42 U.S.C. § 1320d–7
Effect on State Law
(a) General effect
(1) General rule
Except as provided in paragraph (2), a provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d–1 through 1320d–3 of this title, shall supersede any contrary provision of State law, including a provision of State law that requires medical or health plan records (including billing information) to be maintained or transmitted in written rather than electronic form.
(2) Exceptions
A provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d–1 through 1320d–3 of this title, shall not supersede a contrary provision of State law, if the provision of State law—
(A) is a provision the Secretary determines—
(i) is necessary—
(I) to prevent fraud and abuse;
(II) to ensure appropriate State regulation of insurance and health plans;
(III) for State reporting on health care delivery or costs; or
(IV) for other purposes; or
(ii) addresses controlled substances; or
(B) subject to section 264(c)(2) of the Health Insurance Portability and Accountability Act of 1996, relates to the privacy of individually identifiable health information.
(b) Public health
Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.
(c) State regulatory reporting
Nothing in this part shall limit the ability of a State to require a health plan to report, or to provide access to, information for management audits, financial audits, program monitoring and evaluation, facility licensure or certification, or individual licensure or certification.
45 CFR Part 160
Electronic Code of Federal Regulations (e-CFR)
Title 45. Public Welfare
Chapter A. Department of Health and Human Services
Subchapter C. ADMINISTRATIVE DATA STANDARDS AND RELATED REQUIREMENTS
Part 160. GENERAL ADMINISTRATIVE REQUIREMENTS
Subpart B. Preemption of State Law
- 160.201 Statutory basis.
- 160.202 Definitions.
- 160.203 General rule and exceptions.
A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law. This general rule applies, except if one or more of the following conditions is met:
(a) A determination is made by the Secretary under § 160.204 that the provision of State law:
(1) Is necessary:
(i) To prevent fraud and abuse related to the provision of or payment for health care;
(ii) To ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation;
(iii) For State reporting on health care delivery or costs; or
(iv) For purposes of serving a compelling need related to public health, safety, or welfare, and, if a standard, requirement, or implementation specification under part 164 of this subchapter is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or
(2) Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law.
(b) The provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter.
(c) The provision of State law, including State procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.
(d) The provision of State law requires a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals.
- 160.204 Process for requesting exception determinations.
- 160.205 Duration of effectiveness of exception determinations.
Summary
Case Law
Rule: Zuckerman holds that HIPAA preempts any contrary state law unless the state law is more stringent than HIPAA. In Nat’l Abortion Fed’n v. Ashcroft, the court measured the requirements of HIPAA against federal law privileges and the Federal Rules of Evidence. Consequently, the court found HIPAA controls enforceability of subpoenas.
4th Circuit
S.C. Med. Ass’n v. Thompson, 327 F.3d 346 (4th Cir. 2003)
Facts: Appellants filed suit for declaratory relief from several provisions of HIPAA. The complaint argued HIPAA’s non-preemption of “more stringent” state privacy laws is unconstitutionally vague and should be declared unconstitutional under the Due Process Clause of the 5th Amendment. However, the regulation explains four criteria that show when a law is “more stringent” than HIPAA.
Holding: HIPAA’s non-preemption of “more stringent” state privacy laws is not unconstitutionally vague.
Law v. Zuckerman, 307 F. Supp. 2d 705 (D.Md. 2004)
Facts: Plaintiff sued Defendant, her surgeon, for medical malpractice. Defendant’s counsel engaged in ex parte pre-trial communications with Plaintiff’s treating physician without Plaintiff’s knowledge or consent. Plaintiff alleges this is a violation of HIPAA. The parties dispute whether HIPAA or the Maryland Confidentiality of Medical Records Act (MCMRA) controls. HIPAA provides that a provider may disclose patient records after using certain procedures, whereas MCMRA states a provider shall do so.
Holding: MCMRA is not more restrictive than HIPAA, so HIPAA preempts the statute. Therefore, HIPAA controls.
Nat’l Abortion Fed’n v. Ashcroft, 2004 U.S. Dist. LEXIS 1701 (N.D. Ill. 2004)
Facts: Appellants filed a civil suit against the US Attorney General, challenging the constitutionality of the Partial Birth Abortion Ban Act of 2003 (PBABA). During the lawsuit, the Government served Northwestern Hospital with a subpoena, seeking “all medical records associated with those medical record numbers to be identified by [Dr. Hammond]” as those who received medically necessary abortion procedures. Northwestern moved to quash the subpoena as privileged from disclosure under HIPAA, the Illinois Medical Privacy Law (IMPL), and federal statutory and common law. The IMPL has strict disclosure protections under physician-patient privilege; in the situation at hand, the IMPL would not allow the disclosure.
Holding: The IMPL is not preempted.
Nat’l Abortion Fed’n v. Ashcroft, 2004 U.S. Dist. LEXIS 1701 (7th Cir. 2004)
Note: this is the same case as above, but the Seventh Circuit gives a different discussion. The Seventh Circuit weighs the concerns of the hospital and women in Illinois, mainly that the hospital will lose the confidence of its patients to protect their privacy, and “skillful Googlers” could identify the anonymous women based on their medical history.
Further Readings
Kirk Nahra, Moving Toward a New Health Care Privacy Paradigm, Wiley Rein, 2014
Kirk J. Nahra, The New HIPAA NPRM – The Latest and Greatest in the Evolution of the HIPAA Privacy Rule, American Health L. Ass’n Health L. Wkly (December 18, 202