State privacy law supersedes HIPAA when it has more stringent privacy protections or more patient rights than HIPAA, when a state law permits disclosures of PHI for public health surveillance, investigation, or intervention, or when disclosures are required by a state to audit, evaluate, or certify facilities or individuals. Because it may be a single provision of a state law that supersedes a single provision of HIPAA – not the whole law – it is important to understand when these exceptions to HIPAA exist.
There are many examples of when state privacy law supersedes HIPAA. However, some state privacy laws exempt HIPAA covered entities from complying with them, while others apply across state boundaries to HIPAA covered entities throughout the country.
Additionally, in some jurisdictions, only one or two provisions of state privacy law supersede HIPAA; while, in others, multiple provisions of more than one state privacy law supersede HIPAA. Furthermore, the regulatory landscape is constantly changing.
This article focuses on a limited cross-section of state privacy laws to demonstrate what covered entities need to be aware of when developing policies and procedures and training members of the workforce on the policies and procedures.
What HIPAA Says about State Privacy Laws
Prior to the passage of HIPAA, many states already had privacy laws. Because of an imbalance between existing laws, HIPAA provided a federal floor of privacy protections – preempting state privacy laws that offered less privacy protections or patient rights.
Acknowledging that some states had privacy laws with more stringent privacy protections or greater patient rights, Subpart B of the HIPAA General Provisions (§160.203) allows a provision of state law to supersede HIPAA in the following circumstances:
- The provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 [the Privacy Rule].
- The provision of State law, including State procedures established under such law, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.
- The provision of State law requires a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals.
State Privacy Laws that Exempt HIPAA Covered Entities
A number of state privacy laws have HIPAA-related exemptions, but it is important to understand exactly how the exemptions apply. For example, in Virginia, §59.1-576 of the Consumer Data Protection Act exempts HIPAA covered entities and business associates regardless of the nature of data created, collected, maintained, or transmitted.
However, in California, only HIPAA covered entities are exempted from complying with the California Privacy Rights Act (§1798.145(c)). Business associates are exempted with regards to the collection of data that meets the definition of Protected Health Information, but not for any other data that might be created, collected, maintained, or transmitted.
Additionally, it was mentioned previously that the regulatory landscape is constantly changing. At the time of publication, a court case is being heard in Illinois that will determine if the exemption for HIPAA Covered Entities from compliance with the Biometrics Information Privacy Act applies to members of the workforce in their roles as members of the workforce.
State Privacy Laws that Apply Across State Boundaries
Most state privacy laws apply to data collected about individuals who are a resident of the state regardless of where the individual is at the time data is created, collected, maintained, or transmitted. However, most state privacy laws only apply to organizations located within the state, so rarely impact organizations operating in neighboring states.
A notable exception to this “rule of thumb” is the Chapter of the Texas Health and Safety Code relating to Medical Records Privacy (Chapter 181). Chapter 181 applies to all individuals and organizations that assemble, collect, analyze, use, evaluate, store, or transmit the PHI of a Texas resident regardless of where the individual or organization is located.
Furthermore, Chapter 181 applies to individuals and organizations that may not qualify as HIPAA covered entities or business associates – for example, sports teams, website owners, and IT service providers. This may matter to HIPAA covered entities with regards to who they share data with as business associates or with the authorization of the subject of the PHI.
When One or Two Provisions of State Privacy Law Supersede HIPAA
An issue that can cause confusion is the language used to explain when state privacy laws supersede HIPAA. For example, many resources use language similar to “HIPAA applies unless a state privacy law offers more stringent privacy protections or greater individual rights”. This could be interpreted as the whole state privacy law applies rather than individual provisions.
It is important to emphasis that, when one or two provisions of state privacy law supersede HIPAA, it is just those one or two provisions of state privacy law – or parts thereof – that supersede HIPAA, not the whole law. For example, the requirement in Oregon to store coded genetic data in password protected files applies only to coded genetic data, not all data.
A further issue is when state breach notifications are required quicker and/or to more agencies than required by the HIPAA Breach Notification Rule. For example, notifications of data breaches are required within 30 days in Colorado and Florida; while, in New York, breaches must be notified to the State Attorney General, NY Department of State, and NY State Police.
When Provisions of More than One State Privacy Law Supersede HIPAA
New York provides a good example of when provisions of more than one state privacy law supersede HIPAA. The state of New York has numerous laws that can impact HIPAA covered entities and businesses associates including (but not limited to) the SHIELD Act, the Mental Hygiene Act, and Article 27-F of New York’s Public Health Law relating to HIV testing and patient confidentiality.
In theory, provisions of all three state laws could impact the treatment provided to an individual and how the treatment records are safeguarded due to all three state laws having (some) more stringent privacy protections than HIPAA and greater patient rights. Of particular relevance is how these three laws can supersede HIPAA regarding how the Privacy Rule applies to minors.
The state of New York currently has two further privacy laws passing through the legislature – the New York Privacy Act and the It’s Your Data Act. Both these Acts include provisions that could potentially supersede HIPAA – notwithstanding that, if a covered entity in New York collects data relating to a resident of Texas, the Texas Health and Safety Code also applies.
Conclusion – The Importance of Knowing Which Laws Apply to Whom
It was mentioned in the introduction to this article that when does state privacy law supersede HIPAA is a complicated question to answer. Nonetheless, it is important for covered entities to know when provisions of state privacy law supersede HIPAA to avoid penalties for non-compliance or for the delayed notification of data breaches.
Additionally, it is important to know when local laws can further impact HIPAA compliance. For example, in the city of New York, the local government has passed a Biometric Identifier Information Law which may or may not be applied to HIPAA covered entities depending on the outcome of the previously mentioned court case in Illinois.
Consequently, if your organization is not fully aware of which laws apply to your operations, it is important you seek professional compliance advice – not only so your organization operates in compliance with HIPAA and state privacy laws, but also that your workforce is trained in which provisions of state privacy law supersede HIPAA.