FAQ 403 How do I know if a state law is "more stringent" than the HIPAA Privacy Rule?
This is guidance regarding the HIPAA Privacy Rule and more stringent state laws
Final
Issued by: Office for Civil Rights (OCR)
How do I know if a state law is "more stringent" than the HIPAA Privacy Rule?
Answer:
In general, a State law is "more stringent" than the HIPAA Privacy Rule if it relates to the privacy of individually identifiable health information and provides greater privacy protections for individuals' identifiable health information, or greater rights to individuals with respect to that information, than the Privacy Rule does. See the definition of "more stringent" at 45 C.F.R. 160.202 for the specific criteria. For example, a State law that provides individuals with a right to inspect and obtain a copy of their medical records in a more timely manner than the Privacy Rule is "more stringent" than the Privacy Rule.
In the unusual case where a more stringent provision of State law is contrary to a provision of the Privacy Rule, the Privacy Rule provides an exception to preemption for the more stringent provision of State law, and the State law prevails. Where the more stringent State law and Privacy Rule are not contrary, covered entities must comply with both laws.
See 45 C.F.R. Part 160, Subpart B, for specific requirements related to preemption of State law. View an unofficial version of the Privacy Rule and the preemption requirements (PDF).
DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.