Is HIPAA a Federal Law?
Although the answer to the question is HIPAA is federal law is yes, there are occasions when HIPAA is pre-empted by state laws or other federal laws – adding to the complexity of compliance.
When the Healthcare Insurance Portability and Accountability Act was passed in 1996, most references to preemption appeared in the Group Health Plan Portability, Access, and Renewability Requirements of Title I. These generally allowed for state law to preempt HIPAA if states required group health plans to cover pre-existing conditions not covered by HIPAA or required longer periods than HIPAA between enrollment in a plan and the payment for treatment of a pre-existing condition.
The sole mention of preemption in Title II of the original text of HIPAA (Section 264) appears in the instruction to the Secretary of Health and Human Services to submit recommendations to Congress on standards with respect to the privacy of individually identifiable health information. The instruction notes that, if a state law imposes more stringent privacy provisions than those recommended by the Secretary, then the state law will pre-empt HIPAA.
Consequently, when the Privacy Rule was published in 2003, it was described by the Department of Health and Human Services (HHS) as “a federal floor of privacy protections” that could be preempted by state law if the state law:
3 Steps To HIPAA Compliance
Please see HIPAA Journal
- Step 1 : Download Checklist.
- Step 2 : Review Your Business.
- Step 3 : Get Compliant!
The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.
- provided greater privacy protections or privacy rights,
- provided for the reporting of public health issues, or
- required certain health plan reporting, such as for management or financial audits.
Many states now have privacy laws with more stringent provisions than HIPAA, but many only apply to specific health information (i.e., genetics), to specific sectors of the healthcare industry (i.e., pharmacies), or to specific circumstances (i.e., emergencies). Some – for example, the Texas Medical Records Privacy Act – extend beyond state boundaries to impact Covered Entities that collect, maintain, or process individually identifiable health information belonging to a resident of the state.
When HIPAA is Preempted by Other Federal Laws
In addition to being preempted by state laws, there are multiple examples of when HIPAA is preempted by other federal laws or parts of other federal laws. For example, federal agencies that qualify as Covered Entities under HIPAA are also subject to the Privacy Act 1974. In circumstances when HIPAA is preempted by the Privacy Act, federal agencies are unable to disclose PHI – even when it is permitted by the HIPAA Privacy Rule.
Possibly the most complex relationship between HIPAA and other federal laws concerns students´ medical records. With a number of exceptions, medical services provided to students form part of their “education records” which are protected by the Family Education Rights and Privacy Act (FERPA) and the Individuals with Disabilities Education Act (IDEA). Consequently, educational institutions that meet the definition of a Covered Entity may not have to comply with the Privacy Rule because the institution´s only health records are protected education records.
It is also the case HIPAA can be preempted by any law that meets the criteria of 45 CFR § 164.512 (a)(1) – “A Covered Entity may use or disclose PHI to the extent that such use or disclosure is required by law”. While this standard is most often interpreted as relating to disclosures to public agencies, law enforcement, and judicial proceedings, the HHS has itself acknowledged circumstances exist in which patient consent is not required beyond this interpretation.
It is noticeable that changes have been made to the Privacy Rule since its original publication to address conflicts between HIPAA and other federal laws and make allowances for possible contradictions. For example, in 2013, the allowable uses and disclosures without patient consent were extended to include school immunization services and protective services to the President; while, in 2016, disclosures to the National Instant Criminal Background Check System were allowed.
Is HIPAA a Federal Rule? Summary
- HIPAA is a federal rule that creates a federal floor of privacy protections
- State laws with more stringent privacy protection pre-empt HIPAA.
- Where conflicts exist with federal laws, HIPAA often takes the back seat.
- The Privacy Rule is constantly evolving to address conflicts and possible contradictions.
- Covered Entities and Business Associates are advised to seek professional compliance help to determine which Rules they must comply with.
Is HIPAA a Federal Law? FAQs
Where can I found out what state laws may apply to my HIPAA-covered organization?
In 2009, a multi-agency report on State Law Requirements for Patient Permission to Disclose Health Information revealed numerous state laws that may pre-empt HIPAA (see Appendix A). Although out of date, this report is a good starting place to identify state laws that may apply to a HIPAA-covered organization. For further information, speak with a healthcare attorney or compliance professional.
What additional compliance issues exist when state laws extend beyond state boundaries?
This depends on the nature of the law. With regards to the Texas Medical Records Privacy Act, any organization that collects, maintains, or processes health information of a Texas resident is required to comply with the Act – even if the organization is not located in Texas or the individual was outside the state when the information was collected.
Are there federal laws that pre-date HIPAA that can impact the delivery of healthcare?
Certainly. In addition to the Privacy Act discussed above, some regulations relating to the confidentiality of substance use disorder patient records (42 CFR § Part 2) have their origins in the National Mental Health Act of 1946. To help Covered Entities incorporate the regulations into HIPAA-compliant operations, the Substance Abuse and Mental Health Service Administration (SAMHSA) has released a guide entitled “Does Part 2 Apply to Me?”
What happens if you violate HIPAA due to a more stringent state law?
If a state law has more stringent privacy protections and privacy rights than HIPAA, it is not possible to violate HIPAA by complying with the state law. However, if you comply with a state law that contradicts HIPAA, you could be sanctioned by HHS´ Office for Civil Rights. The type of sanction will depend on the nature of the violation and whether it was attributable to a lack of knowledge or willful neglect.
Will the Privacy Rule be revised again to address conflicts between HIPAA and other federal laws?
This is highly likely. Since the Privacy Rule was last revised, Congress has passed legislation such as the CARES Act, the HIPAA Safe Harbor Law, and the 21st Century Cures Act. The impact of these federal laws on HIPAA are expected to be addressed in new HIPAA regulations forecast to be published by the Secretary for Health and Human Services later this year or in early 2023.