U.S. Department of Health and Human Services
Health Information Technology and Quality


How does HIPAA impact state laws on privacy and security of health records?

The HIPAA Privacy Rule preempts State privacy laws that are contrary to the Privacy Rule. This means that the Federal HIPAA Privacy Rule will be applied instead of the State privacy laws. There are a few instances, however, where exceptions will be made if the State law:

  • Is necessary to prevent fraud and abuse related to the provision of or payment for health care,
  • Is necessary to ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation,
  • Is necessary for State reporting on health care delivery or costs,
  • Is necessary for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or
  • Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law.

Furthermore, the HIPAA Privacy Rule will not preempt the State law if it provides greater protection of PHI than the Privacy Rule.

Unlike the Privacy Rule, it is unlikely that any State laws would preempt the HIPAA Security Rule. According to A Guide to HIPAA Security and the Law, a guide published by the American Bar Association, this is because there are very few State laws that cover security issues and because the Security Rule does allow for preemption of State laws that are more "stringent" than the rule itself. Under both the Privacy and Security Rules, however, there is flexibility for covered entities to apply the rules in a manner that is reasonable and appropriate.


A Guide to HIPAA Security and the Law - Published by the American Bar Association (2007) as a reference between law and information security practices.

Developed by the Health Resources and Services Administration as a resource for health centers and other safety net and ambulatory care providers who are seeking to implement health IT.