HIPAA v. State Laws

NOTICE: This post is NOT legal advice nor may it be construed to be legal advice or opinion. You need to consult an attorney in your state for assistance.

What is HIPAA? The U.S. Health Insurance Portability and Accountability Act of 1996 was enacted by the 104th United States Congress and signed by President Bill Clinton in 1996.

There are strong rules and laws that govern how individuals’ health information is handled. Some of these are covered under the Health Insurance Portability and Accountability Act, better known as HIPAA. Some are established at the state level, whether through a law that pre-dates HIPAA or a later one that strengthens patient rights. To understand which cover your organization, you’ll need to understand both your state laws and how they interact with the law at the federal level.

HIPAA v State Law

In general, when a state law and a federal law conflict, the federal law provides an important guideline. HIPAA sets a federal floor for privacy protections for individuals. No state, commonwealth, territory, or protectorate may provide weaker protection for an individual than HIPAA. This is covered under a concept known as “preemption,” which is spelled out in HIPAA’s privacy rules.

The key sections are §160.201, §160.202, §160.203, §160.204 and §160.205. This is dense language that describes where the HIPAA rules preempt state law, as well as, in general, where state law applies in addition to the HIPAA rules. If you have specific questions regarding conflicts between state and federal law, then the only real option is advice of counsel.

  • With respect to the HIPAA Security Rule, we refer to the principle that underpins our approach as "Implement the necessary safeguards" and with respect to the HIPAA Privacy Rule as "Do the right thing."

State v Federal Law Regarding HIPAA

However, there are many exceptions. When a state’s law is more stringent than the law at the federal level, the state law is supreme. Some examples of more stringent laws can include:

  • stronger limits on provider disclosure of health information.
  • laws that allow individuals greater access to their personal health data.
  • laws that increase the minimum time period that a provider must retain medical records.


Additionally, state laws prevail in cases where there are compelling needs that are related to public health, safety or welfare.

State law also prevails in cases where the law provides for reporting on public welfare issues, such as child abuse, reporting death or injury, or for the purposes of public health investigation, surveillance or intervention. In these cases, a state law that is less stringent than HIPAA may be allowed to prevail over HIPAA’s stronger individual standard of privacy.

Examples of States with More Stringent Laws

Each locality is different and it is important to familiarize yourself with the laws where your organization does business. A few examples of laws where HIPAA is not the strongest rule of the land:

State of New York

In New York, patients are given wide access to their medical records. Providers must provide patients access to their records within 10 days of a written request, which is consistent with federal HIPAA protections. However, New York’s law also states that healthcare providers may deny clinician observation and notes to patients. This is an area where HIPAA does not have a clear and concise rule.

State of California

In California, patients may bring legal actions for violation of state law under the California Confidentiality of Medical Information Act. This state law provides for both compensatory and disciplinary damages for patients. HIPAA provides no such provision, so the laws of the State of California prevail.

State of Illinois

In Illinois, there are patient access laws that allow individuals to file civil suits for equitable relief.

Understanding both the applicable state laws as well as HIPAA is vital if you are going to stay in compliance. We work with medical companies all over the country to help them understand their commitments and the ways they can stay on top of what is expected.

Other Areas with Potential Conflicts

Both HIPAA and state laws are constantly evolving. Because of this, HIPAA can potentially conflict with state law on any number of topics. There are, however, a few areas that are more likely to generate conflicts than others.

One big one is the allowable use and disclosure of protected health information (PHI). Many of the rules in HIPAA focus on what information is PHI and what an organization is and is not allowed to do with that data. A disclosure of PHI that is permitted under HIPAA may be forbidden by your specific state. If you are potentially disclosing data, make sure that it is allowed under both HIPAA and your state’s laws.

Another area ripe for conflict is patient rights. If your state law gives patients a greater degree of access than federal law, state law will supersede federal law.

You may also find conflicts when it comes to specific spans of time. For instance, your state may require that records be kept longer or that access be provided more quickly. You may also have more stringent deadlines for reporting breaches of protected information under your state’s law. California, for instance, requires that a PHI breach be reported within 15 days. Under HIPAA, organizations have up to 60 days; thus, California law supersedes federal law.

Be sure to consult with your legal representation for help!
