FAQ 405 My state law provides greater privacy protections on patients’ HIV information than the HIPAA Privacy Rule. Is this more protective state law preempted by the Privacy Rule?

This is guidance on state law preemption regarding patient HIV information.

Final

Issued by: Office for Civil Rights (OCR)

Answer:

No. The Privacy Rule establishes a floor of Federal privacy protections and rights for individuals. If a provision of State law provides greater privacy protection than a provision of the Privacy Rule, and it is possible to comply with both the State law and the Privacy Rule (e.g., where a State law prohibits the disclosure of HIV status while the Privacy Rule permits such disclosure), there is no conflict between the State law and the Privacy Rule, and no preemption.

Further, even in the unusual case where a "more stringent" provision of a State law is "contrary" to a provision of the Privacy Rule – that is, it is impossible to comply with both the Privacy Rule and the State law, or the State law is an obstacle to accomplishing the full purposes and objectives of HIPAA's Administrative Simplification provisions – the Administrative Simplification Rules specifically provide an exception to preemption of State law. Thus, if a more stringent provision of State law protects HIV patient information and is contrary to the Privacy Rule, the "more stringent" State law would prevail. Because HIPAA’s Administrative Simplification Rules themselves except more stringent, contrary State law from preemption, it is neither necessary nor appropriate to request a preemption exception determination from the Department of Health and Human Services.

See 45 C.F.R. 160.202 for the definitions of "more stringent" and "contrary," and 45 C.F.R. 160.203 for the general rule and exceptions to preemption. View an unofficial version of the Privacy Rule and the preemption requirements (PDF).

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.