Awareness article
HIPAA Preemption: When Federal Law Overrides State Law
The HIPAA preemption principle, when state law controls instead of HIPAA, practical examples of state law standards that exceed HIPAA, and implications for multi-state practices.
Short answer
HIPAA preemption means that HIPAA generally supersedes contrary state laws, but does not preempt state laws that are more stringent than HIPAA - that is, laws that afford individuals more privacy protection (45 CFR § 160.203). Clinics must comply with whichever standard is more protective of patient privacy.
HIPAA preemption is the principle, established in 45 CFR § 160.203, that HIPAA supersedes contrary state privacy laws while preserving state laws that are more protective of patient privacy. HIPAA established a national floor for health information privacy - a minimum standard that applies everywhere in the United States. It was never intended to displace every state privacy law. The practical result is that HIPAA compliance alone is not always sufficient: your clinic must also identify and apply state standards that exceed what HIPAA requires.
Small-clinic example: A 4-provider behavioral health practice in California experiences a data breach. HIPAA requires notice to affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery (45 CFR § 164.404); 60 days is an outer limit, not a safe harbor. California’s breach notification law requires notification in the most expedient time possible and without unreasonable delay, and has been interpreted to require notification within 30 days; if the practice is a clinic or health facility licensed by the state, a separate duty under Health and Safety Code § 1280.15 requires reporting to the Department of Public Health and the affected patient within 15 business days. Your clinic must follow the shorter California clock - not HIPAA’s 60-day ceiling - for any California-resident patients. If you wait 45 days, you may still be inside HIPAA’s outer limit, but you have violated California law.
The General Preemption Rule
Under 45 CFR § 160.203, HIPAA preempts a provision of state law if the state law is “contrary to” the HIPAA provision.
“Contrary” is defined in 45 CFR § 160.202: a covered entity or business associate would find it impossible to comply with both the state and federal requirements, or the state law stands as an obstacle to the accomplishment of the purposes and objectives of HIPAA’s administrative simplification provisions and the HITECH Act.
Direct conflict - where following state law would require violating HIPAA, or where following HIPAA would require violating state law - is the core preemption scenario. In those cases, HIPAA controls.
When State Law Controls Instead
The preemption rule has important exceptions. State law is not preempted - and controls - in these situations.
More-Stringent State Law
Under 45 CFR § 160.203(b), a state law that relates to the privacy of individually identifiable health information and is “more stringent” than HIPAA is not preempted. The regulation defines “more stringent” in 45 CFR § 160.202 as a state law that, compared with the HIPAA standard:
- Prohibits or restricts a use or disclosure that HIPAA would permit (except disclosures to the individual or to HHS for enforcement)
- Gives individuals greater rights of access to, or amendment of, their health information
- Gives individuals more information about uses, disclosures, rights, and remedies
- Imposes stricter requirements on the form, substance, or need for authorization or consent (narrower scope or duration, more protections, less coercion)
- Requires longer or more detailed record keeping or accounting of disclosures
- On any other matter, provides greater privacy protection for the individual
The operational rule: apply whichever standard is more protective of patient privacy. If the state allows less protection than HIPAA, HIPAA controls. If the state requires more protection than HIPAA, state law controls.
Other HIPAA-Preserved State Laws
45 CFR § 160.203 also preserves state laws that:
- Provide for public health surveillance, investigation, or intervention, or for reporting of disease, injury, child abuse, birth, or death (§ 160.203(c))
- Require health plans to report or give access to information for management or financial audits, program monitoring and evaluation, or facility or individual licensure or certification (§ 160.203(d))
- Are the subject of an HHS Secretary determination under § 160.203(a) that the law is necessary to prevent fraud and abuse, to regulate insurance and health plans, to report on health care delivery or costs, or to serve a compelling public health, safety, or welfare need, or that its principal purpose is the regulation of controlled substances
These categories recognize that states have legitimate health regulation interests that HIPAA was not designed to displace. Note that the § 160.203(a) exceptions require a determination by the Secretary (requested under 45 CFR § 160.204); they do not apply automatically.
Common Areas Where State Law Exceeds HIPAA
Breach Notification Timelines
HIPAA requires covered entities to notify individuals without unreasonable delay and no later than 60 calendar days from discovery of a breach, where a breach is treated as discovered on the first day it is known, or reasonably should have been known, to the entity (45 CFR § 164.404). Many states impose shorter deadlines. California requires notification within the most expedient time possible, without unreasonable delay, and has historically been interpreted to require notification within 30 days. Many states have adopted a 30-day standard, and some set shorter clocks for particular entity types or for notifying a state regulator or attorney general.
When a state’s breach notification deadline is shorter than HIPAA’s 60-day ceiling, the shorter deadline controls for patients who are residents of that state.
For your clinic: If you treat patients in multiple states, your breach notification obligations may vary by the patient’s state of residence, and state laws may add regulator or attorney general notices on top of HIPAA’s notices to individuals and to HHS. The safest operational approach is to adopt the shortest applicable deadline as your standard.
Mental Health and Substance Use Records
State mental health confidentiality laws frequently require patient authorization for disclosures that HIPAA would permit for treatment purposes. These laws reflect long-standing policy judgments that mental health records deserve stronger protection than general medical records.
Federal law independently governs substance use disorder treatment records under 42 CFR Part 2 (covering federally-assisted substance use disorder treatment programs), which is more restrictive than HIPAA on most disclosure points. A 2024 final rule aligned Part 2’s consent and notice requirements more closely with HIPAA, but Part 2 still restricts redisclosure and use of records in legal proceedings in ways HIPAA does not. Part 2 is federal law, not state law, so it is not a preemption question; its interaction with HIPAA nonetheless creates compliance complexity for clinics that treat substance use disorders.
HIV/AIDS Records
Multiple states have specific HIV/AIDS confidentiality statutes that restrict disclosure of HIV-related information beyond HIPAA’s requirements. These laws often require specific written authorization for disclosure even within the treatment context. New York, California, and Florida have such laws, among others.
Genetic Information
Some states have genetic privacy laws more restrictive than the Genetic Information Nondiscrimination Act (GINA) and HIPAA’s genetic information provisions. These laws may restrict disclosure of genetic test results more broadly than HIPAA would permit.
Minor Patients
States have varying laws about when minors may consent to their own care and whether parents have rights to access their child’s records for those services. In states where minors can consent independently (typically reproductive health, substance use, and mental health services), state law may restrict parental access to records in ways that exceed HIPAA’s parental access provisions.
Psychotherapy Notes
HIPAA already gives psychotherapy notes (separately maintained notes by a mental health clinician) stronger protection than general PHI. State laws may impose even greater restrictions on when those notes may be disclosed.
Applying the More-Stringent Standard in Practice
Step 1: Identify the applicable state law. Which state’s law applies depends on the type of law: breach notification statutes generally follow the patient’s state of residence, while confidentiality and consent statutes generally follow the state where your clinic is located and where care was provided. Telehealth and multi-state practices require more nuanced analysis because those states can differ for the same patient.
Step 2: Compare the state standard to HIPAA. Does the state law permit something HIPAA prohibits? (HIPAA controls.) Does the state law restrict something HIPAA permits? (State law controls.) Does the state impose greater process or patient rights requirements? (State law controls.)
Step 3: Apply the more protective standard. Where state law is more stringent, comply with state law. Where HIPAA is more stringent, comply with HIPAA. Where they align, either satisfies both.
Step 4: Document the analysis. For ambiguous situations, documenting why your clinic applied a specific standard helps in any subsequent regulatory inquiry.
Implications for Multi-State Practices and Telehealth
Clinics that provide care across state lines - through telehealth, satellite locations, or referral relationships - face a patchwork of applicable state standards. A telehealth practice licensed in five states must apply the most-stringent standards of each state to its operations or develop state-specific protocols.
For practices expanding into telehealth, preemption analysis across all licensed states is a necessary step before launch - not an afterthought. Variation in state breach notification deadlines, mental health record rules, and minor patient rights is significant enough to affect policy design and operational procedures.
For a detailed guide to managing HIPAA compliance across multiple state jurisdictions, see multi-state practice guide.
PHIGuard helps covered entities track and manage compliance requirements - including state-specific standards that exceed HIPAA - through its compliance platform designed for small to mid-size clinics. See PHIGuard’s HIPAA page for details.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.
Sources
- 45 CFR § 160.202 - Definitions · HHS / eCFR
- 45 CFR § 160.203 - General Rule and Exceptions · HHS / eCFR