HIPAA FAQ – Preemption of State Law
Yes. The Department of Health and Human Services (HHS) will promptly inform the public of exception determinations through publication of notice in the Federal Register, and on HHS’ web sites, including the OCR Privacy web site.
The Department of Health and Human Services (HHS) will not make determinations as to whether a provision of State law is “more stringent” than a provision of the Privacy Rule. HIPAA’s Administrative Simplification Rules provide a general exception to preemption for more stringent, contrary State laws. Because such an exception already exists, it is neither necessary nor appropriate to request a preemption exception determination from HHS. Further, HHS will not determine whether a provision is “contrary” to the Privacy Rule, except in the context of, and as necessary to, making an exception determination for State laws that meet one or more of the criteria listed at 45 CFR 160.203(a).
See 45 CFR 160.202 for the definitions of “more stringent” and “contrary.” View an unofficial version of the Privacy Rule and the preemption requirements. – PDF.
No. Preemption exception determinations issued by the Department of Health and Human Services (HHS) will apply generally to all persons subject to the particular provision of State law for which the exception was granted. When an exception determination is made, HHS will promptly inform the public through publication of notice in the Federal Register, and on HHS’ web sites, including the OCR Privacy web site.
No. The Privacy Rule permits covered health care providers and other covered entities to disclose reports of child abuse or neglect to public health authorities or other appropriate government authorities. See 45 CFR 164.512(b)(1)(ii). Thus, there is no conflict between the State law and the Privacy Rule, and no preemption. Covered entities may report such information and be in compliance with both the State law and the Privacy Rule.
Further, even in the unusual case where a State law that provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention is contrary to a provision of the Privacy Rule – that is, it is impossible for a covered entity to comply with both the Privacy Rule and the State law, or the State law is an obstacle to accomplishing the full purposes and objectives of HIPAA’s Administrative Simplification provisions – the Administrative Simplification Rules specifically provide an exception to preemption of State law. Thus, if a provision of State law provided for public health surveillance and was contrary to the Privacy Rule, the State law would prevail. Because the Administrative Simplification Rules except such contrary State laws from preemption, it is neither necessary nor appropriate to request a preemption exception determination from the Department of Health and Human Services.
See 45 CFR 160.202 for the definition of “contrary” and 45 CFR 160.203 for the general rule and exceptions to preemption. View an unofficial version of the Privacy Rule and the preemption requirements. – PDF.
No. The Privacy Rule establishes a floor of Federal privacy protections and rights for individuals. If a provision of State law provides greater privacy protection than a provision of the Privacy Rule, and it is possible to comply with both the State law and the Privacy Rule (e.g., where a State law prohibits the disclosure of HIV status while the Privacy Rule permits such disclosure), there is no conflict between the State law and the Privacy Rule, and no preemption.
Further, even in the unusual case where a “more stringent” provision of a State law is “contrary” to a provision of the Privacy Rule – that is, it is impossible to comply with both the Privacy Rule and the State law, or the State law is an obstacle to accomplishing the full purposes and objectives of HIPAA’s Administrative Simplification provisions – the Administrative Simplification Rules specifically provide an exception to preemption of State law. Thus, if a more stringent provision of State law protects HIV patient information and is contrary to the Privacy Rule, the “more stringent” State law would prevail. Because HIPAA’s Administrative Simplification Rules themselves except more stringent, contrary State law from preemption, it is neither necessary nor appropriate to request a preemption exception determination from the Department of Health and Human Services.
See 45 CFR 160.202 for the definitions of “more stringent” and “contrary,” and 45 CFR 160.203 for the general rule and exceptions to preemption. View an unofficial version of the Privacy Rule and the preemption requirements. – PDF.
The Department of Health and Human Services (HHS) may, upon specific request from a State or other entity or person, issue a determination that a contrary State law which meets certain criteria will not be preempted by the Federal requirements. Only State laws that are “contrary” to the Federal requirements are eligible for an exemption determination. As defined by HIPAA’s Administrative Simplification Rules, “contrary” means that it would be impossible for a covered entity to comply with both the State and Federal requirements, or that the State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA. See 45 CFR 160.202.
A contrary State law is not preempted by the Federal requirements if the Secretary or designated HHS official determines that the request meets one or more of the following criteria, which are set forth in 45 CFR 160.203(a):
- The provision of State law is necessary:
  - to prevent fraud and abuse related to the provision of or payment for health care,
  - to ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation,
  - for State reporting on health care delivery and costs, or
  - for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or
- The principal purpose of the provision of State law is to regulate the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law.
Thus, States and other persons may request in writing that HHS except certain contrary provisions of State law from preemption by the Privacy Rule. The request for exception must explain how the State law in question is actually contrary to the Federal requirements, and how the contrary State law meets one or more of the specific criteria for which exceptions may be granted. Title 45 CFR Part 160, Subpart B, sets forth the specific requirements related to preemption of State law and the criteria and process for requesting exception determinations.
HHS will not make determinations as to whether a provision of State law is “more stringent” than a provision of the HIPAA Privacy Rule, and will not determine whether a provision is “contrary” to the Privacy Rule, except in the context of, and as necessary to, making an exception determination.
See 45 CFR Part 160, Subpart B, for specific requirements related to preemption of State law. View an unofficial version of the Privacy Rule and the preemption requirements. – PDF.
In general, a State law is “more stringent” than the HIPAA Privacy Rule if it relates to the privacy of individually identifiable health information and provides greater privacy protections for individuals’ identifiable health information, or greater rights to individuals with respect to that information, than the Privacy Rule does. See the definition of “more stringent” at 45 CFR 160.202 for the specific criteria. For example, a State law that provides individuals with a right to inspect and obtain a copy of their medical records in a more timely manner than the Privacy Rule is “more stringent” than the Privacy Rule.
In the unusual case where a more stringent provision of State law is contrary to a provision of the Privacy Rule, the Privacy Rule provides an exception to preemption for the more stringent provision of State law, and the State law prevails. Where the more stringent State law and Privacy Rule are not contrary, covered entities must comply with both laws.
See 45 CFR Part 160, Subpart B, for specific requirements related to preemption of State law. View an unofficial version of the Privacy Rule and the preemption requirements. – PDF.
A State law is “contrary” to the HIPAA Privacy Rule if it would be impossible for a covered entity to comply with both the State law and the Federal Privacy Rule requirements, or if the State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA. See the definition of “contrary” at 45 CFR 160.202.
For example, a State law that prohibits the disclosure of protected health information to an individual who is the subject of the information may be contrary to the Privacy Rule, which requires the disclosure of protected health information to an individual in certain circumstances. With certain exceptions, the Privacy Rule preempts “contrary” State laws. See 45 CFR Part 160, Subpart B. View an unofficial version of the Privacy Rule and the preemption requirements. – PDF.
The Privacy Rule is designed to minimize conflicts between Federal requirements and those of State law in the following ways:
- The Privacy Rule establishes a floor of Federal privacy protections and individual rights with respect to individually identifiable health information held by covered entities and their business associates. Covered entities may provide greater privacy rights to individuals and greater protections on such information. In addition, covered entities may comply with State laws that provide greater protections for individually identifiable health information and greater privacy rights for individuals.
- The Privacy Rule permits a covered entity to use or disclose protected health information if a State law requires the use or disclosure. See 45 CFR 164.512(a).
- The Privacy Rule permits a covered entity to disclose protected health information to a public health authority who is authorized by law to collect such information for the purposes of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions. (See 45 CFR 164.512(b) for all of the public health disclosures permitted by the Privacy Rule.) Thus, State laws that provide for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation, or intervention, likely will not conflict with the Privacy Rule. In the unusual case where there is a conflict, the State law would stand. See 45 CFR 160.203(c). Because the Administrative Simplification Rules themselves exempt such State laws from preemption, a request for the Department of Health and Human Services (HHS) to issue a preemption exception determination is unnecessary and inappropriate.
- The Privacy Rule permits a covered entity to disclose protected health information to a health oversight agency for oversight activities authorized by law, such as audits and licensure activities. See 45 CFR 164.512(d). Thus, State laws that provide for certain health plan reporting for the purpose of management or financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals, likely will not conflict with the Privacy Rule. In the unusual case where there is a conflict, the State law would stand. See 45 CFR 160.203(d). Because the Administrative Simplification Rules themselves exempt such State laws from preemption, a request for the Department of Health and Human Services (HHS) to issue a preemption exception determination is unnecessary and inappropriate.
View an unofficial version of the Privacy Rule and the preemption requirements. – PDF.
The HIPAA Privacy Rule provides a Federal floor of privacy protections for individuals’ individually identifiable health information where that information is held by a covered entity or by a business associate of the covered entity. State laws that are contrary to the Privacy Rule are preempted by the Federal requirements, unless a specific exception applies. These exceptions include if the State law:
- relates to the privacy of individually identifiable health information and provides greater privacy protections or privacy rights with respect to such information,
- provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention, or
- requires certain health plan reporting, such as for management or financial audits.
In these circumstances, a covered entity is not required to comply with a contrary provision of the Privacy Rule.
In addition, the Department of Health and Human Services (HHS) may, upon specific request from a State or other entity or person, determine that a provision of State law which is “contrary” to the Federal requirements – as defined by the HIPAA Administrative Simplification Rules – and which meets certain additional criteria, will not be preempted by the Federal requirements. Thus, preemption of a contrary State law will not occur if the Secretary or designated HHS official determines, in response to a request, that one of the following criteria applies, namely that the State law:
- is necessary to prevent fraud and abuse related to the provision of or payment for health care,
- is necessary to ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation,
- is necessary for State reporting on health care delivery or costs,
- is necessary for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or
- has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law.
It is important to recognize that only State laws that are “contrary” to the Federal requirements are eligible for an exemption determination. As defined by the Administrative Simplification Rules, contrary means that it would be impossible for a covered entity to comply with both the State and Federal requirements, or that the provision of State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.
See 45 CFR Part 160, Subpart B, for specific requirements related to preemption of State law. View an unofficial version of the Privacy Rule and the preemption requirements. – PDF.