How does HIPAA impact state laws on privacy and security of health records?
The HIPAA Privacy Rule preempts State privacy laws that are contrary to the privacy rule. This means that the Federal HIPAA Privacy Rule will be applied instead of the state privacy laws. There are a few instances, however, where exceptions will be made if the State law:
Furthermore, the HIPAA Privacy Rule will not preempt the State law if it provides greater protection of PHI than the privacy rule.
Unlike the Privacy Rule, it is unlikely that any State laws would preempt the HIPAA Security Rule. According to the guide published by the American Bar Association entitled A Guide to HIPAA Security and the Law, this is because there are very few State laws that cover security issues and because the Security Rule does allow for preemption of State laws that are more "stringent" than the rule itself. Under both the Privacy and Security Rules, however, there is flexibility for covered entities to apply the rules in a manner that is reasonable and appropriate.
Resources:
A Guide to HIPAA Security and the Law - Published by the American Bar Association (2007) as a reference bridging law and information security practices.