|
|
HIPAA Privacy Rule and Public
Health
Guidance from CDC and the U.S. Department of Health
and Human Services
MMWR,
Volume 52, Early Release
The Privacy Rule and Other
Laws
- Federal laws. Covered entities subject to the Privacy Rule
are also subject to other federal statutes and regulations. The
specific relationship of the Privacy Rule and certain federal laws is
discussed in the preamble to the December 2000 Final Rule [65 Fed.Reg.
82481]. In certain instances, the Privacy Rule imposes requirements in
direct conflict with other federal laws or regulations. In those
instances, an analysis will be necessary to determine whether the
later provision was intended to overrule the prior law or regulation.
- State laws. As a federal regulatory standard, the Privacy
Rule preempts only those contrary state laws relating to the privacy
of individually identifiable health information that have less
stringent requirements or standards than the Privacy Rule (i.e., more
stringent laws remain in effect). In addition, DHHS may, upon specific
request from a state or other entity or person, determine that a
provision of state law that is contrary to the federal requirements
and that meets certain additional criteria, will not be preempted by
the federal requirements. Thus, preemption of a contrary state law
will not occur if the Secretary or designated DHHS official
determines, in response to a request, that the state law 1) is
necessary to prevent fraud and abuse related to the provision of or
payment for health care; 2) is necessary to ensure appropriate state
regulation of insurance and health plans to the extent expressly
authorized by statute or regulation; 3) is necessary for state
reporting on health-care delivery or costs; 4) is necessary to serve a
compelling public health, safety, or welfare need, and, if a Privacy
Rule provision is at issue, if the Secretary determines that the
intrusion into privacy is warranted when balanced against the need to
be served; or 5) has as its principal purpose the regulation of the
manufacture, registration, distribution, dispensing, or other control
of any controlled substances. The Privacy Rule specifically does not
preempt contrary state public health laws that provide for the
reporting of disease or injury, child abuse, birth or death, or for
the conduct of public health surveillance, investigation, or
intervention [45 CFR § 160.202].
|
|
|
|