HIPAA's preemption provision (45 CFR Part 160, Subpart B) addresses the relationship between HIPAA and state law. HIPAA preempts a state law that is "contrary" to the Privacy Rule, meaning a covered entity cannot comply with both the state law and HIPAA at the same time, or the state law stands as an obstacle to HIPAA's purposes. That preemption is not absolute: a contrary state law is preempted only if no exception applies. If the state law is more stringent (it offers greater privacy protection or stronger individual rights), or it serves specified public health or regulatory purposes, it is not preempted and the covered entity must follow both, which in practice means the stricter requirement controls.
When State Law Preempts HIPAA
- If a state law is contrary to HIPAA, so that complying with it makes compliance with HIPAA impossible (for example, the state law prohibits a disclosure of protected health information that HIPAA requires, such as disclosure to the individual on request), the state law is preempted and HIPAA governs.
- The U.S. Constitution's Supremacy Clause establishes that federal law generally takes precedence over conflicting state laws.
Exceptions to Preemption
- State laws that provide more stringent privacy protections or privacy rights regarding protected health information are not preempted and can offer a higher standard than HIPAA.
- State laws relating to public health reporting (e.g., disease, child abuse reporting) or health plan reporting for audits typically coexist with HIPAA.
- The Secretary of Health and Human Services (HHS) can determine that a contrary state law is excepted from preemption when the law is necessary to prevent fraud and abuse, to ensure appropriate state regulation of insurance and health plans, to support state reporting on health care delivery or costs, or to serve a compelling public health, safety or welfare need, or when its principal purpose is regulating controlled substances.
- HIPAA does not preempt state common-law privacy claims related to breaches, allowing for state tort claims.
In summary, HIPAA preempts a state law when the two are contrary, so that dual compliance is impossible, and the state law does not provide greater privacy protection or fall within one of the public health, regulatory or HHS-determined exceptions. Otherwise, state laws that strengthen privacy or serve public health oversight stand alongside HIPAA, and the covered entity must satisfy the more protective requirement.