The third exception to the “general rule” that the federal requirements, standards, and implementation specifications preempt contrary State law concerns State laws relating to the privacy of individually identifiable health information. Section 1178(a)(2)(B) provides that a State law is excepted from this general rule, which, “subject to section 264(c)(2) of the Health Insurance Portability and Accountability Act of 1996, relates to the privacy of individually identifiable health information.” Section 264(c)(2) of HIPAA provides that the HIPAA privacy regulation, which is proposed in the accompanying proposed subpart B of proposed part 160, will not supersede “a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed” under the regulation at proposed subpart E of proposed part 164.
It is recognized that States generally have laws that relate to the privacy of individually identifiable health information. These laws continue to be enforceable, unless they are contrary to part C of title XI or the standards, requirements, or implementation specifications adopted or established pursuant to the proposed subpart x. Under section 264(c)(2), not all contrary provisions of State privacy laws are preempted; rather, the law provides that contrary provisions that are also “more stringent” than the federal regulatory requirements or implementation specifications will continue to be enforceable.