health information (PHI) to an individual who is the subject of the information may be contrary to the HIPAA Privacy Rule. The HIPAA Privacy Rule requires the disclosure of protected health information to an individual in certain circumstances.
A covered entity can't comply with both laws because disclosing the information would violate the state law, while not disclosing it would violate the HIPAA Privacy Rule. This creates a logical contradiction that makes the state law preempted.
Duration of Effectiveness
An exception granted under this process remains in effect until a change occurs in the State law or federal standard that provided the basis for the exception.
The exception can be revoked by the Secretary if it's determined that the ground supporting the need for the exception no longer exists.
Either a material change in the State law or federal standard, or a decision by the Secretary, can end the effectiveness of an exception.
The Secretary's decision to revoke an exception is based on a determination that the ground supporting the need for the exception is no longer valid.
If the basis for an exception is materially changed, the exception will cease to be effective.
Subpart B—Preemption
A state law is considered "contrary" to the HIPAA Privacy Rule if it's impossible for a covered entity to comply with both the state law and the HIPAA Privacy Rule.
This can happen when a state law prohibits the disclosure of protected health information (PHI) to an individual who is the subject of the information, which contradicts the HIPAA Privacy Rule's requirement to disclose PHI to individuals in certain circumstances.
The state law is contrary to the HIPAA Privacy Rule because it's a logistical impossibility for the covered entity to comply with both laws. If the covered entity discloses the information to the individual under the HIPAA Privacy Rule, they've failed to comply with the state law. If they follow the state law and don't disclose the information, they've failed to comply with the HIPAA Privacy Rule.
There are three exceptions to the general rule that the HIPAA Privacy Rule preempts contrary state laws. These exceptions include:
In the case of the appeals court ruling, the court stated that allowing state law claims in this context would not result in contradiction of HIPAA. The court noted that additional state law remedies encourage compliance with HIPAA by providing further means for patients to recover for harms suffered due to non-compliance with HIPAA.
Preemption and Lawsuits
Preemption can be a complex issue in HIPAA, but it's essential to understand how it applies to lawsuits. A state law is considered "contrary" to the HIPAA Privacy Rule and therefore subject to preemption if it's impossible for a covered entity to comply with both the state law and HIPAA.
In such cases, the state law is preempted because it contradicts the HIPAA Privacy Rule. For example, a state law that prohibits the disclosure of protected health information (PHI) to an individual who is the subject of the information may be contrary to the HIPAA Privacy Rule, which requires the disclosure of PHI to an individual in certain circumstances.
The appeals court has also weighed in on preemption in the context of lawsuits. The court ruled that HIPAA does not preempt state negligence law, even if the negligence claim does not arise under HIPAA. The court reasoned that allowing state law claims would not result in contradiction of HIPAA.
HIPAA's requirements can inform the standard of care in state law negligence actions. This means that even if HIPAA doesn't apply directly to a lawsuit, it can still influence the outcome.
Introduction and Background
HIPAA, the Health Insurance Portability and Accountability Act, is a federal law that protects sensitive patient health information. It's a crucial regulation in the healthcare industry.
HIPAA was enacted in 1996 to improve the efficiency and effectiveness of the healthcare system, while also reducing healthcare costs. The law was a response to the rising costs of healthcare and the need for more efficient data management.
HIPAA's preemption rules are complex and can be confusing, especially for healthcare providers and organizations that deal with sensitive patient information. Federal law preempts state law in areas where the federal law specifically addresses a particular issue.
For example, the Genetic Information Nondiscrimination Act (GINA) of 2008 prohibits health plans from discriminating against individuals based on genetic information.
Sources
- https://privacyruleandresearch.nih.gov/pr_05.asp
- https://compliancy-group.com/hipaa-privacy-rule/
- https://compliancy-group.com/hipaa-preemption-of-state-law/
- https://www.law.utah.edu/news-articles/does-hipaa-preempt-state-law-claims-related-to-privacy-of-individually-identifiable-health-information/
- https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-B
Featured Images: pexels.com
