
We may be the only provider of HIPAA compliance tools that has this information on their website. The reason for this is simple: even though HIPAA explicitly requires that your Notice contains information about your state's privacy laws, only HIPAAeasy's Notices are customized to incorporate the information specific to your state. This means that if you use someone else's Notice, it will not be legally compliant until you include state law preemption information. Our Notices are the most legally complete products on the market. Here's why:
In enacting HIPAA, Congress intended to establish a minimum set of standards for the protection of patient privacy. HIPAA regulations state that HIPAA supersedes state law only where state law is "contrary" to HIPAA. According to HIPAA, a state law is "contrary" if (1) it is not possible to comply with both state law and HIPAA; and (2) the state law stands as an obstacle to the purposes of HIPAA.
The question of when state law is "contrary" to HIPAA is a very complicated matter which may require a health care provider to seek the assistance of legal counsel in order to analyze the laws of his or her particular state. Though this tutorial is intended to help you in understanding some circumstances in which HIPAA supersedes state law, we strongly urge you to obtain competent professional assistance.
The HIPAA regulations state that HIPAA will not supersede state law in the following three situations:
• The state law is necessary to prevent fraud or to meet a compelling state interest in public health or safety; or
• The state law is more "stringent" than HIPAA; or
• The state law provides for the reporting of disease, child abuse, birth, death or public health surveillance.
In the above three areas, providers must continue to follow state laws
because they will not be superseded by HIPAA. Let’s discuss each of the
above three situations.
First, HIPAA does not supersede state law that is necessary to prevent
fraud or to meet a compelling state interest regarding public health
or safety. Certain states have laws designed to prevent fraud and abuse
in billing by health care providers. Many states also have laws regarding
inspection of health care facilities for purposes of quality assurance,
safety and cleanliness. HIPAA will not supersede these laws to the extent
that they are legitimately necessary to prevent fraud or to ensure public
health and safety.
Second, HIPAA does not supersede state law that is "more stringent" than
HIPAA. According to HIPAA, a state law is "more stringent" where:
• It prohibits disclosure of patient health information when HIPAA would otherwise allow it;
• It grants greater patient rights or greater patient access to health information;
• It requires that a greater amount of information be given to the patient about the use, rights and remedies with respect to their health information than does HIPAA;
• It relates to the form, substance or need for the patient’s permission to disclose health information, and it narrows the scope or duration of the written permission to release health information, or increases privacy protection for the patient;
• It requires retention of, or reporting of, more detailed information by health care providers, or requires that such must occur for a greater length of time, than HIPAA; or
• It provides greater privacy protection as to any other matter in addition to the above.
If a state law meets any of the above criteria, it will continue in
effect and will not be superseded by HIPAA. The following are some
practical examples of when the above criteria may apply.
• HIPAA allows information regarding a patient who has AIDS to be freely
disclosed among treating health care providers, health plans and insurance
companies without written patient permission. Many states, however, have
laws which prohibit the disclosure of information regarding patients with
AIDS unless the patient has signed a written permission. In these states,
state law would not be superseded and health care providers would have
to continue to strictly guard the health information of patients with AIDS,
even though HIPAA would allow greater latitude in disclosing that information.
• HIPAA states that if a patient asks a health care provider for access to the patient’s health information, the health care provider must respond to that request within thirty (30) days. In some states, however, access must be allowed within a shorter period of time than thirty days. For example, in Virginia, the health care provider must respond within fifteen (15) days from the receipt of a written request by the patient for copies of his or her medical records. Because Virginia law gives greater rights of access to health information, it will continue to apply and will not be superseded by HIPAA.
• HIPAA says that health care providers may charge a fee for providing copies of medical records to their patients. Under HIPAA, the health care provider may only charge a patient for the actual cost of the copies, including labor, as well as postage if the patient requests that the copies be mailed to him or her. In some states, however, the law requires that a free copy of medical records be provided to the patient in some situations. For example, in Ohio, a free copy of medical records must be provided to the patient if the records are necessary to support a claim under Title II or Title XVI of the Social Security Act (for purposes of a Social Security disability claim). Ohio also requires that a free copy of the medical records be provided to the Bureau of Workers Compensation, to the Industrial Commission and to the Department of Job and Family Services. Because Ohio law provides for greater access by the patient to his or her health information, it is not superseded by HIPAA.
• HIPAA requires health care providers to give a Notice of Privacy Practices to their patients describing how the health care provider will use and disclose health information and describing the rights that patients have as to their health information. Some state laws, however, require that more extensive and detailed notices be given to patients on certain issues. Because the law in those states provides for a greater amount of information to the patient regarding the use and disclosure of their health information, or regarding their rights, state law will continue to apply and will not be superseded by HIPAA.
• HIPAA requires that a signed authorization or permission must be obtained from the patient in order to release his or her health information under certain circumstances. Though HIPAA sets forth certain guidelines as to the content of a written authorization form, it does not require that a particular form be used verbatim. In some states, however, a specific form must be used to authorize the release of health information. For example, in the State of Oregon, a specific release form is set forth and required by state law. Accordingly, in the State of Oregon, health information may only be released pursuant to that particular authorization form, because the law specifies the form and substance for legal permission to disclose patient health information.
• HIPAA requires that certain documents be retained by health care providers for at least six (6) years. It also provides for health care providers to give patients an accounting as to those to whom their health information has been disclosed. Some states have laws that require a longer period of time for retention of patient health information. In addition, some states, such as California, may give patients greater rights as to the receipt of an accounting from health care providers as to the disclosures of their health information. In those situations, state law is more stringent and will continue to apply.