HIPAA vs State: Which Privacy Laws Do I Follow?

In one of our previous blogs, Director of Services Emily Roche discusses what an agency needs to know before entering new states for further growth. As stated by Emily, “As insurance coverage continues to expand for Applied Behavior Analysis (ABA Therapy), locations with new or expanding laws may have caught your eye and have you wondering if an opportunity exists to provide services.” You need to know, for sure, whether any new mandates have passed. You need to know whether there are any differing licensure requirements. And, you need to know what insurance companies are covering that potential area. Knowing these things before you begin working in a new state will also prepare you for what you might encounter when it comes to privacy for that or any other state.

HIPAA Rules (Most of the Time)

The HIPAA privacy rule governs how health care providers handle the use or disclosure of protected health information (PHI). In effect, PHI is defined as individually identifiable health information relating to the condition of a patient, the provision of health care or payments for care. All states already have privacy laws that apply to such information.

The Department of Health and Human Services provides a framework for understanding where HIPAA preempts state law. State law takes effect only if there is no HIPAA provision on a specific subject, if state law is more stringent, or if there is an exception under HIPAA.

Per HHS rules, if a provision of HIPAA is contrary to state law, federal law will preempt it. There are exceptions to this general rule. For instance, if state regulations governing the privacy of health information are more stringent than HIPAA standards, state law stands. The same is true if a state’s law prevents fraud and abuse, ensures regulation of insurance, or serves a compelling public health need. Another exception has to do with reporting of disease, injury, or child abuse. A fourth exception relates to laws requiring health plans to report information for management and financial audit purposes.

State laws are “more stringent” when they prohibit or restrict disclosures that would otherwise have been allowed under HIPAA. “More stringent” includes authorization or consent procedures that are more detailed than those described by HIPAA, that cover a longer period, or that provide greater protection to the patient.

These principles serve as a basis for comparison when trying to determine which provisions of state law will be superseded by HIPAA.

How to Know Which Law to Follow

HIPAA assumes that practitioners know the ins and outs of their state laws, but figuring out which law will take precedence involves a complicated analysis of state statutes, regulations, and common law decisions. There are a few states with their own laws regarding medical privacy. In these cases, you must know both the state and the HIPAA regulations in order to determine which law takes precedence.

Example: California Law

The most detailed California regulation is the Confidentiality of Medical Information Act. Applying the basic preemption rules above to California law, the analysis would proceed as follows.

Where There Are NO Conflicting Laws

There is no California law similar to the HIPAA requirements related to business associates. Under HIPAA, organizations such as claims processors that handle information for covered entities (e.g., hospitals or insurers) must establish a “business associate” agreement and agree to follow HIPAA rules.

Regarding amount of disclosure, HIPAA requires that a physician group, health plan, or other covered entity not ask for—or release more than—the minimum personal health information needed for whatever purpose its release is sought. Moreover, HIPAA requires that patients be notified about how their personal health information is handled. California, itself, has no such requirements.

Finally, HIPAA requires patient consent for use of that information for treatment, payment, and operations. Again, California has no equivalent consent requirement.

So, with respect to these provisions, the analysis is simple: no California laws in these areas exist and HIPAA prevails.

Where There ARE Conflicting Laws

Where HIPAA and California law address the same subject, whether state law is more stringent than federal law depends on the issue in question.

Consent for treatment

Under HIPAA, a provider must obtain patients’ consent before using or disclosing their information for treatment purposes, except when the provider has an indirect treatment relationship with the patient—such as a lab or consulting physician—in which case, consent is unnecessary. The California equivalent says a provider may release a patient’s information to other providers, without authorization, for purposes of diagnosis or treatment. Here, HIPAA is more stringent than California law because it requires consent; state law does not.
The HIPAA law permits use of a patient’s health information for research if it is shared with an institutional review board. This is an exception to the patient-authorization requirement. HIPAA also requires a description of why the information is needed for research, as well as assurances that the information will not be reused. California law, by contrast, provides that medical and research information may be released for “bona fide research purposes” to public agencies, clinical investigators, health care research organizations, and not-for-profit educational institutions. Here again, federal law is more stringent and would prevail under any conflict.
The California Confidentiality of Medical Information Act says that patients may bring legal action for violations of the state law, and are entitled to compensatory and punitive damages. HIPAA, by contrast, has no private right of action. In this case, California law is more stringent and will not be preempted.

HIPAA does provide, however, for civil and criminal penalties if a person knowingly discloses, obtains, or uses a patient’s medical information outside the law—resulting in a fine of $100 per violation, up to $25,000 in one year. Under California law, any violation of the Confidentiality Act is a misdemeanor, and negligent disclosure is subject to a $2,500 fine. While it would appear that the federal statute would supersede state law, there are differences: a case under federal law requires specific intent, whereas California requires only negligent disclosure to trigger a fine.

Federal criminal and civil penalties can be brought under HIPAA for knowingly disclosing, obtaining, or using identifiable health information under false pretenses, resulting in fines of up to $100,000 and/or five years in prison. Similarly, California law has a “knowing and willful” violation requirement that involves a $25,000 penalty.

Finally, HIPAA provides that anyone who violates the law for commercial or personal gain that results in malicious harm may be fined up to $250,000 and/or imprisoned for 10 years. The California law, by contrast, provides that where a violation occurs for financial gain, fines of up to $250,000 can be levied—plus, any proceeds resulting from the crime must be forfeited.

The two statutes are somewhat different regarding false pretenses and commercial gain; the federal statute is more stringent about false pretenses, while state law seems to be tougher with respect to financial gain.

Bottom Line: Know Your Laws or Seek Professional Advice

HIPAA compliance and state-law preemption analysis is still a work in progress. HIPAA regulations are extremely extensive and have yet to be fully implemented and interpreted.

There are many areas of overlap between state and HIPAA laws, and it is still unclear in many cases which will apply. However, from my initial review of these statutes, I believe that in most cases the more stringent provisions are to be found within HIPAA, and therefore, many state statutes will give way. Still, YOU MUST KNOW YOUR OWN STATE LAWS and do your own analysis to be certain.

If HIPAA applies to you or your organization, do your own research and become familiar with relevant state laws and compare them to HIPAA. Not doing so could result in substantial penalties under state or federal law. You may be able to find sites that contain previously determined precedence related to your state as it deals with medical privacy and HIPAA. But when in doubt, seek the advice of local attorneys to help you make the best decisions.

More Information

For further information please use the links below:

Summary of the HIPAA Privacy Rule from the Department of Health and Human Services

More on HIPAA Privacy Laws from HIPAA Journal

HIPAA, the Privacy Rule, and Its Application to Health Research from the National Center for Biotechnology Information