We summarize and respond below to comments received in the
Transactions rulemaking on the issue of preemption, as well as those
received on this topic in the Privacy rulemaking. Because no process
was proposed in the Transactions rulemaking for granting exceptions
under section 1178(a)(2)(A), a process for making exception
determinations was not adopted in the Transactions Rule. Instead, since
a process for making exception determinations was proposed in the
Privacy rulemaking, we decided that the comments received in the
Transactions rulemaking should be considered and addressed in
conjunction with the comments received on the process proposed in the
Privacy rulemaking. See 65 FR 50318 for a fuller discussion.
Accordingly, we discuss the preemption comments received in the
Transactions rulemaking where relevant below.
Comment: The majority of comments on preemption addressed the
subject in general terms. Numerous comments, particularly from plans
and providers, argued that the proposed preemption provisions were
burdensome, ineffective, or insufficient, and that complete federal
preemption of the “patchwork” of state privacy laws is needed. They
also argued that the proposed preemption provisions are likely to
invite litigation. Various practical arguments in support of this
position were made. Some of these comments recognized that the
Secretary's authority under section 1178 of the Act is limited and
acknowledged that the Secretary's proposals were within her statutory
authority. One commenter suggested that the exception determination
process would result in a very costly and laborious and sometimes
inconsistent analysis of the occasions in which state law would
survive federal preemption, and thus suggested the final privacy
regulations preempt state law with only limited exceptions, such as
reporting child abuse. Many other comments, however, recommended
changing the proposed preemption provisions to preempt state privacy
laws on as blanket a basis as possible.
One comment argued that the assumption that more stringent privacy
laws are better is not necessarily true, citing a 1999 GAO report
finding evidence that the stringent state confidentiality laws of
Minnesota halted the collection of comparative information on health
care quality.
Several comments in this vein were also received in the
Transactions rulemaking. The majority of these comments took the
position that exceptions to the federal standards should either be
prohibited or discouraged. It was argued that granting exceptions to
the standards, particularly the transactions standards, would be
inconsistent with the statute's objective of promoting administrative
simplification through the use of uniform transactions.
Many other commenters, however, endorsed the “federal floor”
approach of the proposed rules. (These comments were made in the
context of the proposed privacy regulations.) These comments argued
that this approach was preferable because it would not impair the
effectiveness of state privacy laws that are more protective of
privacy, while raising the protection afforded medical information in
states that do not enact laws that are as protective as the rules
below. Some comments argued, however, that the rules should give even
more deference to state law, questioning in particular the definitions
and the proposed addition to the “other purposes” criterion for
exception determinations in this regard.
Response: With respect to the exception process provided for by
section 1178(a)(2)(A), the contention that the HIPAA standards should
uniformly control is an argument that should be addressed to the
Congress, not this agency. Section 1178 of the Act expressly gives the
Secretary authority to grant exceptions to the general rule that the
HIPAA standards preempt contrary state law in the circumstances she
determines come within the provisions at section 1178(a)(2)(A). We
agree that the underlying statutory goal of standardizing financial and
administrative health care transactions dictates that exceptions should
be granted only on narrow grounds. Nonetheless, Congress clearly
intended to accommodate some state laws in these areas, and the
Department is not free to disregard this Congressional choice. As is
more fully explained below, we have interpreted the statutory criteria
for exceptions under section 1178(a)(2)(A) to balance the need for
relative uniformity with respect to the HIPAA standards with state
needs to set certain policies in the statutorily defined areas.
The situation is different with respect to state laws relating to
the privacy of protected health information. Many of the comments
arguing for uniform standards were particularly concerned with
discrepancies between the federal privacy standards and various state
privacy requirements. Unlike the situation with respect to the
transactions standards, where states have generally not entered the
field, all states regulate the privacy of some medical information to a
greater or lesser extent. Thus, we understand the private sector's
concern at having to reconcile differing state and federal privacy
requirements.
This is, however, likewise an area where the policy choice has been
made by Congress. Under section 1178(a)(2)(B) of the Act and section
264(c)(2) of HIPAA, provisions of state privacy laws that are contrary
to and more stringent than the corresponding federal standard,
requirement, or implementation specification are not preempted. The
effect of these provisions is to let the law that is most protective of
privacy control (the “federal floor” approach referred to by many
commenters), and this policy choice is one with which we agree. Thus,
the statute makes it impossible for the Secretary to accommodate the
requests to establish uniformly controlling federal privacy standards,
even if doing so were viewed as desirable.
Comment: Numerous comments stated support for the proposal at
proposed Subpart B to issue advisory opinions with respect to the
preemption of state laws relating to the privacy of individually
identifiable health information. A number of these comments appeared to
assume that the Secretary's advisory opinions would be dispositive of
the issue of whether or not a state law was preempted. Many of these
commenters suggested what they saw as improvements to the proposed
process, but supported the proposal to have the Department undertake
this function.
Response: Despite the general support for the advisory opinion
proposal, we decided not to provide specifically for the issuance of
such opinions. The following considerations led to this decision.
First, the assumption by commenters that an advisory opinion would
establish what law applied in a given situation and thereby simplify
the task of ascertaining what legal requirements apply to a covered
entity or entities is incorrect. Any such opinion would be advisory
only. Although an advisory opinion issued by the Department would
indicate to covered entities how the Department would resolve the legal
conflict in question and would apply the law in determining compliance,
it would not bind the courts. While we assume that most courts would
give such opinions deference, the outcome could not be guaranteed.
Second, the thousands of questions raised in the public comment
about the interpretation, implications, and consequences of all of the
proposed regulatory provisions have led us to conclude that significant
advice and technical assistance about all of the regulatory
requirements will have to be provided on an ongoing basis. We recognize
that the preemption concerns that would have been addressed by the
proposed advisory opinions were likely to be substantial. However,
there is no reason to assume that they will be the most substantial or
urgent of the questions that will most likely need to be addressed. It
is our intent to provide as much technical advice and assistance to the
regulated community as we can with the resources available. Our concern
is that setting up an advisory opinion process for just one of the many
types of issues that will have to be addressed will lead to a non-
optimal allocation of those resources. Upon careful consideration,
therefore, we have decided that we will be better able to prioritize
our workload and be better able to be responsive to the most urgent and
substantial questions raised to the Department, if we do not provide
for a formal advisory opinion process on preemption as proposed.
Comment: A few commenters argued that the Privacy Rule should
preempt state laws that would impose more stringent privacy
requirements for the conduct of clinical trials. One commenter asserted
that the existing federal regulations and guidelines for patient
informed consent, together with the proposed rule, would adequately
protect patient privacy.
Response: The Department does not have the statutory authority
under HIPAA to preempt state laws that would impose more stringent
privacy requirements on covered entities. HIPAA provides that the rule
promulgated by the Secretary may not preempt state laws that are in
conflict with the regulatory requirements and that provide greater privacy
protections.
Applicability
Comment: Several commenters indicated that the guidance provided by the definitions at proposed § 160.202 would be of substantial benefit both to regulated entities and to the public. However, these commenters argued that the applicability of such definitions would be too limited as drafted, since proposed § 160.201 provided that the definitions applied only to “determinations and advisory opinions issued by the Secretary pursuant to 42 U.S.C. 1320d-7.” The commenters stated that it would be far more helpful to make the definitions in proposed § 160.202 more broadly applicable, to provide general guidance on the issue of preemption.
Response: We agree with the comments on this issue, and have revised the applicability provision of subpart B below accordingly. Section 160.201 below sets out that Subpart B implements section 1178. This means, in our view, that the definitions of the statutory terms at § 160.202 are legislative rules that apply when those statutory terms are employed, whether by HHS, covered entities, or the courts.
