Generally, HIPAA Takes Precedence

Article excerpt

BALTIMORE -- With the HIPAA privacy compliance deadline in the past, health care providers are now turning their attention to whether their state laws preempt provisions of the regulation, according to analysts who attended a meeting sponsored by the health care education company Train for HIPAA.

When drafting HIPAA regulations, policy makers noted that all the states already have statutes on health care issues, so HIPAA preempts all contrary state law except in four cases, said Katherine M. Keefe, a partner at the law firm Reed Smith LLP.

The exceptions are for state reporting laws, health plan reporting and information, specific exemptions determined by the HHS secretary, and when state health privacy provisions are more stringent.

"HIPAA sets a floor of privacy," Ms. Keefe said, but the states can regulate above that floor.

"More stringent" state law provisions are those that prohibit or restrict disclosure, permit greater access or amendment rights, require tighter consents or authorizations, require longer or more detailed accountings of disclosures, and provide more privacy protection, she said.

But state laws don't just include statutes, Ms. Keefe said, they also include statements in the state constitution, regulations, rules, common law, and other state actions that have the force and effect of laws.

"Every subrequirement within a state's regulatory scheme has to be parsed through," Ms. Keefe said, and matched to HIPAA.

The notice of privacy practices must reflect more stringent state laws, and the privacy policies and procedures need to include compliance with all relevant laws and regulations, including appropriate state laws, Ms. …