chapter  9
State Preemption
Pages 12

Covered entities (CEs), business associates (BAs), and subcontractors will not only need to be in compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requirements, but also with the privacy and condentiality state laws that are not preempted by the Privacy Rule. e Privacy Rule does not replace federal, state, or other laws that grant greater privacy protections than are stipulated within the Rule. Additionally, CEs, BAs, and subcontractors are free to retain or adopt more protective privacy policies and practices. e HIPAA Privacy Rule denes “state law” to include statutes, regulations, case laws, and other state actions having binding legal eect. Preemption of state law is addressed in Part 160, Subpart B of the Privacy Rule. It is interesting to note that this section of the regulation was constructed not only to address the privacy issues, but also the preemption issues in the already-issued Transactions Rule, which did not cover this issue.