FAQ 553 Does the HIPAA Privacy Rule inhibit electronic health information exchange across different states or jurisdictions?
This is an FAQ for regulated entities and stakeholders.
Issued by: Office for Civil Rights (OCR)
Does the HIPAA Privacy Rule inhibit electronic health information exchange across different states or jurisdictions?
No. The Privacy Rule establishes a federal baseline of privacy protections and rights, which applies to covered entities consistently across state borders. The Privacy Rule, however, as required by HIPAA, does not preempt State laws that provide greater privacy protections and rights. Thus, as with covered entities that conduct business today on paper in a multi-jurisdictional environment, covered entities participating in electronic health information exchange need to be cognizant of States with more stringent privacy laws that will affect the exchange of electronic health information across State lines. In addition, other Federal laws also may apply more stringent or different requirements to such exchanges depending on the circumstances. Covered entities and health information organizations (acting as their business associates) which participate in multi-jurisdictional electronic health information exchange should establish privacy policies for the network that accommodate these variances.
HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the email@example.com.
DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.