[ Thursday, September 19, 2002 ]
California Dreamin' about HIPAA: The California legislature passed a bill, which Gov. Gray Davis signed last week, that allows the state's Office of HIPAA Implementation to determine which provisions of California law have been preempted by HIPAA.
There's been a lot of chatter recently about preemption, especially here in Texas (our legislature only meets every odd-numbered year, from January through May, so the pre-legislative activities are starting up). Many state legislatures, such as Texas', have jumped on the privacy bandwagon, and many politicians want to be able to paint themselves as pro-medical record privacy (hey, who wouldn't be?). That has resulted in many states adopting their own version of HIPAA. Texas did that, but the problem is that they adopted a statute very similar to the final privacy rules, PRIOR TO the August final revisions. So, under Texas law, a provider still needs a consent, even though under HIPAA the consent is optional.
Additionally, many states had privacy laws before HIPAA. As you should know, HIPAA preempts state laws that are less stringent than HIPAA, but leaves in place state laws that are more stringent (the problem: state laws that are different rather than stronger or weaker, or laws where it is hard to determine if the state law is stronger or weaker). There are two potential points of confusion from this partial preemption: from the state side and from the HIPAA side. For confusion from the federal side, states are given the authority to ask HHS whether a particular state law is preempted by HIPAA; in other words, states can rely on HHS to say whether a state law has been preempted. What California has done is more proactive. The state Office of HIPAA Implementation will determine on its own if a state law has been preempted. Those laws will then be unenforced by the state, until the legislature can officially repeal them.
Actually, a pretty sensible approach. California has a full-time legislature, though, and doing something similar in Texas will be harder (changes to HIPAA between legislative sessions will leave the state and federal rules divergent). It would have been better if the state legislatures could have just acknowledged that the Feds were carrying the water here, but it was too popular -- and populist -- a position for a politician to leave alone.
Perhaps other states can emulate this approach. It sure would be nice to be able to really tell what the rules are.
Speaking of which: Those fun folks at the Georgetown Privacy Project have added more states to their summaries of state privacy laws. They are now up to 36 states and DC. (They provide some old or partial information on the 14 states they haven't yet done.) You can find their summaries
here.
Jeff [8:51 AM]
http://www.blogger.com/template-edit.g?blogID=3380636
Blogger: HIPAA Blog - Edit your Template
