Medicare Compliance & Reimbursement

Reader Question:

Understand Both Your State Privacy Laws and HIPAA

Question: With all the new state laws going into effect to protect patients’ privacy, we’re not sure which rule to follow. Do we abide by HIPAA or our individual state’s law?

New York Subscriber

Answer: Actually, it’s a good idea to know the nuances and requirements of both to protect your patients and your practice.

Why? If your state’s laws regarding privacy are more stringent than those under the HIPAA Privacy Rule, following the HHS Office for Civil Rights (OCR) guidance will do your facility more harm than good.

“In the unusual case where a more stringent provision of state law is contrary to a provision of the Privacy Rule, the Privacy Rule provides an exception to preemption for the more stringent provision of state law, and the state law prevails,” stresses OCR guidance. The agency goes on to explain that “where the more stringent state law and Privacy Rule are not contrary, covered entities must comply with both laws.”

So, even though it may seem like an extra step in compliance planning, it is essential for you to review and integrate your state’s requirements into your protocols on protecting and securing patients’ protected health information (PHI).

“Luckily, a good job with HIPAA compliance can provide a good framework for compliance with all of the state laws an entity could be subject to,” says Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems, LLC in Charlotte, Vermont.

Put these five extra steps in your plan to ensure you’re​ compliant with state regulations:

  • “Coordinate a review of applicable local laws,” advises Sheldon-Dean.
  • Check with your EHR vendor to ensure state requirements are met as well as federal ones.
  • Analyze the differences between state and federal rules for encryption, breach notification and timelines, and personal information, covering both sets of standards in your plan.
  • Evaluate and implement state policies that protect specialty-specific sensitive information that may extend beyond HIPAA.
  • “Add the necessary pieces and changes to your existing privacy and security policy and procedure set,” stresses Sheldon-Dean.

It’s better to be safe than sorry and cover all your bases in regard to your state’s laws. “Many of these rules call for the same precautions, safeguards, and procedures, and it’s better to make your existing privacy documents more robust instead of creating parallel policies and procedures for each rule or law,” Sheldon-Dean explains.