Practice Management Alert

Compliance:

Don't Look to Federal Law if State Law More Stringent

Some states’ rules on patient privacy exceed even HIPAA requirements.

It may seem that the tension between federal law, which appears to loosen steadily, and state law, which grows stricter, is something new. In fact, the privacy rule under the Health Insurance Portability and Accountability Act (HIPAA) has been a point of contention between the states and the federal government since its inception, even though the rule was drafted to minimize conflicts with state law.

But how do you figure out whether your state’s laws concerning patient privacy are stricter than federal law?

To qualify as “more stringent,” a state law must meet at least one of the criteria in the definition of that term in Title 45 of the Code of Federal Regulations (45 CFR 160.202). The first criterion reads:

(1) “With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this subchapter, except if the disclosure is:

(i) “Required by the Secretary in connection with determining whether a covered entity is in compliance with this subchapter; or

(ii) “To the individual who is the subject of the individually identifiable health information.”

In short, you can treat a state law as stricter than the HIPAA privacy rule when it protects a patient’s privacy, or a patient’s rights over her health information, beyond what the federal rule requires.

“In general, a state law is ‘more stringent’ than the HIPAA Privacy Rule if it relates to the privacy of individually identifiable health information and provides greater privacy protections for individuals’ identifiable health information, or greater rights to individuals with respect to that information, than the Privacy Rule does,” says the U.S. Department of Health and Human Services Office of Civil Rights (OCR).

“For example, a state law that provides individuals with a right to inspect and obtain a copy of their medical records in a more timely manner than the Privacy Rule is ‘more stringent’ than the Privacy Rule,” OCR says.

There are approximately 12 states that have legislated that a provider has fewer than 30 days to provide a patient with her individual medical records, once requested, according to Health Information & the Law Project, a collaboration between George Washington University’s Hirsh Health Law and Policy Program and the Robert Wood Johnson Foundation.

“In the unusual case where a more stringent provision of state law is contrary to a provision of the Privacy Rule, the Privacy Rule provides an exception to preemption for the more stringent provision of state law, and the state law prevails. Where the more stringent state law and Privacy Rule are not contrary, covered entities must comply with both laws,” OCR says.

Caveat: A state law is “contrary” to the HIPAA privacy rule when a covered entity could not comply with both at once, or when the state law stands as an obstacle to HIPAA’s purposes. Only a contrary state law that is also more stringent survives preemption; a contrary state law that is less protective gives way to the privacy rule.

For example: “A state law that prohibits the disclosure of protected health information to an individual who is the subject of the information may be contrary to the Privacy Rule, which requires the disclosure of protected health information to an individual in certain circumstances. With certain exceptions, the Privacy Rule preempts ‘contrary’ state laws,” OCR says.

Resource: See where your state’s laws fall here: http://www.healthinfolaw.org/comparative-analysis/individual-access-medical-records-50-state-comparison.