In general, a State law is “more stringent” than the HIPAA Privacy Rule if it relates to the privacy of individually identifiable health information and provides greater privacy protections for individuals’ identifiable health information, or greater rights to individuals with respect to that information, than the Privacy Rule does. See the definition of “more stringent” at 45 CFR 160.202 for the specific criteria. For example, a State law that provides individuals with a right to inspect and obtain a copy of their medical records in a more timely manner than the Privacy Rule is “more stringent” than the Privacy Rule.

In the unusual case where a more stringent provision of State law is contrary to a provision of the Privacy Rule, the Privacy Rule provides an exception to preemption for the more stringent provision of State law, and the State law prevails. Where the more stringent State law and Privacy Rule are not contrary, covered entities must comply with both laws.

See 45 CFR Part 160, Subpart B, for specific requirements related to preemption of State law. View an unofficial version of the Privacy Rule and the preemption requirements. – PDF.