Question: Is it a violation of the HIPAA Privacy Rule if we comply with our state’s disclosure law requirements? We weren’t sure whether the federal provisions trump the state mandates. California Subscriber Answer: The HIPAA Privacy Rule actually contains an exception specifically involving disclosures required by state law. Common state-law disclosure obligations include reporting cases of child abuse, reporting cases of vulnerable adult abuse, and reporting to law enforcement if an individual has certain types of wounds like a bullet wound. HIPAA’s “required by state law” disclosure exception makes reviewing and understanding your state’s mandatory reporting laws absolutely essential. Focusing only on the federal HIPAA regulations to inform your disclosure obligations is a mistake. Bottom line: Learning the types of health information disclosures that HIPAA prohibits and encourages will facilitate the proper flow of information, improve patient experience, and help avoid costly federal investigations and fines.