Centers for Disease Control and Prevention
CDC Home Search Health Topics A-Z

Centers for Disease Control and Prevention
About CDC Announcements Funding Opportunities Publications Contact Us

U.S. Department of Health and Human Services

 
· Contents
· Summary
· Introduction
· Overview of the Privacy Rule
· The Privacy Rule and Public Health
· The Privacy Rule and Public Health Research
· The Privacy Rule and Other Laws
· Online Resources
· Acknowledgments
· References
· Appendix A
· Appendix B
   
· Privacy Rule Home
· Guidance for Public Health
· HIPAA Basic Facts
· FAQs              
· Privacy Rule Reading Room
· Privacy Rule Links
· Public Health Grand Rounds: HIPAA Privacy Rule

HIPAA Privacy Rule and Public Health

Guidance from CDC and the U.S. Department of Health and Human Services

MMWR, Volume 52, Early Release

 

The Privacy Rule and Other Laws

  • Federal laws. Covered entities subject to the Privacy Rule are also subject to other federal statutes and regulations. The specific relationship of the Privacy Rule and certain federal laws is discussed in the preamble to the December 2000 Final Rule [65 Fed.Reg. 82481]. In certain instances, the Privacy Rule imposes requirements in direct conflict with other federal laws or regulations. In those instances, an analysis will be necessary to determine whether the later provision was intended to overrule the prior law or regulation.
  • State laws. As a federal regulatory standard, the Privacy Rule preempts only those contrary state laws relating to the privacy of individually identifiable health information that have less stringent requirements or standards than the Privacy Rule (i.e., more stringent laws remain in effect). In addition, DHHS may, upon specific request from a state or other entity or person, determine that a provision of state law that is contrary to the federal requirements and that meets certain additional criteria, will not be preempted by the federal requirements. Thus, preemption of a contrary state law will not occur if the Secretary or designated DHHS official determines, in response to a request, that the state law 1) is necessary to prevent fraud and abuse related to the provision of or payment for health care; 2) is necessary to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation; 3) is necessary for state reporting on health-care delivery or costs; 4) is necessary to serve a compelling public health, safety, or welfare need, and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or 5) has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances. The Privacy Rule specifically does not preempt contrary state public health laws that provide for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation, or intervention [45 CFR § 160.202].

 

Accessibility | Privacy Policy Notice | FOIA | Information Quality

About CDC | Announcements | Funding Opportunities | Publications | Contact Us

CDC Home | Search | Health Topics A-Z

This page last reviewed April 18, 2003.

United States Department of Health and Human Services
Centers for Disease Control and Prevention