Listen to: "Which Matters More: HIPAA or State Law?"
There are strong rules and laws that govern how individuals’ health information is handled. Some of these are covered under the Health Insurance Portability and Accountability Act, better known as HIPAA. Some are established at the state level, whether through a law that pre-dates HIPAA or a later one that strengthens patient rights. To understand which cover your organization, you’ll need to understand both your local laws and how they interact with law at the federal level.
What you need to know about HIPAA
HIPAA is a federal law that was established in 1996. HIPAA regulations were put into place as a multi-prong approach to improve the country’s health insurance system. It’s administered by the Department of Health and Human Services and applies to all entities in the United States that handle personal health information.
What happens when HIPAA and state law conflict?
A number of states already had patient privacy laws on the books when HIPAA took effect. In other cases, states passed additional laws that expanded on the privacy rights guaranteed under HIPAA. Sometimes, these state and federal laws with contradict one another.
In general, when a state and federal law conflict, the federal law is the one that reigns supreme. HIPAA sets a federal floor for privacy protections for individuals. No state has the right to provide weaker protection for an individual than what is available at the federal level. This is covered under a concept known as “preemption,” which is spelled out in HIPAA’s privacy rules.
However, there is an exception. When a state’s law is more stringent than the law at the federal level, the state law will typically prevail. Some examples of more stringent laws can include:
- stronger limits on provider disclosure of health information.
- laws that allow individuals greater access t their personal health data.
- laws that increase the minimum time period that a provider must retain medical records.
Additionally, a state law might prevail in cases were there are compelling needs that are related to public health, safety or welfare. State law could also win out in cases where the law provides for reporting on public welfare issues, such as child abuse, reporting death or injury, or for the purposes on public health investigation, surveillance or intervention. In these cases, a state law that is less stringent than HIPAA may be allowed to prevail over HIPAA’s stronger individual standard of privacy.
Examples of States with More Stringent Laws
Each locality is different and it is important to familiarize yourself with the laws where your organization does business. A few examples of laws where HIPAA is not the strongest rule of the land:
In New York, patients are given wide access to their medical records. Providers must provide patients access to their records within 10 days of a written request, which is consistent with federal HIPAA protections. However, New York’s law also states that healthcare providers may deny clinician observation and notes to patients. This is an area where HIPAA does not have a clear and concise rule.
In California patients may bring legal actions for violation of state law under the California Confidentiality of Medical Information Act. This state law provides for both compensatory and disciplinary damages for patients, which is not a right spelled out under HIPAA.
In Illinois there are patient access laws that allow individuals to file civil suits for equitable relief.
Understanding both the applicable state laws as well as HIPAA is vital if your organization is going to stay in compliance. We work with organizations all over the country to help them understand their commitments and the ways they can stay on top of what is expected.
Other Areas with Potential Conflicts
Both HIPAA and state laws are constantly evolving. Because of this, HIPAA can potentially conflict with state law on any number of topics. There are, however, a few areas that are more likely to generate conflicts than others.
One big one is the allowable use and disclosure of protected health information (PHI). Many of the rules in HIPAA focus on what information is PHI and what an organization is and is not allowed to do with that data. A disclosure of PHI that is permitted under HIPAA may be forbidden by your specific state. If you are potentially disclosing data, make sure that it is allowed under both HIPAA and your state’s laws.
Another area ripe for conflict is patient rights. If your state law gives patients a greater degree of access than federal law, there is a good chance that state law will supersede federal in this case.
You may also find conflicts when it comes to specific spans of time. For instance, your state may require that records be kept longer or that access may be provided more quickly. You may also have more stringent deadlines for reporting breaches of protected information under your state’s law. California, for instance, requires that a PHI breach be reported within 15 days. Under HIPAA, organizations have up to 60 days.
Helping You Protect Patients and Your Organization
At I.S. Partners, we are passionate about helping organizations and individuals understand their responsibilities and developing plans that help them stay in compliance. We work with you to clarify labyrinthine laws and to make it easy for your team members to develop and follow proper procedures.