NRPM: Standards for Privacy of Individually Identifiable Health Information. 9. Preemption.


The HIPAA provides that the rule promulgated by the Secretary may not preempt state laws that are in conflict with the regulatory requirements and that provide greater privacy protections. The HIPAA also provides that standards issued by the Secretary will not supercede certain other State laws, including: State laws relating to reporting of disease or injury, child abuse, birth or death, public health surveillance, or public health investigation or intervention; State regulatory reporting; State laws which the Secretary finds are necessary to prevent fraud and abuse, to ensure appropriate State regulation of insurance, for State reporting on health care delivery or costs, or for other purposes; or, State laws which the Secretary finds address controlled substances. These provisions are discussed in more detail in preamble section II.I.1.

This proposed rule also must be read in conjunction with other federal laws and regulations that address the use and disclosure of health information. These issues are discussed in preamble section II.I.2.

In general, the rule that we are proposing would create a federal floor of privacy protection, but would not supercede other applicable law that provide greater protection to the confidentiality of health information. In general, our rule would not make entities subject to a state laws to which they are not subject today.