
When can state laws override federal privacy protections?

Written by Caitlin Anthoney | Feb 5, 2025 4:28:08 PM

The HIPAA Privacy Rule is a federal baseline for safeguarding individuals' protected health information (PHI).

However, HIPAA does not displace every state law. In several areas, notably public health concerns like disease reporting, surveillance, and child abuse investigations, state law continues to apply and, in practice, takes precedence over HIPAA's default restrictions on disclosure.

 

HIPAA preemption and its exceptions  

“State laws that are contrary to the Privacy Rule are preempted by the Federal requirements unless a specific exception applies,” the U.S. Department of Health and Human Services (HHS) Health Information Privacy page explains. The rule and its exceptions are set out in the HIPAA regulations at 45 CFR 160.203.

More specifically, exceptions include if the state law:

  • “Relates to the privacy of individually identifiable health information and provides greater privacy protections or privacy rights [for] information,
  • Provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention, or
  • Requires certain health plan reporting, such as for management or financial audits.”

In simple terms, a state law that gives patients greater privacy rights or stronger safeguards than HIPAA is not preempted; a covered entity must follow the stricter state rule.

Likewise, when a state law mandates the reporting of diseases, injuries, child abuse, births, or deaths, HIPAA does not preempt it, so the data collection and monitoring the state requires can proceed.

The same holds for a state law that requires specific health plan reporting for financial audits or management purposes: HIPAA will not preempt it.

One caveat practitioners should keep in mind: preemption only arises when the state law is “contrary” to the Privacy Rule, meaning a covered entity could not comply with both. Because the Privacy Rule itself permits disclosures that are required by law and disclosures to public health authorities (45 CFR 164.512(a) and (b)), most state reporting mandates never conflict with HIPAA in the first place; the exceptions above settle the cases that would otherwise be in doubt.

 

HIPAA exceptions for public health reporting

HIPAA allows state disease-reporting laws to take precedence over its privacy protections. This lets state and local health departments track outbreaks, implement preventive measures, and contain public health threats.

For example, if a healthcare provider diagnoses a patient with tuberculosis (TB), state law requires them to report it to the state health department. The provider does not need the patient's authorization to do so: although HIPAA generally requires written authorization before PHI is disclosed for purposes outside treatment, payment, and healthcare operations, the Privacy Rule expressly permits disclosures to a public health authority that is authorized by law to collect such information, so the state reporting law and HIPAA are not in conflict.

Another example is HIV and sexually transmitted infection (STI) reporting. Many states require healthcare providers to report HIV diagnoses to state health agencies. These reports are used for contact tracing, where public health officials confidentially notify individuals who may have been exposed to the virus. 

Specifically, New York's Part 63 regulation, section 63.6 on confidentiality and disclosure, permits HIV-related information to be disclosed “when knowledge of HIV-related information is necessary to provide appropriate care or treatment to a contact or exposed individual.”

 

Public health surveillance 

Public health surveillance also involves health data collection and analysis to identify trends and prevent outbreaks. In these cases, state laws can require disclosures that would otherwise be restricted under HIPAA. 

For example, many states require hospitals to report cases of antibiotic-resistant infections, like methicillin-resistant Staphylococcus aureus (MRSA). These infections are a serious public health risk, and state-mandated reporting helps officials track outbreaks and implement infection control measures.  

Additionally, some states mandate reporting opioid overdoses to monitor and combat the opioid epidemic. In states like New York and Pennsylvania, emergency departments are required to report overdose cases to public health agencies, even though this means sharing PHI without the patient's authorization. Again, HIPAA does not stand in the way, because these laws fall squarely within the public health reporting exception.

 

Mandatory child abuse reporting

Every state in the U.S. has mandatory reporting laws for suspected child abuse or neglect, and healthcare professionals, teachers, and social workers are typically among the required reporters.

HIPAA recognizes the importance of these laws and does not preempt them. As the HHS text quoted above states, state laws are not preempted when they “provide for the reporting of… child abuse.” The Privacy Rule also separately permits a covered entity to report child abuse or neglect to a government authority authorized by law to receive such reports, so the report does not require the parent's or guardian's authorization.

So, if a physician suspects child abuse, they are legally required to report it to child protective services, even if the parent or guardian objects.  

For example, in Texas, “[Healthcare] professionals must make a report no later than the 48th hour after first suspecting a child has been abused or neglected or is a victim of an offense under Section 21.11, Penal Code.”

Failure to do so can result in criminal charges. Moreover, this requirement takes precedence over HIPAA, ensuring that child welfare agencies receive the information they need to protect vulnerable children.  

 

Balancing privacy with public health needs  

While HIPAA affords strong privacy protections, it also recognizes that there will be times when public health concerns outweigh the individuals’ privacy interests.

State laws that require disease reporting, public health surveillance and child abuse reporting give health authorities the data they need to protect communities.  

Ultimately, while patient privacy is a fundamental right, public health and safety sometimes require sharing health information without consent. So, providers must understand these exceptions to comply with state and federal regulations.

Related: The role of HIPAA compliant email in managing disease outbreaks

 

FAQs

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).

HIPAA is designed to protect the privacy and security of individuals' health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities and their business associates.

 

Who does HIPAA apply to?

HIPAA applies to covered entities, including healthcare providers, health plans, and clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

 

Is patient consent required when sharing PHI?

Not always. HIPAA permits a covered entity to use and disclose PHI for treatment, payment, and healthcare operations without the patient's authorization, and it permits certain other disclosures without authorization, such as those required by law or made to public health authorities. For most other purposes, including marketing and most disclosures to third parties, the covered entity must obtain the patient's written authorization first, and a stricter state law may require more than HIPAA does.

See also: A HIPAA consent form template that's easy to share