FAQ 399 Does the HIPAA Privacy Rule preempt state laws?

This is guidance for the HIPAA Privacy Rule's preemption of state laws

Final

Issued by: Office for Civil Rights (OCR)

Does the HIPAA Privacy Rule preempt state laws?

Answer:

The HIPAA Privacy Rule provides a Federal floor of privacy protections for individuals' individually identifiable health information where that information is held by a covered entity or by a business associate of the covered entity. State laws that are contrary to the Privacy Rule are preempted by the Federal requirements, unless a specific exception applies. These exceptions include cases in which the State law:

  1. relates to the privacy of individually identifiable health information and provides greater privacy protections or privacy rights with respect to such information,

  2. provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention, or

  3. requires certain health plan reporting, such as for management or financial audits. In these circumstances, a covered entity is not required to comply with a contrary provision of the Privacy Rule.

In addition, the Department of Health and Human Services (HHS) may, upon specific request from a State or other entity or person, determine that a provision of State law which is "contrary" to the Federal requirements – as defined by the HIPAA Administrative Simplification Rules – and which meets certain additional criteria, will not be preempted by the Federal requirements. Thus, preemption of a contrary State law will not occur if the Secretary or designated HHS official determines, in response to a request, that one of the following criteria applies, namely that the State law:

  1. is necessary to prevent fraud and abuse related to the provision of or payment for health care,

  2. is necessary to ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation,

  3. is necessary for State reporting on health care delivery or costs,

  4. is necessary for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or

  5. has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law.

It is important to recognize that only State laws that are "contrary" to the Federal requirements are eligible for an exception determination. As defined by the Administrative Simplification Rules, "contrary" means that it would be impossible for a covered entity to comply with both the State and Federal requirements, or that the provision of State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.

See 45 C.F.R. Part 160, Subpart B, for specific requirements related to preemption of State law. View an unofficial version of the Privacy Rule and the preemption requirements (PDF).


DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.