State laws complicate HIPAA compliance efforts

On of the thorniest issues surrounding the Health Insurance Portability and Accountability Act (HIPAA) is the patchwork of existing state privacy laws that will pre-empt federal requirements when state laws are more stringent. According to Alan Goldberg, one of the problems is that many state laws are changing.

There are a variety of ways to approach the analysis, according to Goldberg. He says many groups are performing analyses, and the challenge is to piece all of this together and come out with some consistent, coherent policy and practice for addressing the pre-emption issues. "The analysis will have to be done, and the question is, Does it have to be done on a day-by-day or moment-by-moment basis?’"

The first challenge is to understand the preemption requirements. The primary difficulty with preemption is that, as of April 14, 2003, providers, health plans, and other covered entities are going to be required to comply with the more stringent of two sets of laws, says Mark Barnes, a partner with Ropes and Gray in Boston and a former associate commissioner for Medicaid with the New York City Department of Health.

On one hand, there are the federal HIPAA privacy regulations, he says. On the other hand, in a variety of states and other jurisdictions such as Puerto Rico, there are laws that will to be more stringent than the HIPAA laws.

"The bottom line is that providers are really given a free pass on neither side," he says. "They are really going to have to comply with the toughest parts of both laws." According to Barnes, this means that in terms of pre-emption analyses and HIPAA compliance program development, state laws must be taken into account as fully as the federal laws.

Goldberg points out that there also are several exceptions for state law that the Department of Health and Human Services Secretary can determine are necessary to prevent fraud and abuse or ensure appropriate state regulation of insurance and health plans, for state reporting on health care delivery or other purposes, or for laws that address controlled substances.

Goldberg says the most problematic are the state laws that relate to the privacy of individually identifiable health information as provided for by related provisions of the act that are contrary to and more stringent than the federal requirements. "This has created a tremendous tension in that there are 54 jurisdictions involved in an analysis of HIPAA," he asserts.

Goldberg says it is important to be sensitive to the interrelationship of the other federal laws and the interrelationship of state laws that might seemingly be in conflict in terms of their force and effect on the state level. "That is going to create some tension as well, particularly when legislative law and common law differ," he explains.

According to Barnes, coverage varies dramatically from state to state. Many states such as Massachusetts, New York, and California already have rigorous state laws governing the confidentiality of medical information.