The issue of when a provision of State law is “more stringent” than the comparable “requirements, standards, or implementation specifications” of the HIPAA privacy regulation is not an easy one. In general, it seems reasonable to assume that “more stringent” means “providing greater privacy protection,” but such an interpretation leads to somewhat different applications, depending on the context. For example, a State law that provided for fewer and more limited disclosures than the HIPAA privacy regulation would be “more stringent.” At the same time, a State law that provides for more and/or greater penalties for wrongful disclosures than does the HIPAA privacy regulation would also be “more stringent.” Thus, in the former case, “more stringent” means less or fewer, while in the latter case, “more stringent” means more or greater. In addition, some situations are more difficult to characterize. For example, if the HIPAA privacy regulation requires disclosure to the individual on request and a State law prohibits disclosure in the circumstance in question, which law is “more stringent” or “provides more privacy protection”?
A continuum of regulatory options is available. At one end of the continuum is the minimalist approach of not interpreting the term “more stringent” further, or of spelling out only a general interpretation, such as the “provides more privacy protection” standard, and leaving the specific applications to later case-by-case determinations. At the other end of the continuum is the approach of spelling out in the regulation a number of different applications, to create a very specific analytic framework for future determinations. We propose below the latter approach for several reasons: specific criteria will simplify the determination process for agency officials, as some determinations will already be covered by the regulation, while others will be obvious; specific criteria will also provide guidance for determinations where the issue of “stringency” is not obvious; courts will be more likely to give deference to agency determinations, leading to greater uniformity and consistency of expectation; and the public, regulated entities, and States will have more notice as to what the determinations are likely to be.
The specific criteria proposed at proposed § 160.202 are extrapolated from the principles of the fair information practices that underlie and inform these proposed rules and the Secretary’s Recommendations. For example, limiting disclosure of personal health information obviously protects privacy; thus, under the criteria proposed below, the law providing for less disclosure is considered to be “more stringent.” Similarly, as the access of an individual to his or her protected health information is considered to be central to enabling the individual to protect such information, the criteria proposed below treat a law granting greater rights of access as “more stringent.” We recognize that many State laws require patients to authorize or consent to disclosures of their health information for treatment and/or payment purposes. We consider individual authorization generally to be more protective of privacy interests than the lack of such authorization, so such State requirements would generally stand, under the definition proposed below.
However, we would interpret a State law relating to individual authorization to be preempted if the law requires, or would permit a provider or health plan to require, as a condition of treatment or payment for health care, an individual to authorize uses or disclosures for purposes other than treatment, payment and health care operations, and if such authorization would override restrictions or limitations in this regulation relating to the uses and disclosures for purposes other than treatment, payment and health care operations. For example, if a State law permitted or required a provider to obtain an individual authorization for disclosure as a condition of treatment, and further permitted the provider to include in the authorization disclosures for research or for commercial purposes, the State law would be preempted with respect to the compelled authorization for research or commercial purposes. At the same time, if a State law required a provider to obtain an individual authorization for disclosure as a condition of treatment, and further required the provider to include an authorization for the provider to disclose data to a State data reporting agency, such a law would not be preempted, because State laws that require such data reporting are saved from preemption under section 1178(c) of the statute.
In addition, to the extent that a State consent law does not contain other consent or authorization requirements that parallel or are stricter than the applicable federal requirements, those detailed federal requirements would also continue to apply. We solicit comment in particular on how these proposed criteria would be likely to operate with respect to particular State privacy laws.