HIPAA v. State Health Laws

Jun 13, 2022

When federal law is promulgated, the law then supersedes any state laws put into effect. If you are a covered entity or a business associate, you should consult with a qualified attorney who can give a complete evaluation of the differences between your state’s laws and the federal standards set forth by HIPAA.

Although HIPAA may annul state health laws that are more lax, particular states have more stringent regulations which may apply in conjunction with HIPAA. 

States have the right to enact their own versions of healthcare data privacy and security laws, so long as they are aligned with HIPAA and not contrary to the overarching federal statute. 

The basic tenets of this rule are that if state law is contrary to HIPAA, then HIPAA preempts the state law and controls, but if state law is more stringent than HIPAA, then the federal and state laws are complementary and both apply. 

In the case of more stringent law, this generally applies to laws which relate to the privacy of protected health information (PHI) and provide greater responsibility for the covered entity or business associate.

In general, state laws that are more stringent incorporate reporting requirements related to PHI, including laws regarding communicable diseases, child abuse, controlled substances, birth records, death records and others. As such, state laws often control how, and with whom, PHI can be shared, depending on various scenarios.

Covered entities and business associates must ensure they are fully compliant with the laws of the states in which they do business, as well as federal HIPAA standards.

Matt DeNoncour is the owner of Magis Law Firm, a solo law firm based in Boston, MA, where he provides legal services to the healthcare, biotechnology, and business communities. You can reach Matt at magislawfirm.com, by phone at 857-242-6826 or by email at matt@magislawfirm.com. This post is not meant to be legal advice.
