NPRM: Standards for Privacy of Individually Identifiable Health Information. IX. Executive Order 12612: Federalism


The Department has examined the effects of provisions in the proposed privacy regulation on the relationship between the Federal government and the States, as required by Executive Order 12612 on "Federalism." The agency concludes that preempting State or local proposed rules that provide less stringent privacy protection requirements than Federal law is consistent with this Executive Order. Overall, the proposed rule attempts to balance the autonomy of the States with the necessity to create a Federal benchmark to preserve the privacy of personally identifiable health information.

It is recognized that the States generally have laws that relate to the privacy of individually identifiable health information. The HIPAA statute dictates the relationship between State law and this proposed rule. Except for laws that are specifically exempted by the HIPAA statute, State laws continue to be enforceable, unless they are contrary to Part C of Title XI of the standards, requirements, or implementation specifications adopted or pursuant to subpart x. However, under Section 264(c)(2), not all contrary provisions of State privacy laws are preempted; rather, the law provides that contrary provisions that are also “more stringent” than the federal regulatory requirements or implementation specifications will continue to be enforceable.

Section 3(b) of Executive Order 12612 recognizes that Federal action limiting the discretion of State and local governments is appropriate "where constitutional authority for the action is clear and certain and the national activity is necessitated by the presence of a problem of national scope." Personal privacy issues are widely identified as a national concern by virtue of the scope of interstate health commerce. HIPAA’s provisions reflect this position. HIPAA attempts to facilitate the electronic exchange of financial and administrative health plan transactions while recognizing challenges that local, national, and international information sharing raise to confidentiality and privacy of health information.

Section 3(d)(2) of Executive Order 12612 requires that the Federal government refrain from “establishing uniform, national standards for programs and, when possible, defer to the States to establish standards.” HIPAA requires HHS to establish standards, and we have done so accordingly. This approach is a key component of the proposed privacy rule, and it adheres to Section 4(a) of Executive Order 12612, which expressly contemplates preemption when there is a conflict between exercising State and Federal authority under Federal statute. Section 262 of HIPAA enacted Section 1178 of the Social Security Act, developing a “general rule” that State laws or provisions that are contrary to the provisions or requirements of Part C of Title XI, or the standards or implementation specifications adopted or established thereunder, are preempted. Several exceptions to this rule exist, each of which is designed to maintain a high degree of State autonomy.

Moreover, Section 4(b) of the Executive Order authorizes preemption of State law in the Federal rule making context when there is "firm and palpable evidence compelling the conclusion that the Congress intended to delegate to the * * * agency the authority to issue regulations preempting State law." Section 1178(a)(2)(B) of HIPAA specifically preempts State laws related to the privacy of individually identifiable health information unless the State law is more stringent. Thus, we have interpreted State and local laws and regulations that would impose less stringent requirements for protection of individually identifiable health information as undermining the agency's goal of ensuring that all patients who receive medical services are assured a minimum level of personal privacy. Particularly where the absence of privacy protection undermines an individual’s access to health care services, both the personal and the public interest are served by establishing Federal rules.

The proposed rule would establish national minimum standards with respect to the collection, maintenance, access, transfer, and disclosure of personally identifiable health information. The Federal law will preempt State law only where State and Federal laws are “contradictory” and the Federal regulation is judged to establish “more stringent” privacy protections than State laws.

As required by the Executive Order, States and local governments will be given, through this notice of proposed rule making, an opportunity to participate in the proceedings to preempt State and local laws (Section 4(e) of Executive Order 12612). However, it should be noted that the preemption of State law is based on the HIPAA statute. The Secretary will also provide a review of preemption issues upon requests from States. In addition, under the Order, appropriate officials and organizations will be consulted before this proposed action is implemented (Section 3(a) of Executive Order 12612).

Finally, we have considered the cost burden that this proposed rule would impose on State-operated health care entities, Medicaid, and other State health benefits programs. We do not have access to reliable information on the number of State-operated entities and programs, nor do we have access to data on the costs these entities and programs would incur in order to comply with the proposed rule. A discussion of possible compliance costs that covered entities may incur is contained in the Unfunded Mandates section above. We believe that requiring State health care entities covered by the proposed rule to comply with the proposed rule would cost less than one percent of a State’s annual budget.

The agency concludes that the policy proposed in this document has been assessed in light of the principles, criteria, and requirements in Executive Order 12612; that this policy is not inconsistent with that Order; that this policy will not impose significant additional costs and burdens on the States; and that this policy will not affect the ability of the States to discharge traditional State governmental functions.

During our consultation with the States, representatives from various State agencies and offices expressed concern that the proposed regulation would preempt all State privacy laws. As explained in this section, the regulation would only preempt State laws where there is a direct conflict between State laws and the regulation, and where the regulation provides more stringent privacy protection than State law. We discussed this issue during our consultation with State representatives, who generally accepted our approach to the preemption issue. During the consultation, we requested further information from the States about whether they currently have laws requiring that providers have a “duty to warn” family members or third parties about a patient’s condition other than in emergency circumstances. Since the consultation, we have not received additional comments or questions from the States.