HIPAA Compliance Guide

HIPAA Overview & Regulations

HIPAA Compliance Guide
What is HIPAA? What is a HIPAA BAA?
Regulations
General Administrative Requirements
Subpart A
General Provisions
Subpart B
Preemption Of State Law
Subpart C
Compliance and Investigations
Subpart D
Imposition of Civil Money Penalties
Subpart E
Procedures for Hearings
Administrative Requirements
Subpart A
General Provisions
Subpart D
Standard Unique Health Identifier For Health Care Providers
Subpart E
Standard Unique Health Identifier For Health Plans
Subpart F
Standard Unique Employer Identifier
Subpart I
General Provisions For Transactions
Subpart J
Code Sets
Subpart K
Health Care Claims Or Equivalent Encounter Information
Subpart L
Eligibility For A Health Plan
Subpart M
Referral Certification And Authorization
Subpart N
Health Care Claim Status
Subpart O
Enrollment And Disenrollment In A Health Plan
Subpart P
Health Care Electronic Funds Transfers (EFT) And Remittance Advice
Subpart Q
Health Plan Premium Payments
Subpart R
Coordination Of Benefits
Subpart S
Medicaid Pharmacy Subrogation
Security and Privacy
Subpart A
General Provisions
Subpart C
Security Standards For The Protection Of Electronic Protected Health Information
Subpart D
Notification In The Case Of Breach Of Unsecured Protected Health Information
Subpart E
Privacy Of Individually Identifiable Health Information

General Administrative Requirements   >   Preemption Of State Law

§ 160.203 General rule and exceptions

A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law. This general rule applies, except if one or more of the following conditions is met:

(a) A determination is made by the Secretary under § 160.204 that the provision of State law:

(1) Is necessary:

(i) To prevent fraud and abuse related to the provision of or payment for health care;

(ii) To ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation;

(iii) For State reporting on health care delivery or costs; or

(iv) For purposes of serving a compelling need related to public health, safety, or welfare, and, if a standard, requirement, or implementation specification under part 164 of this subchapter is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or

(2) Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law.

(b) The provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter.

(c) The provision of State law, including State procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.

(d) The provision of State law requires a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals.

[65 FR 82798, Dec. 28, 2000, as amended at 67 FR 53266, Aug. 14, 2002]

HIPAA Regulations

§ 160.202: Definitions

HIPAA Regulations

§ 160.204: Process for requesting exception determinations