Question: What does the Centers for Medicare & Medicaid Services (CMS) mean when they say that some state laws may be “more stringent” than the Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy Rules?

Texas Subscriber

Answer: Some state laws may enact stronger privacy protections for residents’ identifiable health information. One example of “more stringent” would be a state law requiring accounting of disclosures, or retention or reporting of information that is more detailed or must be kept for a longer duration. You can find all of the definitions of “more stringent” here: www.govinfo.gov/content/pkg/CFR-2003-title45-vol1/xml/CFR-2003-title45-vol1-sec160-202.xml.

For practical purposes, the U.S. Department of Health and Human Services (HHS) provides two important working definitions to figure out what to do when a state law is more stringent than a HIPAA rule: