Does Your State Law Pass the Preemption Test? (part 2)

by Michael C. Roach, JD

Part two in a two-part series

This is the second of two articles on the subject of HIPAA preemption of state privacy law. This article will discuss some practical effects of the preemption rules and where covered entities might turn for assistance in addressing the question of preemption.

While many people talk in terms of the effect of preemption of state law, it is more important from a practical perspective to think in terms of state laws that are not preempted. State laws that are preempted will have no practical effect, but covered entities will need to continue to adhere to state laws that are not preempted.

Additionally, covered entities must incorporate more stringent state law into the notice of privacy practices that they must develop (see section 45 C.F.R. ß 164.520(b)(1)(ii)(c) of the Federal Register). According to HHS, this means that a covered entity (CE) that conducts business in multiple states with different health information privacy laws may be required to produce a different notice for each state (65 Fed. Reg. 82462, 82548 (Dec. 28, 2000).

Preemption Provisions Get Practical

Consider the following hypothetical situation. Hospital A is licensed in and physically located in state X. It also has an outpatient facility across the state line in state Y. There is a provision of law in state Y regarding the rights of residents of state Y that is more stringent than the privacy rules.1 Under HHS’ interpretation, hospital A must either develop one notice for individuals who are residents of state X and a different notice for individuals who are residents of state Y, or the hospital must abide by the more stringent provision of state Y for all of its patients and have one notice that incorporates the state Y provisions.

There is some question as to what it means to “conduct business” as that term is used in the preamble to the privacy regulations. Most people would agree that in this hypothetical situation, hospital A is conducting business in both state X and state Y because it has a physical presence in both states. However, the question is less clear if hospital A does not have a physical presence in state Y. Is hospital A conducting business in state Y if it does not have a physical presence there but advertises in electronic and print media that it knows reach across the state line to residents of state Y? What if hospital A does not advertise in state Y, but 20 percent of its patients are residents there? Is hospital A doing business in other states just because it draws patients from those states?

Arguably not, but it is unclear what position HHS will take on this issue. Hospital A is confronted with trying to determine whether or not the requirements to incorporate more stringent state law into its notice applies to notices given to residents of a foreign state who come to the hospital. This question of determining when an entity is “conducting business” in another state has gotten little attention. Perhaps HHS will provide guidance in the future as to how CEs are to address this situation.

In the meantime, CEs must determine (at least for the states in which they are physically located) those state laws governing the use or disclosure of protected health information that are more stringent than the privacy rules.

Additional Resources

CEs should check professional societies or associations of which they are members to determine if those societies or associations are conducting analyses that they will make available to their members regarding the preemption issue. For instance, hospitals located in state Y might contact the state Y hospital association. Likewise, physicians in state Y might contact the state Y medical society. Other health-related state agencies might be conducting state law preemption analyses. For instance, the Illinois Department of Public Health has contracted to have a preemption analysis completed. The California Health Care Foundation has posted the results of a preemption analysis done on California state law on its Web site at (to access the report, click on “HIPAA” under “Browse Topics.” The report is in the document entitled “Implementing the Federal Health Privacy Rule in California”).


1Laws that are worded in such a way that they protect the residents of the state that has passed the law and that reach entities that are outside the borders of the state are frequently referred to as being “extraterritorial.”

Michael C. Roach, JD, is a partner in the Chicago office of the law firm of Michael Best & Friedrich LLC. He can be reached at (312) 836-6190 or via e-mail at Michael Best & Friedrich’s Web site is

Article citation:
Roach, Michael C. "Does Your State Law Pass the Preemption Test?." In Confidence 10:9 (September 2002), p.3.