When does state privacy law supersede HIPAA?

by | May 18, 2023 | Compliance News, HIPAA News and Advice

State privacy laws can supersede HIPAA when they provide greater protection for individuals’ privacy rights than what is mandated by HIPAA. While HIPAA sets a federal standard for the privacy and security of health information, it allows states to enact their own privacy laws as long as they do not conflict with or weaken the protections provided by HIPAA.

State privacy laws may offer additional safeguards, stricter regulations, or extend privacy protections to entities not covered by HIPAA. In such cases, covered entities and business associates must comply with both HIPAA and the more stringent state privacy laws. This means that they must adhere to the requirements of both laws, following the provisions that offer the highest level of protection for individuals’ health information.

When state laws are more permissive or less restrictive than HIPAA, the provisions of HIPAA still apply. Covered entities must comply with the minimum standards outlined by HIPAA, even if state law does not require the same level of protection.

The determination of when state privacy laws supersede HIPAA depends on the specific provisions and requirements of each law and the extent to which they offer greater privacy protection. In cases where state laws provide stronger privacy rights or more stringent requirements, covered entities and business associates must carefully navigate and ensure compliance with both sets of regulations to protect individuals’ privacy and avoid any legal repercussions. Consulting legal professionals or privacy experts can be beneficial in understanding the interplay between state privacy laws and HIPAA requirements in specific jurisdictions.

| State Privacy Law | Description |
| --- | --- |
| California Consumer Privacy Act (CCPA) | Provides California residents with certain rights regarding the collection, use, and sale of their personal information by businesses, including the right to know what information is being collected, the right to opt-out of the sale of their data, and the right to request deletion of their information. |
| New York SHIELD Act | Requires businesses to implement reasonable data security safeguards to protect private information of New York residents, and establishes breach notification requirements in the event of a security breach. |
| Illinois Biometric Information Privacy Act (BIPA) | Regulates the collection, use, and storage of biometric information, such as fingerprints or facial scans, and requires informed consent from individuals before collecting their biometric data. It also imposes security and data retention requirements on entities that collect and handle biometric information. |
| Massachusetts Data Security Law (201 CMR 17.00) | Sets standards for the protection of personal information of Massachusetts residents, including requirements for comprehensive information security programs, encryption of sensitive data, and notification of individuals and relevant authorities in the event of a data breach. |
| Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) | Requires operators of websites and online services to provide notice to Nevada residents regarding the collection and disclosure of their personal information. It also grants individuals the right to opt-out of the sale of their data. |
| Colorado Privacy Act | Provides consumers with certain rights regarding the processing of their personal data, including the right to access and correct their information, the right to opt-out of certain data processing activities, and requirements for businesses to implement data protection measures and conduct data protection assessments. |
| Washington Privacy Act | Establishes data privacy rights for Washington residents, including the right to access, correct, delete, and restrict the processing of their personal data. It also places obligations on businesses to disclose their data processing practices and obtain individuals’ consent for certain data processing activities. |
| Vermont Data Broker Law | Regulates data broker companies that collect and sell personal information, requiring them to register with the state and provide transparency about their data collection and sharing practices. It also grants individuals the right to opt-out of the sale or use of their personal information by data brokers. |
| Oregon Consumer Information Protection Act (OCIPA) | Requires businesses to implement reasonable security practices to protect consumers’ personal information and establishes requirements for breach notification in case of a data breach. |
| Delaware Online Privacy and Protection Act (DOPPA) | Requires operators of commercial websites or online services that collect personally identifiable information from Delaware residents, including browsing history and online behavior, to post privacy policies and disclose how collected data is used, shared, and protected. |
| Maryland Personal Information Protection Act (PIPA) | Establishes requirements for the protection of personal information and data breach notification obligations for businesses operating in Maryland. It mandates reasonable security measures and notification to affected individuals and the Maryland Attorney General in the event of a data breach that compromises personal information. |
| Virginia Consumer Data Protection Act (CDPA) | Provides consumers with certain rights and imposes obligations on businesses that process personal data of Virginia residents. It includes provisions for transparency, consumer control over personal data, and requirements for businesses to implement data protection measures and conduct data protection assessments. |
| Texas Privacy Protection Act | Requires businesses to provide notice to individuals regarding the collection, processing, and sale of their personal information. It grants individuals the right to access and correct their information, opt-out of certain data processing activities |

Figure: Examples of State Privacy Laws

Summary

State privacy laws can supersede HIPAA when they offer greater privacy protections or impose stricter requirements than what is mandated by HIPAA. State privacy laws can cover areas not addressed by HIPAA or provide additional rights and safeguards for individuals’ personal information. When state laws are more stringent, covered entities and business associates must comply with both HIPAA and the more protective state privacy laws. This means that they need to adhere to the provisions of both laws, following the requirements that provide the highest level of privacy protection for individuals. It’s crucial for organizations to be aware of and understand the interplay between state privacy laws and HIPAA to ensure full compliance and safeguard individuals’ privacy rights. Consulting legal professionals or privacy experts can assist in navigating the complexities of state and federal privacy regulations.
