Practice Management Alert

Reader Questions:

Defer to State Law if More Stringent

Question: What does the Centers for Medicare & Medicaid Services (CMS) mean when they say that some state laws may be “more stringent” than the Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy Rules?

Texas Subscriber

Answer: Some state laws may enact stronger privacy protections for residents’ identifiable health information. One example of “more stringent” would be a state law requiring accounting of disclosures, or retention or reporting of information that is more detailed or must be kept for a longer duration. You can find all of the definitions of “more stringent” here: www.govinfo.gov/content/pkg/CFR-2003-title45-vol1/xml/CFR-2003-title45-vol1-sec160-202.xml.

For practical purposes, the U.S. Department of Health and Human Services (HHS) provides two important working definitions to figure out what to do when a state law is more stringent than a HIPAA rule:

  • “In general, a State law is ‘more stringent’ than the HIPAA Privacy Rule if it relates to the privacy of individually identifiable health information and provides greater privacy protections for individuals’ identifiable health information, or greater rights to individuals with respect to that information, than the Privacy Rule does.”
  • “In the unusual case where a more stringent provision of State law is contrary to a provision of the Privacy Rule, the Privacy Rule provides an exception to preemption for the more stringent provision of State law, and the State law prevails.”