HIPAA Compliance Guide

HIPAA Overview & Regulations

HIPAA Compliance Guide
What is HIPAA? What is a HIPAA BAA?
Regulations
General Administrative Requirements
Subpart A
General Provisions
Subpart B
Preemption Of State Law
Subpart C
Compliance and Investigations
Subpart D
Imposition of Civil Money Penalties
Subpart E
Procedures for Hearings
Administrative Requirements
Subpart A
General Provisions
Subpart D
Standard Unique Health Identifier For Health Care Providers
Subpart E
Standard Unique Health Identifier For Health Plans
Subpart F
Standard Unique Employer Identifier
Subpart I
General Provisions For Transactions
Subpart J
Code Sets
Subpart K
Health Care Claims Or Equivalent Encounter Information
Subpart L
Eligibility For A Health Plan
Subpart M
Referral Certification And Authorization
Subpart N
Health Care Claim Status
Subpart O
Enrollment And Disenrollment In A Health Plan
Subpart P
Health Care Electronic Funds Transfers (EFT) And Remittance Advice
Subpart Q
Health Plan Premium Payments
Subpart R
Coordination Of Benefits
Subpart S
Medicaid Pharmacy Subrogation
Security and Privacy
Subpart A
General Provisions
Subpart C
Security Standards For The Protection Of Electronic Protected Health Information
Subpart D
Notification In The Case Of Breach Of Unsecured Protected Health Information
Subpart E
Privacy Of Individually Identifiable Health Information

General Administrative Requirements   >   Preemption Of State Law

§ 160.202 Definitions

For purposes of this subpart, the following terms have the following meanings:

Contrary, when used to compare a provision of State law to a standard, requirement, or implementation specification adopted under this subchapter, means:

(1) A covered entity or business associate would find it impossible to comply with both the State and Federal requirements; or

(2) The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act, section 264 of Public Law 104-191, or sections 13400-13424 of Public Law 111-5, as applicable.

More stringent means, in the context of a comparison of a provision of State law and a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter, a State law that meets one or more of the following criteria:

(1) With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this subchapter, except if the disclosure is:

(i) Required by the Secretary in connection with determining whether a covered entity or business associate is in compliance with this subchapter; or

(ii) To the individual who is the subject of the individually identifiable health information.

(2) With respect to the rights of an individual, who is the subject of the individually identifiable health information, regarding access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable.

(3) With respect to information to be provided to an individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies, provides the greater amount of information.

(4) With respect to the form, substance, or the need for express legal permission from an individual, who is the subject of the individually identifiable health information, for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the express legal permission, as applicable.

(5) With respect to recordkeeping or requirements relating to accounting of disclosures, provides for the retention or reporting of more detailed information or for a longer duration.

(6) With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.

Relates to the privacy of individually identifiable health information means, with respect to a State law, that the State law has the specific purpose of protecting the privacy of health information or affects the privacy of health information in a direct, clear, and substantial way.

State law means a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.

[65 FR 82798, Dec. 28, 2000, as amended at 67 FR 53266, Aug.14, 2002; 74 FR 42767, Aug.24, 2009; 78 FR 5689, Jan. 25,2013]

HIPAA Regulations

§ 160.201: Statutory basis

HIPAA Regulations

§ 160.203: General rule and exceptions