SUBPART B-Preemption of State Law
The key sections are §160.201, §160.202, §160.203, §160.204 and §160.205. This is dense language that describes where the HIPAA rules preempt (read trump) state law, as well as, in general, where state law applies in addition to the HIPAA rules. If you have specific questions regarding conflicts between state and federal law then the only real option is advice of counsel.
That said, this is a survival guide and the intent here is to help providers navigate this maze in order to further their compliance strategies. With that objective in mind we will cover the highlights of the general rule (§160.203) and provide some commentary. In addition, the subsequent coverage of the HIPAA Privacy Rule, in particular, will highlight where state law may be implicated and the compliance requirements that will likely ensue.
Unless otherwise specified, any subsequent reference to HIPAA refers only to the rules generally contained in CFR §160, §162, and §164 (see Appendix Figure 1).
§160.203 The General Rule
The basic tenets of this rule are that if state law is "contrary" to HIPAA, then the latter preempts and is controlling, but if state law is "more stringent" than HIPAA, then in essence the federal and state laws are complementary and both apply. Both "contrary" and "more stringent" are terms of art defined in Subpart B.
There is really nothing new here in that most providers understand that HIPAA compliance implicates both federal and state law. Where there is a state law on point it is almost certainly "more stringent." If it is not, then that is a legal battle that individual providers will not likely be able to fight on their own. Such a law is certain to garner widespread attention from both state and federal lawmakers, as well as from other policy stakeholders. In short, assume that state law is more stringent and comply with it, unless and until you get better information.
In general, state laws that fall under the category of "more stringent" have to do with reporting requirements related to public health information, including laws regarding communicable diseases, child abuse, controlled substances, birth records, death records, etc. As such, state laws often control how, and with whom, protected health information can be shared, depending on various scenarios. As previously mentioned, the HIPAA Privacy Rule has language that provides additional "guidance" regarding where state law may be applicable. We will highlight that in the appropriate section of this document.
Commentary Regarding Conflict of Laws
This "conflict of laws" issue is likely to become even more confusing as the implications of the HIPAA Security Rule (i.e. regarding the protection of electronic health records) are better understood, especially as it pertains to state laws that purport to provide similar protections. What's a provider to do? The best answer to this question is a practical one and not a legal one.
We expand on this philosophy throughout the remainder of this guide, but for now it can be summarized as follows: "document the processes, training and other safeguards that you have put in place that will allow you (or more likely your lawyer) to make a compelling argument regarding your 'good faith' efforts to comply with all applicable law."
Once you have documented what you propose to do, you must (subsequently) be prepared to provide demonstrable evidence that you have lived by it (i.e. conducted your practice in conformance thereto). Will this approach relieve you of all legal liability? The safe answer to this question is "LIKELY NOT." That said, our recommended approach may go a long way toward mitigating your liability under general principles of equity and fairness, if in fact it does not eliminate liability altogether under the theory of "reasonable cause" (see Subpart C).
With respect to the HIPAA Security Rule we refer to the principle that underpins our recommended approach as "Implement the necessary safeguards" and with respect to the HIPAA Privacy Rule as "Do the right thing." We believe these principles are your keys to survival and are therefore further elaborated upon in the remaining sections of this guide. From a strategic practice perspective, the principles target a provider's "sweet spot" which requires significantly more than paying lip service to applicable law on the one hand, and allowing the weight of applicable law to crush your otherwise ethical practice on the other.
The latter serves no one's best interest and is ultimately, from the perspective of society as a whole, self-defeating. To be clear, we are in no way implying that a provider can ignore applicable law, but rather that HIPAA compliance spans a continuum and inherent in the rules is a degree of flexibility that, in certain instances, allows for the consideration of relevant factors (e.g. the capabilities and resources of the practice).
Make sure you are Omnibus Rule Compliant: HIPAA Privacy Checklist.