NRPM: Standards for Privacy of Individually Identifiable Health Information. 1. Relationship to State laws.


Congress addressed the issue of preemption of State law explicitly in the statute, in section 1178 of the Act. Consonant with the underlying statutory purpose to simplify the financial and administrative transactions associated with the provision of health care, the new section 1178(a)(1) sets out a “general rule” that State law provisions that are contrary to the provisions or requirements of part C of title XI or the standards or implementation specifications adopted or established thereunder are preempted by the federal requirements. The statute provides three exceptions to this general rule: (1) for State laws which the Secretary determines are necessary to prevent fraud and abuse, ensure appropriate State regulation of insurance and health plans, for State reporting on health care delivery, and other purposes; (2) for State laws which address controlled substances; and (3) for State laws relating to the privacy of individually identifiable health information which, as provided for by the related provision of section 264(c)(2), are contrary to and more stringent than the federal requirements. Section 1178 also carves out, in sections 1178(b) and 1178(c), certain areas of State authority which are not limited or invalidated by the provisions of part C of title XI; these areas relate to public health and State regulation of health plans.

Section 264 of HIPAA contains a related preemption provision. Section 264(c)(2) is, as discussed above, an exception to the “general rule” that the federal standards and requirements preempt contrary State law. Section 264(c)(2) provides, instead, that contrary State laws that relate to the privacy of individually identifiable health information will not be preempted by the federal requirements, if they are “more stringent” than those requirements. This policy, under which the federal privacy protections act as a floor, but not a ceiling on, privacy protections, is consistent with the Secretary’s Recommendations.

Aside from the cross-reference to section 264(c)(2) in section 1178(a)(2)(B), several provisions of section 1178 relate to the proposed privacy standards. These include the general preemption rule of section 1178(a)(1), the carve-out for public health and related reporting under section 1178(b), and the carve-out for reporting and access to records for the regulation of health plans by States under section 1178(c). Other terms that occur in section 264(c)(2) also appear in section 1178: the underlying test for preemption – whether a State law is “contrary” to the federal standards, requirements or implementation specifications – appears throughout section 1178(a), while the issue of what is a “State law” for preemption purposes applies throughout section 1178. In light of these factors, it seems logical to develop a regulatory framework that addresses the various issues raised by section 1178, not just those parts of it implicated by section 264(c)(2). Accordingly, the rules proposed below propose regulatory provisions covering these issues as part of the general provisions in proposed part 160, with sections made specifically applicable to the proposed privacy standard where appropriate.