Understanding HIPAA and Its Interaction with State and Federal Confidentiality Laws

HIPAA Privacy Restrictions and Part 2

HIPAA, the body of regulations designed to protect the confidentiality of patient health care information, has been highly effective in creating widespread awareness within health care facilities. Most staff members understand that HIPAA prohibits them from discussing patients outside of work and from disclosing protected patient information to third parties unless there is a valid HIPAA exception or the patient has provided authorization for disclosure.

The strong “branding” of HIPAA is beneficial, as it reinforces regulatory awareness and helps safeguard patient confidentiality. However, from a legal perspective, this heightened awareness sometimes leads to the assumption that any potential disclosure of patient information is automatically a “HIPAA issue.” While this generalization represents a positive sensitivity to confidentiality, it can also obscure the fact that other, sometimes more protective, laws may apply to certain situations. 

Despite its prominence, HIPAA is not the only law safeguarding patient information, nor does it always offer the highest level of protection. While HIPAA sets a national baseline for privacy, many professionals mistakenly assume it is the sole standard. Compliance with patient privacy regulations requires a broader understanding of how HIPAA interacts with other confidentiality regulations, ensuring that all applicable standards are met in each circumstance. Other state and/or federal law can, in some instances, provide more protection of patient privacy than HIPAA.

Beyond HIPAA: Other Protective Laws

There are several laws that can provide greater confidentiality protection than HIPAA. These include specific state law requirements, enhanced protections for mental health treatment records, and special laws governing substance and alcohol treatment records. By broadly labeling all confidentiality matters as “HIPAA issues,” there is a risk that the nuanced requirements of these other laws may be overlooked. In extreme cases, this oversight can result in facility policies that, if followed, could violate the law by failing to properly identify which regulations apply in a particular scenario.

In addition to HIPAA, a complex patchwork of state and federal laws governs the confidentiality of health information. Many states have statutes that set higher standards of privacy or apply to categories of records not explicitly addressed by HIPAA, such as mental health, HIV/AIDS, or genetic information. Similarly, certain federal laws, like 42 CFR Part 2, which applies to substance use disorder records, impose even stricter requirements for consent and disclosure. As a result, health care providers, administrators, and compliance officers must be aware of overlapping legal obligations and consistently apply the most protective standard to ensure full legal compliance and safeguard patient trust.

Illustration: Application of State Law in Wisconsin

To illustrate this principle, consider the state of Wisconsin, which maintains its own “HIPAA” statute codified at Wisconsin Statutes 146.32. Wisconsin law often imposes more stringent or protective requirements on patient confidentiality than those set forth under HIPAA. In addition to general confidentiality provisions, Wisconsin enforces specific regulations concerning mental health treatment records as outlined in Statute 51.30 and administrative directives at DHS 92. These protections are notably stricter than both HIPAA requirements and state standards applicable to general patient records. Historically, restrictions governing mental health records were so rigorous that providers could not share a patient’s records with another treating provider without obtaining explicit written consent from the patient.

Recognizing the practical challenges associated with these heightened restrictions, Wisconsin enacted the “HIPAA Harmonization Act” in 2013. This legislation mitigated some of the most burdensome limitations and introduced a requirement for providers to “triage” each disclosure request. Through this triage process, providers must determine whether the more permissive HIPAA rules or the more restrictive state statutes take precedence, especially regarding mental health treatment records.

The Triage Process Under Wisconsin Law

Pursuant to the HIPAA Harmonization Act, HIPAA governs disclosures related to “payment, treatment, or health care operations.” Subsequently, Wisconsin expanded these provisions to cover narrowly defined emergencies, thereby permitting disclosures to other treating providers if consistent with HIPAA. While HIPAA would generally mandate disclosure to a treating provider, for disclosures beyond treatment, payment, health care operations, or specified emergency situations, the more restrictive state law prevails. Although certain exceptions exist under Wisconsin law, they are considerably narrower than those allowed under HIPAA.

HIPAA Preemption and the Harmonization Act

HIPAA’s preemption rules generally require that the more restrictive law, whether federal or state, be applied. If HIPAA is more restrictive, it prevails; if state law is more restrictive, the state law applies. However, under the Wisconsin Harmonization Act, this preemption analysis does not apply in situations where HIPAA governs (i.e., disclosures for payment, treatment, or health care operations), since the Act’s very purpose is to specify when HIPAA standards override state law. In cases where the Harmonization Act dictates that the more restrictive state law applies, that law is followed unless HIPAA is even more restrictive. Thus, providers must always be attentive to which set of rules is most protective in each scenario.

Preemption refers to the circumstance in which HIPAA’s regulations override state law, except where the state law is more stringent regarding privacy protections. Under the Harmonization Act, Wisconsin providers must always identify the law that offers the greatest protection to patient information and apply that standard. This approach underscores the necessity for health care professionals to conduct careful legal analysis and remain vigilant to changes in both federal and state confidentiality requirements.

SAMHSA Part 2: The Most Restrictive Regulations

Among the various federal regulations, 42 CFR Part 2, administered by the Substance Abuse and Mental Health Services Administration (SAMHSA), stands out as one of the most restrictive frameworks for protecting the confidentiality of substance use disorder (SUD) treatment records. Part 2 imposes limitations that go beyond HIPAA and most state laws, requiring explicit written consent from the patient before most disclosures can be made, even for purposes like treatment, payment, or health care operations. This heightened level of protection is intended to encourage individuals to seek treatment without fear that their sensitive SUD information will be widely disclosed.

For health care providers, compliance with Part 2 means that, when SUD records are involved, the strictest standard must be applied, often necessitating a separate consent process and additional safeguards. In practice, this may require maintaining SUD records separately from other health information and routinely verifying the legal basis for any disclosure. Providers must also stay alert to evolving federal and state regulations, as changes to SAMHSA Part 2 or state law may further impact confidentiality protocols.

Avoiding the “HIPAA Bias” in Compliance

The detailed requirements and exceptions of these regulations are complex, but the essential point is this: referring to all patient confidentiality matters as “HIPAA issues” can be misleading and potentially dangerous from a compliance perspective. Overreliance on generic “HIPAA” policies, or hiring consultants without sensitivity to state and federal nuances, can institutionalize what is referred to as the “HIPAA bias.” This can leave organizations vulnerable to compliance failures if they do not carefully consider all relevant laws.

Conclusion: Applying the Correct Law

Wisconsin provides a clear example of how both state and federal laws must be considered when determining the appropriate approach to patient information disclosures. Many other states also provide heightened confidentiality protections for certain types of information, such as mental health records. It is critical to accurately identify and apply all relevant laws in policy and practice to ensure full compliance and avoid the pitfalls of the “HIPAA bias.”

For more information, please contact your PhysiciansHealthLawyers.com health care attorney.

Physicians Health Lawyers