State Law Pre-emption
State laws that are contrary to the HIPAA regulations are pre-empted by the federal requirements, which means the federal requirements will apply. “Contrary” means it would be impossible for the entity to comply with both the state and federal requirements, or the provision of state law is an obstacle to accomplish the full purposes and objectives of the Administrative Simplification provisions of HIPAA.
Keep in mind that if the state law is more stringent than the federal law, then the state law should be followed to ensure compliance at both the state and federal level.
Summary of the HIPAA Privacy Rule
Permitted Uses and Disclosures: Exchange for Health Care Operations
The Health Insurance Portability and Accountability Act (HIPAA) governs how the organization protects and secures Protected Health Information (PHI).
HIPAA also provides regulations that describe the circumstances in which organizations are permitted, but not required, to use and disclose PHI for certain activities without first obtaining an individual’s authorization, including for treatment and health care operations of the disclosing organization when the appropriate relationship exists.
Before utilizing PHI for treatment or health care operations without prior authorization, ensure the use is allowed by the provisions.