Jumping through Two Hoops HIPAA and State Law Compliance: the Problem of the Failure of Federal Preemption. Bruce Merlin Fried, Esq. HIPAA Summit West II March 14, 2002. HIPAA: The Law of the Land?. Sort of, or is it maybe? One national privacy standard would: Be easier to administer
Bruce Merlin Fried, Esq.
HIPAA Summit West II
March 14, 2002
§ 1178 (2)
Is the provision of State law “contrary to” the Privacy rule (i.e., is it impossible to comply with both the Privacy rule and the provision of State law?) Few truly contrary.
Is it merely a general provision providing for the confidentiality or privacy of information (e.g., physician must keep patient records confidential
As a matter of law, provision is not preempted by the Rule. Therefore, CEs must comply with both state law and the Rule. We will conduct a “practical” analysis, comparing provision to the Privacy Rule.
· Where no analogous provisions in the Rule, describe additional state law requirements in the database. Not Contrary, Not Preempted, Both Apply; State Law Supplements Rule.
· Where analogous provisions in the Rule, determine which “controls” as a practical matter. Use the Rule’s definition of “more stringent” to guide analysis. Not Contrary, Not Preempted, Both Apply, But, as a Practical Matter, Either State Law or the Rule Will Control.
Include cite on list in database NOTCONTRARY, NOT PREEMPTED
Is the provision within the scope of the project?
(direct & indirect plan impact
Is the provision of state law more “stringent” than the Privacy rule?
Does the provision relate to the privacy of health information (or any other topic discussed in the Privacy Rule)?
Analysis complete, do not include anywhere in database.
This provision is wholly preempted (less stringent).
Contrary and Less Stringent; Preempted
State law controls over the Privacy Rule; include in analysis Contrary and More Stringent