When Can a State Law Override HIPAA? Understanding Exception Determinations (45 CFR § 160.204)

Executive Summary

HIPAA establishes nationwide privacy standards for protected health information (PHI), but it isn’t always the final word. Under 45 CFR § 160.204, states can request an “exception determination” from the U.S. Department of Health and Human Services (HHS), allowing specific state laws to override HIPAA. For small healthcare practices, understanding when state law preempts federal rules and when it doesn’t is essential to navigating compliance in overlapping legal landscapes. This guide explains how exception determinations work, when they apply, and what your practice must do to stay compliant across jurisdictions.

Introduction

Healthcare providers are often told that HIPAA is the federal floor for privacy: state laws can be more protective, but not less. While generally true, there’s a legal process that allows states to formally override HIPAA in narrow circumstances.

That process, known as an exception determination, is governed by § 160.204 of the HIPAA Administrative Simplification Rules. When granted, it means a specific state law, not HIPAA, controls how certain PHI is handled.

For small practices operating in states with unique privacy statutes (such as mental health, HIV, or reproductive health records), misunderstanding these exceptions can lead to violations or under-disclosure. This article clarifies what exception determinations are, how they are granted, and what you need to know to stay on the right side of both state and federal law.

What Is an Exception Determination Under § 160.204?

An exception determination is a formal process by which a state requests HHS to approve a state law that would otherwise conflict with HIPAA. If granted, the state law takes precedence, meaning covered entities in that state must follow the more specific or different rule, rather than the default HIPAA standard.

To qualify, the state must demonstrate that its law:

  • Is necessary to prevent fraud or abuse
  • Is necessary to ensure appropriate state regulation of insurance or health plans
  • Is necessary for state reporting on health care delivery or costs
  • Serves a compelling public health, safety, or welfare interest
  • Has as its principal purpose the regulation of controlled substances

States must submit their request in writing to the Secretary of HHS, including supporting documentation and analysis.

How the Exception Determination Process Works

Step 1: State Submits Request

The state’s attorney general or relevant official submits a formal request to HHS. This includes:

  • The specific state law provision in question
  • An explanation of how it conflicts with HIPAA
  • Justification under one of the § 160.204 criteria
  • Evidence that the state law serves a compelling need

Step 2: HHS Reviews the Request

HHS evaluates whether the state law meets one of the exception criteria and whether granting the request would still protect individuals' privacy rights under HIPAA.

Step 3: Decision Published

If approved, HHS issues an official exception determination, which is publicly posted and becomes binding in that state. The determination outlines which provisions of HIPAA are overridden and what rules covered entities must follow instead.

Step 4: Covered Entities Must Comply

Once an exception determination is granted, covered entities in that state must follow the approved state law, even if it conflicts with federal HIPAA rules.

A Case Study: Massachusetts Substance Use Privacy Law Prevails

In 2012, Massachusetts enacted a law restricting the disclosure of substance use treatment records, requiring patient consent even for treatment or payment purposes. The law conflicted with HIPAA, which allows certain disclosures without consent for these activities.

The state sought an exception determination from HHS under § 160.204, arguing that the law was essential for protecting public trust and encouraging individuals to seek treatment without fear of stigma.

HHS approved the request, concluding that the state’s law met the “compelling public health interest” criterion. As a result, all covered entities in Massachusetts became legally bound to follow the stricter state rule, not the more permissive HIPAA standard.

A small addiction treatment clinic in Boston, unaware of the exception determination, later disclosed treatment records to an insurer without patient consent. A complaint was filed, and the clinic was cited for violating state law, not HIPAA. The incident resulted in a $15,000 state fine and required corrective action.

This real-world example underscores why small practices must be aware not only of HIPAA, but of HHS-approved state exceptions as well.

How to Know If a State Law Overrides HIPAA

Not all state laws require an exception determination. Under HIPAA’s preemption rules:

  • If the state law is more stringent than HIPAA in protecting PHI, it automatically prevails without an exception determination.
  • If the state law conflicts with HIPAA and is not more stringent, it is generally preempted unless HHS has issued an exception determination under § 160.204.

Key Questions to Ask:

  1. Does your state law conflict with a HIPAA standard?
  2. Has your state law been determined by HHS to override HIPAA under § 160.204?
  3. Is the state law more protective of individual privacy? (If yes, it may apply regardless.)

Where to Find Exception Determinations

Approved exception determinations are available on the HHS.gov website. As of this writing, exceptions have been granted in areas such as:

  • Mental health record disclosures
  • HIV and AIDS-related information
  • Prescription drug monitoring
  • Substance use treatment
  • Health plan reporting requirements

Providers should consult:

  • State health departments or privacy officers
  • HIPAA legal counsel
  • HHS/OCR guidance on state law preemption

Common Pitfalls for Small Practices

  • Assuming HIPAA always overrides state law
  • Relying on outdated HIPAA training materials
  • Failing to check for exception determinations in your state
  • Disclosing PHI under HIPAA authority when state law is stricter
  • Not updating policies and procedures after a new determination is issued

Expert Tips for Small Practice Compliance

  • Add a step to your privacy review process that checks for state-level exceptions.
  • Subscribe to OCR updates and your state’s health department newsletters.
  • When in doubt, follow the stricter standard, whether HIPAA or state law.
  • Maintain a list of all state-specific PHI laws applicable to your practice.
  • Consult with counsel before responding to PHI requests that may be governed by a state exception.

Simplified Checklist: What to Do When State Law and HIPAA Conflict

| Task | Responsible Party | Timeline | Reference |
|---|---|---|---|
| Identify the conflicting HIPAA and state provisions | Privacy Officer | Upon discovery | 45 CFR § 160.203 |
| Check HHS for an exception determination | Compliance Lead | Same day | HHS.gov |
| Assess whether state law is more stringent | Privacy Officer + Legal | Within 2 business days | HIPAA Preemption Rule |
| Update internal policy if exception exists | Policy Administrator | Within 1 week | 45 CFR § 160.204 |
| Train staff on applicable state rule | Compliance Officer | Before implementation | HIPAA Training Logs |
| Document compliance steps taken | Compliance Lead | Ongoing | 45 CFR § 164.530(j) |

Regulatory References and Official Guidance

Concluding Recommendations and Next Steps

Understanding when a state law overrides HIPAA is more than just a legal technicality; it’s a vital part of your practice’s compliance strategy. Under § 160.204, states can formally seek and receive permission from HHS to enforce certain rules in place of HIPAA.

For small practices, staying compliant means:

  • Monitoring federal and state laws regularly
  • Knowing your state’s exception status
  • Updating your policies and staff training accordingly
  • Asking legal counsel when in doubt

The safest rule of thumb? When federal and state laws collide, always follow the law that most protects patient privacy unless an approved exception tells you otherwise.
