Industries & Practices

Health Care Industry


    HIPAA Regulations: Preemption of State Law: Definitions: More Stringent - § 160.202

    As Contained in the HHS HIPAA Rules


    HHS Regulations as Amended January 2013
    Preemption of State Law: Definitions - More Stringent - § 160.202


    More stringent means, in the context of a comparison of a provision of State law and a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter, a State law that meets one or more of the following criteria:

    (1) With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this subchapter, except if the disclosure is:

    (i) Required by the Secretary in connection with determining whether a covered entity or business associate is in compliance with this subchapter; or

    (ii) To the individual who is the subject of the individually identifiable health information.

    (2) With respect to the rights of an individual, who is the subject of the individually identifiable health information, regarding access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable.

    (3) With respect to information to be provided to an individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies, provides the greater amount of information.

    (4) With respect to the form, substance, or the need for express legal permission from an individual, who is the subject of the individually identifiable health information, for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the express legal permission, as applicable.

    (5) With respect to recordkeeping or requirements relating to accounting of disclosures, provides for the retention or reporting of more detailed information or for a longer duration.

    (6) With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.


    HHS Description and Commentary From the January 2013 Amendments
    Preemption of State Law: Definitions - More Stringent


    Proposed Rule

    The term “more stringent” is part of the statutory preemption language under HIPAA. HIPAA preempts State law that is contrary to a HIPAA privacy standard unless, among other exceptions, the State law is more stringent than the contrary HIPAA privacy standard. We proposed to amend the definition to add a reference to business associates.

    Final Rule

    The Department did not receive substantive public comment on this proposal.

    The final rule adopts the proposed modification.


    HHS Response to Comments Received from Original Rulemaking
    Preemption of State Law: Definitions - More Stringent


    Comment: Many commenters supported the policy in the proposed definition of “individual” at proposed § 164.502, which would have permitted unemancipated minors to exercise, on their own behalf, rights granted to individuals in cases where they consented to the underlying health care. Commenters stated, however, that the proposed preemption provision would leave in place state laws authorizing or prohibiting disclosure to parents of the protected health information of their minor children and would negate the proposed policy for the treatment of minors under the rule. The comments stated that such state laws should be treated like other state laws, and preempted to the extent that they are less protective of the privacy of minors.

    Other commenters supported the proposed preemption provision--not to preempt a state law to the extent it authorizes or prohibits disclosure of protected health information regarding a minor to a parent.

    Response: Laws regarding access to health care for minors and confidentiality of their medical records vary widely; this regulation recognizes and respects the current diversity of state law in this area. Where states have considered the balance involved in protecting the confidentiality of minors’ health information and have explicitly acted, for example, to authorize disclosure, defer the decision to disclose to the discretion of the health care provider, or prohibit disclosure of minor’s protected health information to a parent, the rule defers to these decisions to the extent that they regulate such disclosures.

    Comment: The proposed definition of “more stringent”was criticized as affording too much latitude to for granting exceptions for state laws that are not protective of privacy. It was suggested that the test should be “most protective of the individual’s privacy.”

    Response: We considered adopting this test. However, for the reasons set out at 64 FR 59997, we concluded that this test would not provide sufficient guidance. The comments did not address the concerns we raised in this regard in the preamble to the proposed rules, and we continue to believe that they are valid.

    Comment: A drug company expressed concern with what it saw as the expansive definition of this term, arguing that state governments may have less experience with the special needs of researchers than federal agencies and may unknowingly adopt laws that have a deleterious effect on research. A provider group expressed concern that allowing stronger state laws to prevail could result in diminished ability to get enough patients to complete high quality clinical trials.

    Response: These concerns are fundamentally addressed to the “federal floor” approach of the statute, not to the definition proposed: even if the definition of “more stringent” were narrowed, these concerns would still exist. As discussed above, since the “federal floor” approach is statutory, it is not within the Secretary’s authority to change the dynamics that are of concern.

    Comment: One comment stated that the proposed rule seemed to indicate that the “more stringent” and “contrary to” definitions implied that these standards would apply to ERISA plans as well as to non-ERISA plans.

    Response: The concern underlying this comment is that ERISA plans, which are not now subject to certain state laws because of the “field” preemption provision of ERISA but which are subject to the rules below, will become subject to state privacy laws that are “more stringent” than the federal requirements, due to the operation of section 1178(a)(2)(B), together with section 264(c)(2). We disagree that this is the case. While the courts will have the final say on these questions, it is our view that these sections simply leave in place more stringent state laws that would otherwise apply; to the extent that such state laws do not apply to ERISA plans because they are preempted by ERISA, we do not think that section 264(c)(2) overcomes the preemption effected by section 514(a) of ERISA. For more discussion of this point, see 64 FR 60001.

    Comment: The Lieutenant Governor’s Office of the State of Hawaii requested a blanket exemption for Hawaii from the federal rules, on the ground that its recently enacted comprehensive health privacy law is, as a whole, more stringent than the proposed federal standards. It was suggested that, for example, special weight should be given to the severity of Hawaii’s penalties. It was suggested that a new definition (“comprehensive”) be added, and that “more stringent” be defined in that context as whether the state act or code as a whole provides greater protection.

    An advocacy group in Vermont argued that the Vermont legislature was poised to enact stronger and more comprehensive privacy laws and stated that the group would resent a federal prohibition on that.

    Response: The premise of these comments appears to be that the provision-by-provision approach of Subpart B, which is expressed in the definition of the term “contrary”, is wrong. As we explained in the preamble to the proposed rules (at 64 FR 59995), however, the statute dictates a provision-by- provision comparison of state and federal requirements, not the overall comparison suggested by these comments. We also note that the approach suggested would be practically and analytically problematic, in that it would be extremely difficult, if not impossible, to determine what is a legitimate stopping point for the provisions to be weighed on either the state side or the federal side of the scale in determining which set of laws was the “more stringent.” We accordingly do not accept the approach suggested by these comments.

    With respect to the comment of the Vermont group, nothing in the rules below prohibits or places any limits on states enacting stronger or more comprehensive privacy laws. To the extent that states enact privacy laws that are stronger or more comprehensive than contrary federal requirements, they will presumably not be preempted under section 1178(a)(2)(B). To the extent that such state laws are not contrary to the federal requirements, they will act as an overlay on the federal requirements and will have effect.

    Comment: One comment raised the issue of whether a private right of action is a greater penalty, since the proposed federal rule has no comparable remedy.

    Response: We have reconsidered the proposed “penalty” provision of the proposed definition of “more stringent” and have eliminated it. The HIPAA statute provides for only two types of penalties: fines and imprisonment. Both types of penalties could be imposed in addition to the same type of penalty imposed by a state law, and should not interfere with the imposition of other types of penalties that may be available under state law. Thus, we think it is unlikely that there would be a conflict between state and federal law in this respect, so that the proposed criterion is unnecessary and confusing. In addition, the fact that a state law allows an individual to file a lawsuit to protect privacy does not conflict with the HIPAA penalty provisions.