Question: With all the new state laws going into effect to protect patients’ privacy, we’re not sure which rule to follow. Do we abide by HIPAA or our individual state’s law?

New York Subscriber

Answer: Actually, it’s a good idea to know the nuances and requirements of both to protect your patients and your practice.

Why? If your state’s laws regarding privacy are more stringent than those under the HIPAA Privacy Rule, following the HHS Office for Civil Rights (OCR) guidance will do your facility more harm than good.

“In the unusual case where a more stringent provision of state law is contrary to a provision of the Privacy Rule, the Privacy Rule provides an exception to preemption for the more stringent provision of state law, and the state law prevails,” stresses OCR guidance. The agency goes on to explain that “where the more stringent state law and Privacy Rule are not contrary, covered entities must comply with both laws.”

So, even though it may seem like an extra step in compliance planning, it is essential for you to review and integrate your state’s requirements into your protocols on protecting and securing patients’ protected health information (PHI).

“Luckily, a good job with HIPAA compliance can provide a good framework for compliance with all of the state laws an entity could be subject to,” says Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems, LLC in Charlotte, Vermont.

Put these five extra steps in your plan to ensure you’re compliant with state regulations:

It’s better to be safe than sorry and cover all your bases in regard to your state’s laws. “Many of these rules call for the same precautions, safeguards, and procedures, and it’s better to make your existing privacy documents more robust instead of creating parallel policies and procedures for each rule or law,” Sheldon-Dean explains.