State pre-emption

June 4, 2004

I've been told that laws in my state that are less strict than the federal privacy rule are pre-empted by it. Is this right?

Q:I've been told that laws in my state that are less strict than the federal privacy rule are pre-empted by it. Is this right?

A: Yes. Generally speaking, HIPAA sets a minimum privacy standard for all states. Where this standard exceeds the standard set by the state, you must obey HIPAA. If, on the other hand, your state requires more than the minimum standard set by HIPAA, you're required to obey both your state law and the federal privacy rule. For instance, let's say your state requires that requests for release of HIV information contain very specific and highly protective language relating to safeguards, patient confidentiality, and the like. In such cases, authorizations for release of information must contain the precise state language, as well as the less restrictive federal language.