My state law provides greater privacy protections on patients’ HIV information than the HIPAA Privacy Rule. Is this more protective state law preempted by the Privacy Rule?
No. The Privacy Rule establishes a floor of Federal privacy protections and rights for individuals. If a provision of State law provides greater privacy protection than a provision of the Privacy Rule, and it is possible to comply with both the State law and the Privacy Rule (e.g., where a State law prohibits the disclosure of HIV status while the Privacy Rule permits such disclosure), there is no conflict between the State law and the Privacy Rule, and no preemption.
Further, even in the unusual case where a "more stringent" provision of a State law is "contrary" to a provision of the Privacy Rule – that is, it is impossible to comply with both the Privacy Rule and the State law, or the State law is an obstacle to accomplishing the full purposes and objectives of HIPAA's Administrative Simplification provisions – the Administrative Simplification Rules specifically provide an exception to preemption of State law. Thus, if a more stringent provision of State law protects HIV patient information and is contrary to the Privacy Rule, the "more stringent" State law would prevail. Because HIPAA’s Administrative Simplification Rules themselves except more stringent, contrary State law from preemption, it is neither necessary nor appropriate to request a preemption exception determination from the Department of Health and Human Services.
See 45 C.F.R. 160.202 for the definitions of "more stringent" and "contrary," and 45 C.F.R. 160.203 for the general rule and exceptions to preemption. View an unofficial version of the Privacy Rule and the preemption requirements.