HIPAA action
HIPAA dvisory
HIPAAdvisory > HIPAAction > HIPAAdvisor Phoenix Health Systems
news
regs
action
tech
wares
alert
live
latest
online HIPAA training
HIPAAstore
HIPAA help desk
search
contact us
site map

HIPAAdvisor: Q & A with Steve Fox

State Law Pre-emption -- Not So Simple

QUESTION: Are state laws preempted by HIPAA's Administrative Simplification regulations?

ANSWER: Generally, HIPAA's Administrative Simplification subtitle preempts state law provisions that are contrary to the provisions or requirements of the subtitle or that are contrary to the standards or implementation specifications adopted or established pursuant to the subtitle.  However, there are three exceptions to this rule for:

  1. State laws, which the Secretary of the Department of Health and Human Services (the "Secretary") determines are necessary to prevent fraud and abuse, ensure appropriate state regulation of insurance and health plans, for state reporting on health care delivery, and other purposes;

  2. State laws which address controlled substances; and

  3. State laws relating to the privacy of individually identifiable health information that are contrary to and more stringent than the federal requirements.

The preemption rule does not:

  • invalidate or limit state authority, power, or procedures established under any law that provides for the reporting, surveillance, investigation or intervention in the interest of public health; or  
  • limit a state's ability to require a health plan to report or provide access to information for audit, evaluation, licensure, or certification.

What does it mean for a state law to be "contrary"?  Basically, state law is "contrary" when it conflicts with federal law. Courts make the determination that state law conflicts with federal law when

  • it is impossible to comply with both the state and federal law; or 
  • the state law is an impediment to the accomplishment and execution of the full purposes and objective of Congress in enacting the federal law.

Incidentally, the proposed privacy regulation dissects the meaning of some of the other terminology utilized in the preemption rule (including a discussion of what is meant by, "state law", "relates to individually identifiable health information", "stringent" and "provision of state law") that is particularly helpful in understanding and interpreting the scope of preemption.

The stated purpose of the Administrative Simplification subtitle is to, ". . . improve the efficiency and effectiveness of the health care system . . . by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information."  As noted in the proposed privacy rule, many HIPAA regulations will preempt state law.  Indeed, Congress' very purpose and intent was, in certain instances, to create uniform national standards.   A perfect example is the final rule on standards for electronic transactions.  The rule mandates the use of national standardized formats during certain electronic health care transactions and clearly states that "covered entities may not use local codes in standard transactions after compliance with this regulation is required."

As noted earlier, there are exceptions to the rule that says HIPAA preempts contrary state law provisions.  The Secretary is left to make determinations about whether certain state law provisions fall within one of the first two exceptions listed above. But how will the Secretary make these determinations?  The proposed rule on security and electronic signature standards is silent on the issue and the electronic transactions rule defers to the final privacy regulation.  The proposed privacy regulation sets forth a process that would permit the states to request exemption determinations or advisory opinions from the Secretary.  There are specific reasons for why these requests must come from the states, but that discussion is beyond the scope of this article.  See Standards for Privacy of Individually Identifiable Information, 64 Fed. Reg. 59918, 59997 (proposed Nov. 3, 1999) (to be codified at 45 C.F.R. pts. 160 - 164).

Read past HIPAA Legal Q/A articles.

Steve Fox, Esq., is a partner in the Washington, D.C. office of Pepper Hamilton LLP. Pepper Hamilton LLP is a multi-practice law firm with more than 400 lawyers in ten offices. A specialist in healthcare, Steve is a frequent writer and speaker on healthcare information management and technology issues. www.pepperlaw.com/

This article was co-authored by Rachel H. Wilson, Esq., an associate at Pepper Hamilton.

Disclaimer: Steve's responses offer information that is general in nature and should not be relied upon as legal advice. Only your attorney is qualified to evaluate your specific situation and provide you with customized advice.

Have a question you'd like Steve to discuss in HIPAAlert? Send it to and he'll be glad to consider using it in a future column, with or without attribution.