NRPM: Standards for Privacy of Individually Identifiable Health Information. ii. What is a “State law”?


It is unclear what the term “provision of State law” in sections 1178 and 264(c) means. The question is whether the provision in question must, in order to be considered to have preemptive effect, be legislatively enacted or whether administratively adopted or judicially decided State requirements must also be considered. Congress explicitly addressed the same issue in a different part of HIPAA, section 102. Section 102 enacted section 2723 of the Public Health Service Act, which is a preemption provision that applies to issuers of health insurance to ERISA plans. Section 2723 contains in subsection (d)(1) the following definition of “State law”: “The term “State law” includes all laws, decisions, rules, regulations, or other State action having the effect of law, of any State. A law of the United States applicable only to the District of Columbia shall be treated as a State law rather than a law of the United States.

By contrast, Congress provided no definition of the term “State law” in section 264. This omission suggests two policy options. One is to adopt the above definition, as a reasonable definition of the term and as an indication of what Congress probably intended in the preemption context (the policy embodied in section 2723 is analogous to that embodied in section 264(c)(2), in the sense that the State laws that are not preempted are ones that provide protections to individuals that go above and beyond the federal requirements). The other option is to argue by negative implication that, since Congress could have but did not enact the above definition in connection with sections 264 and 1178, it intended that a different definition be used, and that the most reasonable alternative is to limit the State laws to be considered to those that have been legislatively enacted.

The Department does not consider the latter option to be a realistic one. It is legally questionable and is also likely to be extremely confusing and unworkable as a practical matter, as it will be difficult to divorce State “laws”from implementing administrative regulations or decisions or from judicial decisions. Also, much State “privacy law” – e.g., the law concerning the physician/patient privilege – is not found in statutes, but is rather in State common law. Finally, since health care providers and others are bound by State regulations and decisions, they would most likely find a policy that drew a line based on where a legal requirement originated very confusing and unhelpful. As a result, we conclude that the language in section 102 represents a legally supportable approach that is, for practical reasons, a realistic option, and it is accordingly proposed in proposed §160.202 below.