FAQ 401 How does the HIPAA Privacy Rule reduce the potential for conflict with state laws?
This is guidance regarding the HIPAA Privacy Rule and potential conflicts with state laws.
Final
Issued by: Office for Civil Rights (OCR)
How does the HIPAA Privacy Rule reduce the potential for conflict with state laws?
Answer:
The Privacy Rule is designed to minimize conflicts between Federal requirements and those of State law in the following ways:
- The Privacy Rule establishes a floor of Federal privacy protections and individual rights with respect to individually identifiable health information held by covered entities and their business associates. Covered entities may provide greater privacy rights to individuals and greater protections on such information. In addition, covered entities may comply with State laws that provide greater protections for individually identifiable health information and greater privacy rights for individuals.
- The Privacy Rule permits a covered entity to use or disclose protected health information if a State law requires the use or disclosure. See 45 C.F.R. 164.512(a).
- The Privacy Rule permits a covered entity to disclose protected health information to a public health authority who is authorized by law to collect such information for the purposes of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions. (See 45 C.F.R. 164.512(b) for all of the public health disclosures permitted by the Privacy Rule.) Thus, State laws that provide for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation, or intervention, likely will not conflict with the Privacy Rule. In the unusual case where there is a conflict, the State law would stand. See 45 C.F.R. 160.203(c). Because the Administrative Simplification Rules themselves exempt such State laws from preemption, a request for the Department of Health and Human Services (HHS) to issue a preemption exception determination is unnecessary and inappropriate.
- The Privacy Rule permits a covered entity to disclose protected health information to a health oversight agency for oversight activities authorized by law, such as audits and licensure activities. See 45 C.F.R. 164.512(d). Thus, State laws that provide for certain health plan reporting for the purpose of management or financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals, likely will not conflict with the Privacy Rule. In the unusual case where there is a conflict, the State law would stand. See 45 C.F.R. 160.203(d). Because the Administrative Simplification Rules themselves exempt such State laws from preemption, a request for the Department of Health and Human Services (HHS) to issue a preemption exception determination is unnecessary and inappropriate.
View an unofficial version of the Privacy Rule and the preemption requirements. - PDF
HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the guidance@hhs.gov.
DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.