My State law authorizes health care providers to report suspected child abuse to the State Department of Health and Social Services. Does the HIPAA Privacy Rule preempt this State law?

Answer:

No. The Privacy Rule permits covered health care providers and other covered entities to disclose reports of child abuse or neglect to public health authorities or other appropriate government authorities. See 45 C.F.R. 164.512(b)(1)(ii). Thus, there is no conflict between the State law and the Privacy Rule, and no preemption. Covered entities may report such information and be in compliance with both the State law and the Privacy Rule.

Further, even in the unusual case where a State law that provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention is contrary to a provision of the Privacy Rule – that is, it is impossible for a covered entity to comply with both the Privacy Rule and the State law, or the State law is an obstacle to accomplishing the full purposes and objectives of HIPAA’s Administrative Simplification provisions – the Administrative Simplification Rules specifically provide an exception to preemption of State law. Thus, if a provision of State law provided for public health surveillance and was contrary to the Privacy Rule, the State law would prevail. Because the Administrative Simplification Rules except such contrary State laws from preemption, it is neither necessary nor appropriate to request a preemption exception determination from the Department of Health and Human Services.

See 45 C.F.R. 160.202 for the definition of "contrary" and 45 C.F.R. 160.203 for the general rule and exceptions to preemption.  View an unofficial version of the Privacy Rule and the preemption requirements.