Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

  • About HHS
  • Programs & Services
  • Grants & Contracts
  • Laws & Regulations
  • Radical Transparency
  • Big Wins
  • HIPAA for Individuals
  • Filing a Complaint
  • HIPAA for Professionals
  • Newsroom
Breadcrumb
  1. HHS
  2. HIPAA Home
  3. For Professionals
  4. FAQ
  5. 464-Must a covered entity revise the whole notice every time one state law materially changes
  • Authorizations (30)
  • Business Associates (41)
  • Compliance Dates (2)
  • Covered Entities (14)
  • Decedents (9)
  • Disclosures for Law Enforcement Purposes (5)
  • Disclosures for Rule Enforcement (1)
  • Disclosures in Emergency Situations (2)
  • Disclosures Required by Law (6)
  • Disclosures to Family and Friends (28)
  • Disposal of Protected Health Information (6)
  • Facility Directories (7)
  • Family Medical History Information (3)
  • FERPA and HIPAA (10)
  • Group Health Plans (3)
  • Incidental Uses and Disclosures (10)
  • Judicial and Administrative Proceedings (8)
  • Minimum Necessary (14)
  • Notice of Privacy Practice (20)
  • Preemption of State Law (10)
  • Privacy Rule: General Topics (12)
  • Protected Health Information (2)
  • Public Health Uses and Disclosures (13)
  • Research Uses and Disclosures (20)
  • Right to an Accounting of Disclosures (8)
  • Right to File a Complaint (1)
  • Right to Request a Restriction (4)
  • Safeguards (13)
  • Security Rule (24)
  • Smaller Providers and Businesses (145)
  • Student Immunizations (8)
  • Transition Provisions (3)
  • Treatment, Payment, and Health Care Operations Disclosures (30)
  • Workers Compensation Disclosures (5)
  • Limited Data Set (6)
  • Marketing (17)
  • Marketing - Refill Reminders (16)
  • Personal Representatives and Minors (12)
  • Right to Access and Research (58)
  • Mental Health (35)
  • Health Information Technology (41)
  • Telehealth (11)

Must a covered entity with a Notice of Privacy Practices that reflects more stringent state laws of multiple states, revise the whole Notice every time one state law materially changes?

Answer:

The Privacy Rule requires the Notice of Privacy Practices (Notice) to identify, among other things, what uses and disclosures the covered entity may make of protected health information. The Notice must reflect any State law(s) that is more stringent than the Privacy Rule with respect to the use or disclosure of this information. Where the covered entity is subject to the privacy laws of multiple States, the more stringent use and disclosure laws of each of the States, if any, must be reflected in the Notice. See 45 CFR 164.520(b)(1)(ii)(C).

When there is a material revision to the Notice based on a change in State law, covered entities must use the revised Notice to meet the Rule’s requirements for distribution of the Notice that occur on or after the effective date of the revised Notice. See, generally, §§164.520(c)(1)-(3). In particular, a health plan must provide individuals (in most cases, the named insured) then covered by the plan with the revised Notice within 60 days of the revision. See §164.520(c)(1)(i)(C).

The Notice requirements are intended to ensure that individuals are fairly informed about how a covered entity may use or disclose their personal health information, including important limitations imposed by State law. Although a covered entity can describe more stringent State privacy laws in the uses and disclosures section of its Notice, this may be more confusing than informative to the individual, particularly where multiple and varying State laws may be applicable. There are other ways a covered entity can design its Notice that may make this information easier for the individual to read and understand, as well as to facilitate the covered entity’s ability to keep the information current and accurate. For instance, a general statement could be included in the uses and disclosures section of the Notice that clearly identifies and refers the reader to a separate section of the Notice which describes the more stringent State privacy law(s) and more fully informs the reader about how protected health information may be used and disclosed. Thus, when more stringent State privacy laws materially change the covered entity’s privacy practices, the covered entity would need to revise only the section of the Notice that contains the State law specific information.

Having a separable section on more stringent State laws can also facilitate distribution of the revised Notice when material changes occur in this section of the Notice. The revised State law section, if on a separate page, may be more readily inserted in or associated with existing Notices in place of the out-dated material.

Date Created: 08/25/2003
Content created by Office for Civil Rights (OCR)
Content last reviewed January 9, 2023
Back to top

Subscribe to Email Updates

Receive the latest updates from the Secretary and Press Releases.

Subscribe
  • Contact HHS
  • Careers
  • HHS FAQs
  • Nondiscrimination Notice
  • Press Room
  • HHS Archive
  • Accessibility Statement
  • Privacy Policy
  • Budget/Performance
  • Inspector General
  • Web Site Disclaimers
  • EEO/No Fear Act
  • FOIA
  • The White House
  • USA.gov
  • Vulnerability Disclosure Policy
HHS Logo

HHS Headquarters

200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free Call Center: 1-877-696-6775​

Follow HHS

Follow Secretary Kennedy