Is HIPAA a Federal Law?
HIPAA is a Federal law that was passed in 1996 with the objective of reforming the health insurance industry in order to improve the portability of health insurance between jobs and to protect the coverage of employees with preexisting conditions. Due to concerns that the cost of the reforms would be passed onto employers and employees – and that this would negatively affect federal tax revenues – measures were introduced to counter the costs of the reforms.
The measures included a “Fraud and Abuse Program” to prevent unscrupulous healthcare providers fraudulently charging for services provided (or not provided) to group plan members, and the “Administrative Simplification Requirements” – which instructed the Secretary of Health and Human Services to:
- Standardize codes used in electronic healthcare transactions to simplify the administration and improve the efficiency of healthcare transactions,
- Develop security standards for health information used and disclosed in healthcare transactions, and
- Make recommendations with respect to the privacy of certain health information.
HIPAA is a Federal Law – Healthcare HIPAA Consists of Federal Regulations
Although HIPAA is a Federal law, the Rules that resulted from the instructions to the Secretary of Health and Human Services (e.g., the Transaction Rules and the Security and Privacy Rules) are Federal regulations. The difference between the two is that Federal laws are passed by Congress and signed by the President, while Federal regulations are published by executive branch agencies to set out how they interpret the law and how it will be applied.
In the case of HIPAA, the Rules that govern healthcare organizations and other covered entities (“Healthcare HIPAA”) are published as regulations rather than laws. This makes it easier for an HHS agency to change a Rule if a subsequent Federal law, an amendment to a Federal law, or an Executive Order impacts HIPAA compliance. An example of how a law can result in changes to regulations is the HIPAA Omnibus Rule introducing changes to HIPAA mandated by the HITECH Act.
The Preemption of Federal HIPAA by State Laws
The sole mention of preemption in Title II of the original text of HIPAA (Section 264) appears in the instruction to the Secretary of Health and Human Services to submit recommendations to Congress on standards with respect to the privacy of certain health information. The instruction notes that, if a provision of state law imposes more stringent privacy provisions than those recommended by the Secretary, then the provision of state law will preempt HIPAA.
When the Privacy Rule was published in 2003, it was described by the Department of Health and Human Services (HHS) as “a federal floor of privacy protections” that could be preempted by state law if the state law:
- provided greater privacy protections or privacy rights,
- provided for the reporting of public health issues, or
- required certain health plan reporting, such as for management or financial audits.
Many states now have privacy laws with more stringent provisions than HIPAA, but many only apply to specific health information (e.g., genetics), to specific sectors of the healthcare industry (e.g., pharmacies), or to specific circumstances (e.g., emergencies). Some – for example, the Texas Medical Records Privacy Act – extend beyond state boundaries to impact covered entities that collect, maintain, or process individually identifiable health information belonging to a resident of the state.
When HIPAA is Preempted by Other Federal Laws
In addition to being preempted by state laws, there are multiple examples of when HIPAA is preempted by other federal laws or parts of other federal laws. For example, federal agencies that qualify as covered entities under HIPAA are also subject to the Privacy Act of 1974. In circumstances when HIPAA is preempted by the Privacy Act, federal agencies are unable to disclose PHI – even when the disclosure is permitted by the HIPAA Privacy Rule.
Possibly the most complex relationship between HIPAA and other federal laws concerns students' medical records. With a number of exceptions, medical services provided to students form part of their “education records”, which are protected by the Family Educational Rights and Privacy Act (FERPA) and the Individuals with Disabilities Education Act (IDEA). Consequently, educational institutions that meet the definition of a covered entity may not have to comply with the Privacy Rule because the institution's only health records are protected education records.
It is also the case that HIPAA can be preempted by any law that meets the criteria of 45 CFR § 164.512(a)(1) – “A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law”. While this standard is most often interpreted as relating to disclosures to public agencies, law enforcement, and judicial proceedings, HHS has itself acknowledged that circumstances exist, beyond this interpretation, in which patient consent is not required.
It is noticeable that changes have been made to the Privacy Rule since its original publication to address conflicts between HIPAA and other federal laws and make allowances for possible contradictions. For example, in 2013, the allowable uses and disclosures without patient consent were extended to include school immunization services and protective services to the President; while, in 2016, disclosures to the National Instant Criminal Background Check System were allowed.
Is HIPAA a Federal Law? Summary
- HIPAA is a Federal law, but “Healthcare HIPAA” consists of Federal regulations.
- State laws with more stringent privacy provisions preempt HIPAA.
- Where conflicts exist with other Federal laws, preemption is case specific.
- The Privacy Rule is constantly evolving to address conflicts and possible contradictions.
- Covered entities and business associates are advised to seek professional compliance help to determine which regulations they must comply with.
Is HIPAA a Federal Law? FAQs
Where can I find out what state laws may apply to my HIPAA-covered organization?
In 2009, a multi-agency report on State Law Requirements for Patient Permission to Disclose Health Information revealed numerous state laws that may preempt HIPAA (see Appendix A). Although out of date, this report is a good starting place to identify state laws that may apply to a HIPAA-covered organization. For further information, speak with a healthcare attorney or compliance professional.
What additional compliance issues exist when state laws extend beyond state boundaries?
This depends on the nature of the law. With regards to the Texas Medical Records Privacy Act, any organization that collects, maintains, or processes health information of a Texas resident is required to comply with the Act – even if the organization is not located in Texas or the individual was outside the state when the information was collected.
Are there federal laws that predate HIPAA that can impact the delivery of healthcare?
Certainly. In addition to the Privacy Act discussed above, some regulations relating to the confidentiality of substance use disorder patient records (42 CFR Part 2) have their origins in the National Mental Health Act of 1946. To help covered entities incorporate the regulations into HIPAA-compliant operations, the Substance Abuse and Mental Health Services Administration (SAMHSA) has released a guide entitled “Does Part 2 Apply to Me?”
What happens if you violate HIPAA due to a more stringent state law?
If a state law has more stringent privacy protections and privacy rights than HIPAA, it is not possible to violate HIPAA by complying with the state law. However, if you comply with a state law that contradicts HIPAA, you could be sanctioned by HHS' Office for Civil Rights. The type of sanction will depend on the nature of the violation and whether it was attributable to a lack of knowledge or willful neglect.
Will the Privacy Rule be revised again to address conflicts between HIPAA and other federal laws?
This is highly likely. Since the Privacy Rule was last revised, Congress has passed legislation such as the CARES Act, the HIPAA Safe Harbor Law, and the 21st Century Cures Act. The impact of these federal laws on HIPAA is expected to be addressed in new HIPAA regulations forecast to be published by the Secretary of Health and Human Services later this year or in early 2025.