HITECH and State Breach Laws: A Guide to Preemption for Small Practices (42 U.S.C. § 1320d–7)

Executive Summary

When a breach of protected health information (PHI) occurs, healthcare providers must navigate a web of federal and state laws. The Health Information Technology for Economic and Clinical Health (HITECH) Act, which strengthened HIPAA, added a national breach notification standard. But each state may also have its own breach laws with different timelines, definitions, and reporting requirements.

The legal concept of preemption determines whether federal or state law takes priority. Under 42 U.S.C. § 1320d–7, HIPAA and HITECH generally preempt state laws that conflict with federal standards, except when state laws are more stringent in protecting patient privacy. For small practices, understanding this balance is essential to avoid legal missteps and ensure timely compliance. 

This guide explains how preemption works, how state breach laws interact with HITECH, and what practical steps you can take to manage dual compliance obligations.

Understanding Preemption Under HIPAA and HITECH

42 U.S.C. § 1320d–7 provides that the federal HIPAA standards supersede any contrary provision of state law, with a short list of exceptions. The ones that matter for breach response are state laws that:

  • Relate to the privacy of individually identifiable health information and are more stringent than the federal standard

  • Provide for public health reporting, surveillance, investigation or intervention, or for state regulatory reporting by health plans

  • Address controlled substances

The statute also lets the HHS Secretary except a state law found necessary to prevent fraud and abuse, to regulate insurance and health plans, or for state reporting on health care delivery or costs; those determinations are made case by case and rarely bear on breach notification.

This means that if a state’s breach notification rule is more stringent (for example, requiring notice within 30 days instead of 60), your practice must meet the state requirement in addition to the federal one; satisfying the federal rule alone is not a defense.

HITECH builds on HIPAA’s preemption framework by incorporating breach notification obligations into the federal rule set, while still allowing states to impose stricter timelines or broader definitions of personal information.

Federal vs. State Breach Notification Requirements

Under the HIPAA/HITECH breach notification rule:

  • Timeline: Covered entities must notify affected individuals without unreasonable delay, and no later than 60 calendar days after discovery of the breach. The 60 days is an outer limit, not a safe harbor; waiting until the final week without a reason can itself be an unreasonable delay.

  • Scope: Applies to breaches of unsecured PHI, meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance. Properly encrypted data whose key was not also compromised falls outside the rule, which is the main technical reason to encrypt PHI at rest and in transit. Ransomware that encrypts PHI is treated by HHS as a presumed breach unless a documented risk assessment shows a low probability that the PHI was compromised.

  • Recipients: Affected individuals always; HHS, contemporaneously for breaches affecting 500 or more individuals and in an annual log (due within 60 days after the end of the calendar year) for smaller breaches; and prominent media outlets when more than 500 residents of a single state or jurisdiction are affected. A business associate must notify the covered entity within the same 60-day limit.

  • Content: Notices must include a description of the breach, the dates of the breach and of its discovery if known, the types of information involved, steps individuals should take to protect themselves, what the practice is doing to investigate and mitigate, and contact procedures for questions.

State breach laws, however, often differ in key respects:

  • Shorter timelines: Some states require notice within 30 days of discovery, and a few set even shorter deadlines for notifying the state regulator.

  • Broader definitions: States may define “personal information” to include elements beyond PHI, such as Social Security numbers, driver’s license numbers, or financial account numbers, so a breach of billing data can trigger state law even where the HIPAA analysis is uncertain.

  • Additional recipients: Some states require notice to the state attorney general or consumer protection agency, and many require notice to the consumer reporting agencies once the number of affected residents crosses a threshold.

Real-Life Case Study: A State Law Penalty Despite Federal Compliance

In 2020, a small dental practice in the Southeast experienced a ransomware attack that encrypted its appointment scheduling system. The practice completed a HIPAA-compliant risk assessment, determined the breach involved unsecured PHI, and sent notifications to patients within 55 days, well within the federal 60-day limit.

However, the practice overlooked its state’s stricter requirement to notify the attorney general and affected individuals within 30 days. As a result, the state imposed a $25,000 civil penalty for late notification under state law, even though the practice was fully compliant under HITECH.

Lesson Learned: Compliance with federal law does not guarantee compliance with state law. Practices must check both sets of rules for every breach.

The “More Stringent” Standard

HHS (45 CFR 160.202) treats a state law as “more stringent” when, among other things, it restricts a use or disclosure that HIPAA would permit, gives individuals greater rights of access to or amendment of their own health information, gives them more information about how their data is used or disclosed, or otherwise provides greater privacy protection. When a state requirement is more stringent, it is not preempted by HIPAA/HITECH and must be followed.

Examples of more stringent state provisions include:

  • Faster notification timelines

  • Mandatory notification to state agencies

  • Expanded definitions of what constitutes a breach

  • Broader scope of individuals who must be notified

How to Determine Which Law Applies

When a breach occurs, follow these steps:

  1. Identify all applicable jurisdictions: Determine where affected individuals reside, not just where your practice is located.

  2. Check state laws: Review the breach notification laws for each relevant state.

  3. Compare to federal requirements: Note differences in timelines, scope, and reporting obligations.

  4. Apply the stricter standard: If state law is more stringent, follow it in addition to meeting federal requirements.

  5. Document your decision-making: Keep a record of your legal analysis in case of an investigation.
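Once the rules are on file, the five steps above reduce to a small calculation: every clock starts at the discovery date, the earliest deadline governs the whole response, the recipient list is the union of what every applicable rule demands, and a state with no rule on file is a stop sign rather than a reason to fall back to the federal 60 days. The following Python is an added example, not code from the original page. The federal figures it encodes (60 calendar days from discovery, HHS reporting for breaches of 500 or more, media notice above 500 residents of one state) are from the HIPAA/HITECH breach notification rule; the `STATE_RULES` table, the state codes `ST-A`, `ST-B` and `ST-Z`, their day counts and recipients, and the sample incident are all constructed for illustration and are not real statutes.

```python
"""Multi-jurisdiction breach-notification planner (added example).

Federal figures follow the HIPAA/HITECH breach notification rule. STATE_RULES is a
constructed placeholder: its states, day counts and recipients are hypothetical and
must be replaced with counsel-verified values before any real use.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Rule:
    jurisdiction: str
    days_after_discovery: int      # outer limit, in calendar days from discovery
    recipients: tuple[str, ...]    # who must receive notice under this rule


# Federal baseline: without unreasonable delay, and no later than 60 calendar days.
FEDERAL = Rule("Federal (HIPAA/HITECH)", 60, ("affected individuals",))

# HYPOTHETICAL state rules, constructed for this example. Not real statutes.
STATE_RULES = {
    "ST-A": Rule("ST-A (hypothetical)", 30, ("affected individuals", "state attorney general")),
    "ST-B": Rule("ST-B (hypothetical)", 45, ("affected individuals",)),
}


@dataclass
class Plan:
    deadlines: dict[str, date]   # jurisdiction -> outer-limit date
    binding: tuple[str, date]    # the earliest deadline, which governs the whole response
    recipients: list[str]        # union of every recipient any applicable rule names
    unresolved: list[str]        # states with no rule on file: stop and get counsel review


def _as_date(value) -> date:
    """Accept a date or an ISO-8601 string such as '2024-03-01'."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def federal_recipients(affected: dict[str, int]) -> list[str]:
    """Federal recipients beyond the individuals themselves depend on breach size."""
    recips = list(FEDERAL.recipients)
    if sum(affected.values()) >= 500:
        recips.append("HHS (OCR), within the same 60-day window")
    else:
        recips.append("HHS (OCR), annual log due within 60 days after the end of the calendar year")
    # Media notice is assessed per state: more than 500 residents of one state or jurisdiction.
    for state, count in sorted(affected.items()):
        if count > 500:
            recips.append(f"prominent media outlets serving {state}")
    return recips


def plan_notifications(discovery, affected: dict[str, int]) -> Plan:
    """Build the notification plan for one breach.

    Every clock starts at `discovery`, not at the end of the investigation.
    `affected` maps each state where affected individuals reside to the number
    of residents involved.
    """
    discovery = _as_date(discovery)
    # Normalise state codes; merge counts if one state appears in two spellings.
    by_state: dict[str, int] = {}
    for state, count in affected.items():
        key = state.strip().upper()
        by_state[key] = by_state.get(key, 0) + count

    rules = [FEDERAL]
    unresolved = []
    for state in sorted(by_state):
        rule = STATE_RULES.get(state)
        if rule is None:
            unresolved.append(state)   # never silently fall back to the federal 60 days
        else:
            rules.append(rule)

    deadlines = {r.jurisdiction: discovery + timedelta(days=r.days_after_discovery) for r in rules}
    binding = min(deadlines.items(), key=lambda kv: kv[1])

    recipients = set(federal_recipients(by_state))
    for rule in rules[1:]:
        recipients.update(rule.recipients)
    return Plan(deadlines, binding, sorted(recipients), unresolved)


def decision_record(discovery, affected: dict[str, int]) -> list[str]:
    """Plain-text lines to file with the breach documentation (step 5 above)."""
    discovery = _as_date(discovery)
    plan = plan_notifications(discovery, affected)
    lines = [f"Discovery date: {discovery.isoformat()}"]
    for jurisdiction, deadline in sorted(plan.deadlines.items(), key=lambda kv: kv[1]):
        lines.append(f"  {jurisdiction}: notify by {deadline.isoformat()}")
    lines.append(f"Binding deadline: {plan.binding[1].isoformat()} ({plan.binding[0]})")
    lines.extend(f"  Recipient: {r}" for r in plan.recipients)
    lines.extend(f"  UNRESOLVED: no rule on file for {s}; obtain counsel review before relying on the federal timeline"
                 for s in plan.unresolved)
    return lines


if __name__ == "__main__":
    # Constructed sample incident: discovered 1 March 2024; residents of three states affected.
    print("\n".join(decision_record("2024-03-01", {"ST-A": 120, "ST-B": 640, "ST-Z": 3})))
```

For the constructed incident the binding deadline is the hypothetical ST-A 30-day limit (31 March 2024), not the federal 30 April; ST-B’s 640 residents trigger media notice for that state alone; and ST-Z is reported as unresolved because the table has no entry for it. Treat the record the function prints as the start of the documentation trail, not the end: attach the legal analysis behind each state entry and the evidence for the discovery date.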

Building a Compliance Plan for Dual Obligations

For small practices, preparing for both federal and state requirements means having:

  • A breach notification policy that references both HIPAA/HITECH and relevant state laws

  • Access to a state law reference chart that is updated annually

  • Relationships with legal counsel or compliance consultants who can advise on specific breach scenarios

  • A workflow checklist that accounts for multiple notification timelines

HITECH and State Breach Laws Compliance Checklist

Task | Responsible | Frequency
--- | --- | ---
Identify all states where affected patients reside | Compliance Officer / Privacy Officer | Immediately after breach
Review each applicable state’s breach notification laws | Compliance Officer / Legal Counsel | Annually
Compare state breach timelines and requirements with federal HITECH standards | Compliance Officer | Annually / as needed
Apply the stricter timeline and notification content (state or federal) | Compliance Officer / Privacy Officer | Per breach event
Confirm whether state laws require additional notifications (e.g., attorney general, consumer reporting agencies) | Compliance Officer | Per breach event
Update breach notification policies to include federal and state law obligations | Compliance Officer / Policy Manager | Annually or when laws change
Maintain an up-to-date state-by-state breach law reference guide | Compliance Officer | Annually
Document the breach discovery date clearly and base every notification deadline on it | Privacy Officer / Records Manager | Per breach event
Train all staff on federal and relevant state breach notification requirements, including multi-state compliance | Practice Manager / Compliance Officer | Annually
Prepare workflows for managing multi-state notification deadlines and recipients | Compliance Officer / IT Manager | Annually or per breach
Consult legal counsel or compliance experts for complex multi-state breaches | Compliance Officer / Legal Counsel | Per breach event
Retain detailed records of breach investigations and all notifications sent | Records Manager | Ongoing
Review and update breach notification policies to reflect changes in state or federal law | Compliance Officer / Policy Manager | Annually

Common Pitfalls and How to Avoid Them

Pitfall 1: Assuming Federal Compliance Is Enough

Many practices make the mistake of following only the HITECH 60-day rule, ignoring stricter state timelines.

How to Avoid It: Always check the breach laws for the states where your patients reside. Maintain a state-by-state quick reference guide.

Pitfall 2: Overlooking State Reporting Recipients

Some states require notice to the attorney general or consumer affairs office in addition to patients. Missing these requirements can lead to penalties.

How to Avoid It: Include all required recipients in your breach response checklist, and assign responsibility for each notification.

Pitfall 3: Ignoring Non-PHI Definitions

State laws may protect categories of personal information beyond PHI, such as driver’s license numbers or payment card data.

How to Avoid It: When a breach involves mixed data, assess all potentially applicable definitions under state law.

Pitfall 4: Misjudging the “Discovery” Date

Federal and most state timelines run from the date the breach is discovered, not from the date the investigation concludes. Under HIPAA, a breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent of the practice other than the person who committed it. An alert that sat unread in a security tool’s queue can therefore start the clock before anyone consciously “discovers” anything.

How to Avoid It: Document the exact discovery date and how it was established, and base all deadlines on that date, not on the conclusion of your investigation.

Pitfall 5: Not Considering Multi-State Breaches

If a breach involves patients from several states, you may have to comply with multiple sets of deadlines and content requirements.

How to Avoid It: Default to the shortest applicable timeline and the most comprehensive notification content to ensure full compliance. Where states prescribe different content or format requirements, a single combined letter must satisfy each of them.

Pitfall 6: Lack of Policy Updates

State laws change frequently, and outdated policies can cause compliance failures.

How to Avoid It: Schedule annual policy reviews and update your breach procedures when laws change.

Pitfall 7: Failing to Train Staff on State Law Requirements

Front-line employees may not understand the urgency created by certain state laws.

How to Avoid It: Include state-specific breach notification rules in your annual HIPAA training.

References and Further Reading

  1. HHS HIPAA Preemption Guidance

  2. 42 U.S.C. § 1320d–7 – General Effect of State Law

  3. National Conference of State Legislatures – Security Breach Notification Laws

Final Thoughts and Recommended Next Steps

For small practices, navigating the intersection of HITECH breach notification rules and state-specific data breach laws can be complex and risky. While federal law establishes a baseline for notification requirements, many states impose stricter timelines, broader definitions of personal information, or additional recipients for breach notifications. These heightened state requirements are not preempted by HITECH, meaning both must be followed.

The safest and most defensible strategy is to consistently apply the most stringent applicable standard in every breach situation. This approach minimizes the chance of missing a deadline or omitting a required notification. It is equally important to ensure that every action taken, whether sending letters, notifying regulators, or documenting investigative steps, is recorded in detail for audit and legal purposes.

Next Steps for Your Practice:

• Create and maintain a state-by-state breach law reference guide.
• Review your breach notification policy to incorporate both federal and state rules.
• Train your workforce on multi-jurisdiction compliance.
• Build relationships with legal and compliance experts.
• Keep meticulous records of all notification decisions and actions.

Boosting compliance resilience requires more than policies alone. A HIPAA compliance automation solution can streamline processes, simplify record-keeping, and deliver continuous risk assessments, helping you stay audit-ready and avoid compliance pitfalls.