Preemption Analysis Under HIPAA: Proceed with Caution

by Joy Pritts, JD

April 14, 2003, might mark the beginning of HIPAA compliance, but it does not signify the end of state health privacy laws. HIPAA does not preempt (supersede) state laws that either don’t conflict with HIPAA or are more stringent than the federal regulation. Figuring out which state laws remain in place after HIPAA and how to comply with both sets of laws can present a real challenge.

Preemption Under HIPAA

The interaction between state law and HIPAA is complicated. In general, HIPAA preempts state law that is “contrary” to the federal rule. A provision of state law is contrary to HIPAA if:

  • a covered entity would find it impossible to comply with both the state and federal law provisions
  • the provision of state law would be an obstacle to the accomplishment and execution of the goals of HIPAA

Of course, there are a number of exceptions to this general rule. First, HIPAA does not preempt most state laws that relate to public health. HIPAA also preserves certain state laws related to the oversight of health plans. Finally, a contrary state law provision is not preempted if it relates to the privacy of individually identifiable health information and is “more stringent” than HIPAA. (For a list of when a law is considered more stringent than HIPAA, see below.)

Determining whether a state law is “contrary” to or is “more stringent” than HIPAA is complicated by the fact that the analysis must be done on a provision-by-provision basis. This approach requires a line-by-line (and sometimes a clause-by-clause) comparison. It’s easy to see how undertaking a preemption analysis can be a time-consuming and expensive process. But there are a number of ways to make the process easier.

The Easy Route

Perhaps the easiest way to obtain a preemption analysis is to purchase one. In a few states, the state provider or hospital associations have commissioned preemption studies and made them available to members, and in some cases, the general public. These studies are generally focused on preemption as it affects a particular type of provider (such as hospitals) in the association’s state. The price for these studies varies widely, with most in the range of a few hundred dollars.

A few state or local bar associations offer similar products. While limited to a particular state, a bar association’s analysis generally encompasses a broader range of covered entities. These studies generally cost under $500 and are probably geared towards lawyers.

There is also a national coalition that has commissioned a “global” preemption analysis intended to cover a multitude of covered entities. A single state’s analysis will run $5,000–$10,000, depending on the complexity of the state’s laws.

Most of these studies are available for purchase through the Web sites of the sponsoring organizations. However, most of the sites do not include a sample of their preemption analysis. This makes it difficult to determine whether purchasing the study would be worthwhile. These methods should be reviewed by your organization to see which fits, financially and otherwise.

If you buy a preemption analysis, you should consider it as one of your first steps in the preemption analysis process. Because all of these products warn that they are not providing legal advice, your legal counsel should review the study for accuracy. Furthermore, because there is no uniform approach to conducting a preemption analysis, you need to reconcile the approach of the preemption analysis (strict or practical) with the philosophy of your organization.

You should also recognize a preemption analysis for what it is: a comparison of laws. It does not factor in ethical obligations or professional judgment. You will need to supply those yourself. While prepared preemption analyses may not be the answer to all your problems, they may save time and money compared to undertaking the analysis from scratch.

The Harder Route

You always have the option of undertaking a preemption analysis yourself. Because this is a time-consuming and difficult task, it is imperative that it be undertaken by someone who is well versed in both HIPAA and relevant state laws. You may want to form a coalition of similarly situated healthcare organizations in your area and divide the preemption analysis among the members of the coalition. There are benefits and drawbacks to this approach. The work is more likely to be completed on time, but you may lose some quality control.

As for the work itself, there are countless ways of doing a preemption analysis, which is essentially comparing provisions of HIPAA with provisions of state law. To focus on the needs of your organization, you may want to take a bottom-up approach and start with your organization’s existing handbooks, manuals, and guidelines on the disclosure of health information. These existing materials will highlight the areas of law that are most relevant to your organization and may also identify the source of the state confidentiality requirements.

Once you have identified relevant state laws (statutes, regulations, and case law) you might want to use a side-by-side chart to compare them to provisions in HIPAA. List the HIPAA requirements in one column and the comparable (if any) state requirements in a column alongside the HIPAA provision. The final column on the right lists the outcome of the comparison. You can see an example of a preemption analysis chart on the Web site of the North Carolina Healthcare Information and Communications Alliance at: Hipaasort.pdf.

Decide your analytical approach. Are you going to interpret HIPAA strictly or in a practical fashion? Make sure your approach is consistent with the philosophy of your organization. For each provision, ask yourself:

  • Does the state law fall within one of the carve-outs for public health? If so, the state law is not preempted.
  • Can I comply with both state law and HIPAA? The answer will often be yes. Remember that with respect to disclosures, HIPAA is usually permissive, not mandatory. For example, if a state law requires a covered entity to report a disease, the state law would not be preempted because HIPAA permits disclosures “required by law.”
  • How can I comply with both? In many cases, complying with the stronger standard will allow you to comply with both state law and HIPAA. For example, if state law gives a provider 10 days to respond to a patient’s request for a copy of his medical records, and HIPAA allows 30 days, you can comply with both state and federal law by responding within 10 days.

Figuring out which state laws remain in effect and which are preempted by HIPAA is a time-consuming and difficult process. But it is doable with enough time and effort.

What Is More Stringent?

A state law is “more stringent” than HIPAA when the state law:

  • gives a person greater rights to see, copy, or amend his or her own health information
  • prohibits or restricts a disclosure that would be allowed under HIPAA
  • narrows the scope or duration of an authorization, reduces the coercive effect of the circumstances surrounding an authorization, or increases the privacy protections afforded by authorization
  • requires more detailed record keeping for a longer duration
  • provides greater privacy protection for the person who is the subject of the individually identifiable health information

Joy Pritts, JD, is an assistant research professor at Georgetown University’s Institute for Health Care Research and Policy. She can be contacted at (202) 687-0880 or via e-mail at

Article citation:
Pritts, Joy. "Preemption Analysis Under HIPAA-Proceed with Caution." In Confidence 11:4 (April 2003), [extended online version].