Final Rule for Standards for Privacy of Individually Identifiable Health Information. What the Rule Covers

Analysis by the AHIMA Policy and Government Relations Team


Preemption of State [and other] Law[s]

{The preemption of state law remains one of the more controversial issues with Privacy. Parties generally disagreed on three specific issues. First, various groups that include AHIMA support complete preemption to establish a uniform national standard for the release and disclosure of health information. The standard would be a federal "ceiling" where states could not enact more stringent laws. Second, a number of groups support the creation of a federal "floor" of protections where a federal standard would exist but states would have the ability to pass something stronger. Finally, various groups believe that the federal government has no constitutional authority to enact any type of federal privacy rule. This is the "states rights" position.

HIPAA was limited in its ability to preempt state laws. The legislative language specifically provided for establishing a federal "floor" of protections where states can enact more stringent health information privacy protections. Therefore, the December 28, 2000 Rule did not solve the preemption issue in accordance with AHIMA’s position. The Rule, in accordance with HIPAA’s legislative language, created a federal "floor" of protections.}

General Rule and Exception

The Rule states (§160.203) that "a standard, requirement, or implementation specification adopted under the [Rule] that is contrary to a provision of State law preempts the provision of State law." This general rule applies, except if one or more of the following conditions is met:

  • "A determination is made by the Secretary [See: Exception Determinations below] that the provision of State law
    • Is necessary;
      • To prevent fraud and abuse related to the provision of or payment for health care;
      • To ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation;
      • For State reporting on health care delivery costs; or
      • For purposes of serving a compelling need related to public health, safety, or welfare, and, if a standard, requirement, or implementation specification under…[other parts of this Rule]…, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served;
    • Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law." [65FR82801]

{This determination will be made by the Secretary after receiving a request for exemption from a state. Until such an exemption is approved, the preemption of the state law remains in effect. The following three points do not require a request from the state.}

  • "Relates to the PHI and is more stringent than a standard, requirement, or implementation specification adopted under…[this Rule]."

  • "Provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention [under procedures established by such law]."

  • "Requires a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals."

Process for Requesting Exception Determinations

The Rule (§160.204) indicates that a request to exempt a provision of state law from preemption may be submitted to the Secretary. The request must be submitted through the chief elected official of the state or his or her designee. The request must be in writing and include the following information:

  • The state law for which the exception is requested;

  • The particular standard, requirement, or implementation specification [in this Rule] for which the exception is requested;

  • The part of the standard or other provision [of the Rule] that will not be implemented based on the exception or the additional data to be collected based on the exception, as appropriate;

  • How healthcare providers, health plans, and other entities would be affected by the exception;

  • The reasons why the State law should not be preempted by the federal standard, requirement, or implementation specification [of this Rule], including how the State law meets one or more of the criteria [first listed under "general rule and exception" above];

  • Any other information the Secretary may request in order to make the determination.

Requests for exception must be submitted to the Secretary. "Until the Secretary’s determination is made, the standard, requirement, or implementation specification under this [Rule] remains in effect." The Secretary’s determination …"will be made on the basis of the extent to which the information provided and other factors demonstrate that one or more of the [acceptable under the Rule] criteria has been met."

{As this Rule is newly published, it is unclear to what extent, and how, the Secretary will allow public comment on the decisions permitted here. Other modifications under HIPAA essentially include advisory bodies and published requests for comments. This may be the case here as well, but currently it is not spelled out.

Since exceptions to preemption and all the preemption issues are statewide, HIM professionals and covered entities interested in the Rule's interaction with state law should be working with state associations and the state’s attorney general or similar officer to review situations where conflicts might exist. Federal legislation may also be forthcoming that would add to or decrease what aspects of the Rule are open to preemption.}

Duration of Effectiveness of Exception Determinations

Once an exception is granted by the Secretary, it remains in effect until either the state law or the federal standard, requirement, or implementation specification [of this Rule] that provided the basis for the exception is materially changed, such that the ground for the exception no longer exists. The Secretary can also revoke the exception based on a determination that the ground supporting the need for the exception no longer exists.

{Relation to Other Federal Laws:

The Rule does not generally refer to other federal statutes and regulations. In the preamble to the Rule (65FR82481) there is an extended discussion with regard to potential overlaps. In this discussion DHHS suggests that there should be few conflicts, and that many times one rule might state "may" while another states "must," leading to a situation where "must" overrides "may" and, according to DHHS, therefore resolves the conflict. Readers should note that this same situation exists between the Rule and some state laws as well.

In the discussion on other federal statutes and regulations that interact with the Rule, DHHS lists several situations where federal statutes might be considered overlapping. We list them here for your benefit, although we will not provide any analysis regarding the potential interaction. The rules listed include (we note the 65FR page where discussion occurs):

  • The Privacy Act of 1974 (5 U.S.C.)—65FR82482
  • The Freedom of Information Act (5 U.S.C.)—65FR82482
  • Federal Substance Abuse Act—Confidentiality Requirements (42 U.S.C.)—65FR82482
  • Employee Retirement Income Security Act of 1974 (ERISA) (29 U.S.C.)—65FR82483
  • The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C.)—65FR82483
  • Gramm-Leach-Bliley (Pub.L. 106-102)—65FR82483
  • Various federally funded health programs’ requirements—65FR82484
  • Food, Drug, and Cosmetic Act (FDA) (21 U.S.C.)—65FR82484
  • Clinical Laboratory Improvement Amendments (CLIA) (42 U.S.C.)—65FR82485
  • Other Mandatory Federal or State Laws—65FR82485
  • Federal Disability Nondiscrimination Laws—65FR82485
  • US Safe Harbor Privacy Principles—65FR82486}

"Contrary" and "More Stringent"

The definitions for contrary and more stringent were listed above. Contrary applies when, in comparing a state law to a standard, requirement, or implementation specification under this Rule, the covered entity would find it impossible to comply with both requirements, or the state law "stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act or section 264 of Pub.L. 104-191, as applicable" (HIPAA).

The term more stringent comes into play (§160.202) when a State law meets one or more of the following criteria with respect to:

  • Use or Disclosure—The State law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this Rule, with two exceptions:
    • The disclosure is required by the Secretary to determine a covered entity’s compliance with the Rule, or
    • The disclosure is to the individual who is the subject of information.

  • Rights of an Individual—who is the subject of the individually identifiable health information of access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable; provided that nothing in this [Rule] may be construed to preempt any state law to the extent that it authorizes or prohibits disclosure of PHI about a minor to a parent, guardian, or person acting in loco parentis of such minor.
  • Information to be Provided to an Individual—who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies, provides the greater amount of information.

  • Form or Substance of an Authorization or Consent—for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the authorization or consent, as applicable.

  • Recordkeeping or Requirement Relating to Accounting of Disclosures—provides for the retention or reporting of more detailed information or for a longer duration.

  • Any other Matter—provides greater privacy protection for the individual who is the subject of the individually identifiable health information.

{Patently, this preceding section is very legalistic. Covered entities will need to work with their state associations and representatives of the state to determine if there are situations that ought to be defined and determined with regard to "more stringent," so that such issues are identified and resolved as soon as possible.}
