by Cherie Jones, J.D.

When federal rules and state laws address the same aspect of health care delivery, the question of which law or rule will apply is important for health professionals. Practicing psychologists must take appropriate steps to answer the question when the subject is privacy of protected health information in patient records. This process is far from simple, and there is increasing urgency to address the matter given the April 14, 2003 deadline for compliance with the HIPAA privacy rule.

The federal rule implementing privacy protections under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes requirements that health care providers must follow when they are using or disclosing “protected health information,” or PHI. The privacy rule from the U.S. Department of Health and Human Services (HHS) defines PHI as individually identifiable health information relating to the condition of a patient, the provision of patient care, or payment for care (click here for further details).

Since all states already have privacy laws that apply to PHI, practitioners need to determine when the federal privacy rule will take precedence over — or “preempt”— state laws, and when state laws will be upheld. Many practitioners likely will need assistance with such a complicated analysis. This article gives a general sense of what a state law preemption analysis involves.

Under the federal privacy rule, a preemption analysis focuses on a health consumer’s right to privacy. Generally speaking, any provision that is more protective of consumers’ right to privacy or right to access their own health information takes precedence, whether the provision is from federal or state law. The federal rule is intended to be a “floor,” or minimum set of requirements, with which health professionals and others subject to the rule must comply. “The privacy rule will not impair the effectiveness of state laws that are more protective of privacy,” said APA Executive Director for Professional Practice Russ Newman, Ph.D., J.D., “and it will raise the protection afforded health consumers in states that have not yet enacted protective laws.”

A Multi-Step Process

The first step in performing a state preemption analysis involves reviewing state law privacy provisions to determine whether they “relate to” PHI. By “law,” the federal privacy rule means all laws — including statutes, regulations, state court (“common”) law, and even constitutional provisions. These laws may be found in many locations — for example, the professional ethics code; laws governing health care facilities; laws covering judicial and administrative proceedings; laws on reporting disease and abuse, neglect or domestic violence; laws covering workers compensation claims; and laws restricting access to health information, among many others. As a practical matter, psychologists will need to be concerned with a narrower set of laws, such as those related to confidentiality and record keeping.

Comparisons to the HIPAA privacy rule must be made on a provision-by-provision basis, not on the basis of entire laws. And doing such an extensive comparison once is insufficient, since there is nothing in the federal privacy rule that prevents states from passing new laws or revising old ones.

Under the privacy rule, a provision “relates to” PHI if it has the specific purpose of protecting the privacy of health information or affects the privacy of health information in a direct, clear and substantial way. An example of a law “relating to” PHI is a domestic violence law that requires a victim to sign a waiver before a domestic violence counselor can disclose confidential communications by that person.

As the next step in a preemption analysis, the relevant provisions of state law must be compared with provisions of the federal privacy rule to find out if they are “contrary” to the HIPAA provisions. A provision is “contrary” to the privacy rule if a provider would find it impossible to comply with both the state and federal requirements, or if the provision of state law stands as an obstacle to accomplishing the full purposes and objectives of the privacy rule. For example, if the federal privacy rule requires patient consent before certain information is disclosed, but the state law permits that information to be disclosed without consent, then the state law would be contrary to the privacy rule. Not only would it be impossible for a provider to comply with both laws, but the state law provision also would be an obstacle to the consumer protection objectives of the HIPAA privacy rule.

A “contrary” state law provision may still stand if it is an exception to federal preemption as set forth in the HIPAA privacy rule. These exceptions include: state laws related to health care fraud and abuse; regulation of health plans; reporting on health care delivery or costs; public health, safety, or welfare; and the regulation of controlled substances. Under these exceptions, the federal rule will remain in effect until HHS has made a determination based on reviewing a request for an exception by the state governor (or his or her designee) as to whether the state law fits into the exception and will stay in effect.

More Stringent Provisions Take Precedence

Another important exception to federal preemption of state laws, as mentioned earlier, relates to state law privacy provisions that are more stringent than the privacy rule. The federal rule will not preempt more stringent state provisions. Stringency is determined from the standpoint of patient protection and access to records. A law is considered more stringent if it provides greater privacy protection for patients or permits greater access by patients to review and/or amend information in their health records.

For example, one provision in the federal privacy rule permits a public official such as a police officer to determine in certain circumstances whether protected health information can be disclosed. If under those same circumstances, a state’s law requires a court order for disclosure, the state law would be more stringent. Therefore, it would prevail and not be preempted by HIPAA. Disputes about whether a state law is more stringent than the corresponding provision in the HIPAA privacy rule will not be decided by HHS, but must be ruled on by state courts.

“We are pleased with the consumer protections provided by the federal privacy rule, including the fact that more stringent state law provisions are not preempted by HIPAA,” said APA Practice Director Executive Director Russ Newman, Ph.D., J.D.

“The HIPAA privacy rule assumes that psychologists know what state laws already regulate their practice,” says Dr. Newman. “But the process of doing a state preemption analysis may get complicated,” he added. The APA Practice Organization along with state psychological associations and the APA Insurance Trust are taking a lead role in analyzing and addressing the state preemption issue. “We’ll be giving practitioners further guidance on the state preemption issue as a result of our collaborative efforts,” he said.