A State law is “contrary” to the HIPAA Privacy Rule if it would be impossible for a covered entity to comply with both the State law and the Federal Privacy Rule requirements, or if the State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA. See the definition of “contrary” at 45 CFR 160.202.
For example, a State law that prohibits the disclosure of protected health information to an individual who is the subject of the information may be contrary to the Privacy Rule, which requires the disclosure of protected health information to an individual in certain circumstances. With certain exceptions, the Privacy Rule preempts “contrary” State laws. See 45 CFR Part 160, Subpart B. View an unofficial version of the Privacy Rule and the preemption requirements. – PDF.