Question: Sometimes our state’s disclosure law requirements are different from provisions in the HIPAA Privacy Rule. Are we violating HIPAA if we follow our state’s mandates instead? California Subscriber Answer: The HIPAA Privacy Rule actually contains an exception specifically involving disclosures required by state law. Common state-law disclosure obligations include reporting cases of child abuse, reporting cases of vulnerable adult abuse, and reporting to law enforcement if an individual has certain types of wounds like a bullet wound. HIPAA’s “required by state law” disclosure exception makes reviewing and understanding your state’s mandatory reporting laws absolutely essential. Focusing only on the federal HIPAA regulations to inform your disclosure obligations is a mistake. Bottom line: Learning the types of health information disclosures that HIPAA prohibits and encourages will facilitate the proper flow of information, improve patient experience, and help avoid costly federal investigations and fines.