Practice Brief: Preemption of the HIPAA Privacy Rule

This practice brief was reviewed following the publication of the August 2002 amendments to the HIPAA privacy rule. The content remains accurate.


The HIPAA privacy rule includes numerous requirements for the use and disclosure of individually identifiable health information. In some cases, covered entities will be able to comply with both the privacy rule and their state’s laws and regulations. In other cases, covered entities will have to make a choice between the privacy rule and state laws. How can covered entities ensure they are making the lawful choice?

This practice brief will explore what the privacy rule says about preemption. In addition, it will provide readers with a framework for making lawful preemption decisions.

Legal Requirements

Covered entities must comply with both federal and state privacy laws and regulations when they can. The privacy rule preempts state law when state law is contrary to the privacy rule. According to the rule, a state law is contrary when:

  • a covered entity would find it impossible to comply with both state and federal requirements
  • adhering to state law would stand as an obstacle to achieving the full purpose of the administrative simplification portions of HIPAA

As is the case with many of the standards within the HIPAA privacy rule, there are exceptions. According to the privacy rule, state law prevails in the following four situations:

  • The state law relates to the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention
  • State law requires a health plan to report or provide access to information for the purpose of management audits, financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals
  • A determination is made by the Secretary of Health and Human Services (HHS) under §160.204. This section allows a state’s chief elected official or designee to petition for an exception from preemption when the state’s law is necessary to prevent healthcare fraud and abuse, regulate insurance and health plans, collect healthcare delivery or cost information, ensure public health, safety, or welfare, or regulate controlled substances
  • State law relates to the privacy of health information and is more stringent than privacy rule requirements

More stringent means state law meets one or more of the following six criteria:

  • State law further prohibits or restricts a use or disclosure permitted in the privacy rule. This exception does not apply, however, when the disclosure is required by the secretary of HHS to determine compliance with the rule or to the individual who is the subject of the individually identifiable health information
  • State law permits greater rights of access to or amendment by the individual who is the subject of the individually identifiable health information. This exception, however, is not intended to preempt state law that authorizes or prohibits disclosure of protected health information about a minor to a parent, guardian, or person acting in loco parentis of such minor
  • State law provides the individual who is the subject of the individually identifiable health information with more information about its use or disclosure, or about the individual’s rights or remedies with regard to that information
  • State law contains authorization or consent requirements that narrow the scope or duration, reduce the coercive effect, or increase the privacy protections (such as by expanding the criteria) afforded the individual
  • State law provides for more detailed record keeping or retention of information for a longer period
  • State law provides greater privacy protection for the individual who is the subject of the individually identifiable health information (State and federal laws providing extra confidentiality protection for AIDS/HIV information, mental health, alcohol and drug abuse, other sexually transmitted and communicable diseases, and genetic information laws will almost certainly provide greater privacy protection and therefore not be preempted)

Recommendations

Covered entities may find that the preemption decisions they need to make number in the tens or hundreds. Although they can certainly address preemption questions as the need arises, covered entities may find that decisions made by individual employees vary. As a result, application of the privacy rule may be inconsistent. Referring every preemption decision to legal counsel, however, can create difficulties meeting turnaround requirements and may prove costly.

As an alternative, covered entities may find it advantageous to work together as an alliance. For example, they might work with the state health information management association, state hospital association, and legal counsel to assess variations between federal and state privacy rules. This alliance might determine whether covered entities can adhere to both federal and state requirements, or whether they must apply either the federal or the state law.

This alliance might also determine whether an exception should be requested of the secretary or if changes in state law should be introduced. Should they decide to pursue either course, they could work together to achieve such an end.

The benefits of such an alliance would include:

  • generation of a preemption database containing considered preemption decisions
  • more consistent practice in applying state and federal privacy provisions
  • more effective efforts seeking changes in state law or exceptions through the secretary of HHS

In the absence of a preemption database, covered entities may want to create their own database using a preemption decision form as a starting point (see “Sample Preemption Decision Form”). This form could be completed and retained in a preemption database for reference by others in the organization when faced with similar questions of preemption. If the matter needs to be referred to legal counsel, the preemption decision form could be forwarded to legal counsel and a copy retained in the preemption database. On receipt of the attorney’s reply, the reply could be matched to the copy of the preemption decision form in the preemption database. Covered entities may wish to summarize preemption decisions using an electronic table accessible throughout the organization (see “Sample Preemption Decision Summary Log”).

Once you have made a preemption decision, incorporate that decision in your policies and procedures where appropriate. In addition, establish some type of ongoing monitoring process to make sure staff are aware of, and adhere to, preemption determinations.

Prepared by

Gwen Hughes, RHIA, HIM practice manager

Acknowledgments

Holly Ballam, RHIA
Jill Callahan Dennis, JD, RHIA
Michelle Dougherty, RHIA
Beth Hjort, RHIA
Mary Thomason, RHIA
Jonathan P. Tomes, JD

References

“Health Insurance Portability and Accountability Act of 1996.” Public Law 104-191. Available at www.access.gpo.gov/nara/cfr/index.html.

“Standards for the Privacy of Individually Identifiable Health Information; Final Rule.” 45 CFR Part 160. Federal Register 65, no. 250 (December 28, 2000). Available at http://aspe.hhs.gov.admnsimp/.

Tomes, Jonathan P. The Compliance Guide to HIPAA and the HHS Regulations. Overland Park, KS: Veterans Press, 2001.

Sample Preemption Decision Form

1. What is the issue you need to resolve?

2. What does the privacy rule say about the issue (include citation)?

3. What does the state law or regulation say (include citation)?

4. Can you comply with both the privacy rule and state law or regulation?

___ Yes (Implement procedures that enable you to comply with both federal and state law.)

___ No (Go to question #5)

5. In general, the privacy rule preempts state law. There are, however, four exceptions. Does your issue meet one or more of the following exceptions?

___ Relates to the reporting of disease or injury, child abuse, birth, death, or the conduct of public health surveillance, investigation, or intervention

___ Relates to the requirement that a health plan report or provide access to information for the purpose of management audits, financial audits, program monitoring, and evaluation or the licensure or certification of facilities or individuals

___ The Secretary of Health and Human Services granted an exception under Section 160.204 of the HIPAA privacy rule

___ State law or regulation is more stringent than the privacy rule. In other words, it meets one or more of the criteria below:

___ State law further prohibits a use or disclosure of information other than to the individual or secretary of HHS

___ State law permits greater rights of access to the individual who is the subject of the protected health information (Note: This is not intended to preempt other state law to the extent that it authorizes or prohibits disclosure of protected health information about a minor to a parent, guardian, or person acting in loco parentis of such minor.)

___ State law provides greater information about use, disclosure, rights, and remedies to the individual who is the subject of the individually identifiable health information

___ State law requires a narrower scope or duration, increases the privacy protections afforded (such as by expanding the criteria for), or reduces the coercive effect of the consent or authorization

___ State law provides for more detailed record keeping or retention of information for a longer period

___ State law provides greater privacy protection for the individual who is the subject of the individually identifiable health information

___ No, my issue does not meet one of the four exceptions above. (Apply federal law.)

___ Yes, I have checked one or more of the four exceptions. (Apply state law or regulation.)

6. Is the decision about whether to adhere to either or both federal and state law clear?

___ Yes. My organization must adhere to:

___ both federal and state law or regulation
___ federal law or regulation
___ state law or regulation

___ No. Refer to legal counsel.

_______________________________
Employee Name
__________________________________
Employee Title/Department

________________________________
Extension
__________________________________
Date

________________________________
Date Submitted to Legal Counsel


Subsequent Comments: (Please date and sign)


This sample form was developed by AHIMA for discussion purposes only. It should not be used without review by your organization’s legal counsel to ensure compliance with local and state laws.

Sample Preemption Decision Summary Log

The log is a table with one row per issue and the following columns (the three “Decision” columns are check boxes; check the one that applies):

  • Issue
  • HIPAA standard and citation
  • State standard and citation
  • Decision: Adhere to both federal and state laws
  • Decision: Adhere to federal law
  • Decision: Adhere to state law
  • Date
  • Preemption decision made by

This sample form was developed by AHIMA for discussion purposes only. It should not be used without review by your organization’s legal counsel to ensure compliance with local and state laws.


Article citation:
Hughes, Gwen. "Preemption of the HIPAA Privacy Rule (AHIMA Practice Brief)." Journal of AHIMA 73, no.2 (2002): 56A-C.