Pathology/Lab Coding Alert

Privacy Rule:

Watch Out for State Laws That Supersede HIPAA

Compliance depends on state regulation review.

Plenty of states have laws that regulate patient privacy just like the federal HIPAA law does. But what do you do if the state law is more or less stringent than HIPAA?

Answer: When states’ regulations go above and beyond HIPAA, you need to follow those state rules. But when a state’s laws aren’t as strict as the federal requirements or are contrary to the rule, then HIPAA prevails.

Lab jeopardy: Adding complexity for medical laboratories is deciding which state’s law to follow. Some states’ laws apply to the location of the lab, some to the location of the ordering provider, and some to the residence of the patient, so labs should check applicable states’ rules.

Let our experts help you get a handle on what all this means with the following insights.

See the Preemption Guidance

According to Office for Civil Rights (OCR) guidance, the following rule indicates when a state law preempts HIPAA:

“In the unusual case where a more stringent provision of state law is contrary to a provision of the Privacy Rule, the Privacy Rule provides an exception to preemption for the more stringent provision of state law, and the state law prevails. Where the more stringent state law and Privacy Rule are not contrary, covered entities must comply with both laws,” the agency states (www.hhs.gov/hipaa/for-professionals/faq/403/how-do-i-know-if-a-state-law-is-more-stringent-than-hipaa/index.html).

Similarly, the Office of the National Coordinator for Health Information Technology (ONC) states that the “HIPAA Rules provide a floor of federal protections for PHI. However, the Rules are not the only laws that address the protection of health information. In some instances, a more protective state law may [apply]. The HIPAA Rules do not override such state laws that do not conflict with the Rules and offer greater privacy protections” (www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf).

Know Who Must Comply

HIPAA and the state privacy laws apply to covered entities (CEs) and their business associates (BAs).

CE: HIPAA defines CEs as healthcare providers, health plans, or healthcare clearinghouses that transmit health information electronically under Department of Health and Human Services (HHS) transaction standards. A CE can be a person, institution, or organization, such as a hospital, an insurance company, or a physician.

BA: A BA “is any person or entity that performs a function or activity on behalf of the practice involving the use and/or disclosure of protected health information (PHI) that is not a part of the practice’s staff,” says Kent Moore, senior strategist for physician payment at the American Academy of Family Physicians.

Do This to Bolster State Compliance for Your Lab

“Luckily, a good job with HIPAA compliance can provide a good framework for compliance with all of the state laws an entity could be subject to,” says Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems LLC in Charlotte, Vermont.

As part of your annual policy review process and risk assessment, you should cross-check HIPAA against your state’s privacy provisions. Consider these seven steps to help you ensure you’re staying on target:

  1. Review applicable state and local laws.
  2. Look for differences between the various regulations and analyze your policies to ensure compliance with both.
  3. Take extra precautions to check state regulations on hot privacy topics like identity theft, consumer rights, data misuse, texting, and online patient engagement.
  4. Check state medical board policies on privacy, HIPAA, and state laws.
  5. Ensure your EHR vendor is aware of any differences between state and federal requirements.
  6. Implement practice policies that protect specialty-specific information that may extend beyond HIPAA.
  7. Monitor regulatory reform at the state and federal level as privacy and security requirements evolve to meet the changing healthcare landscape.

Bottom line: Both privacy and cybersecurity breaches have increased during the pandemic — and state laws have continued to diverge from the federal regulations. That’s why it’s critical that your lab revisits its policies often and covers all the privacy bases to remain compliant. “Many of these rules call for the same precautions, safeguards, and procedures, and it’s better to make your existing privacy documents more robust instead of creating parallel policies and procedures for each rule or law,” advises Sheldon-Dean.