
State Privacy

In addition to requiring healthcare entities to comply with federal Privacy regulations, HIPAA requires that covered entities analyze state privacy statutes and follow preemption guidelines to determine which state law may preempt HIPAA Privacy.

This presents a challenge to most healthcare entities: state laws differ from state to state, Privacy regulations are strewn about in the statutes (rather than being conveniently lumped together as in HIPAA) and change frequently, and the preemption guidelines are complex, requiring intensive analysis. For this reason, many HIPAA service providers and products (like the ADA HIPAA manual) have ignored the state laws entirely, leaving the covered entities to fend for themselves.

In general, state statutes govern:

  • Use and disclosure of PHI
  • Access to PHI
  • Safeguards
  • Protected classes of individuals (HIV, minors, etc.)
  • Required reporting of infectious diseases, abuse and domestic violence, etc.

Why worry about state laws?

There are two main reasons why covered entities should pay attention to state Privacy laws: the enforcement mechanism, and the fines and penalties involved.

Enforcement mechanism

While HIPAA Privacy regulations do not give you the right to sue a covered entity for privacy violations (instead, there is a complaint process and possible investigation by the Office for Civil Rights, OCR), state laws do give individuals the right to sue and recover damages.

Fines and penalties

Covered entities may take some solace in the fact that OCR has indicated that, in case of privacy violations, it will work with the covered entity to correct the violation before imposing any penalties. States, however, have given no such indication, and have in many cases been quite vigilant in prosecuting violations on behalf of individuals.

Our approach

The Health Privacy Project at Georgetown University produced a number of summaries of state privacy laws. We started with these summaries and followed a top-down approach, analyzing all of the state privacy regulations and comparing them with the HIPAA Privacy Rule, in cooperation with our partner Tyler, Cooper & Alcorn, LLP.

   
©2001-2008 HIPAAssociates, Inc.