NRPM: Standards for Privacy of Individually Identifiable Health Information. § 160.203 General rule and exceptions.


General rule. A standard, requirement, or implementation specification adopted under or pursuant to this subchapter that is contrary to a provision of State law preempts the provision of State law. This general rule applies, except where one or more of the following conditions is met:

(a) A determination is made by the Secretary pursuant to § 160.204(a) that the provision of State law:

(1) Is necessary:

(i) To prevent fraud and abuse;

(ii) To ensure appropriate State regulation of insurance and health plans;

(iii) For State reporting on health care delivery or costs; or

(iv) For other purposes related to improving the Medicare program, the Medicaid program, or the efficiency and effectiveness of the health care system; or

(2) Addresses controlled substances.

(b) The provision of State law relates to the privacy of health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter.

(c) The provision of State law, or the State established procedures, are established under a State law providing for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.

(d) The provision of State law requires a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, facility licensure or certification, or individual licensure or certification.