When State law requirements are tougher than HIPAA, then it’s likely that the State law is the one you need to follow.
When does it not? When it’s “contrary.” Then, it may be submitted for exemption – in other words, may be up for consideration to “trump” the federal regulations. However, it’s rare that a State law will even be considered for exemption. Generally, the federal law preempts the States when it comes to HIPAA privacy and security requirements.
As a general rule, if your State’s law around privacy and security requirements is more stringent than the federal regulations, you need to toe the line accordingly. So if the State law gives even greater individual rights and calls for greater protections around PHI than the federal codes do? You’re better off erring on the side of the State than protesting, “But the federal law says…”
The toughest part of the whole “does it or doesn’t it” question may actually be interpreting the lingo of what’s “contrary” and what’s “more stringent”!
Julia Huddleston, CIPP/CIPM, works with Apgar & Associates clients on compliance assessments, security risk analysis and policy and procedure review and implementation. She also oversees and directs Apgar & Associates’ day-to-day business functions, including finance, operations and marketing.