“Complying with HIPAA Privacy and State Law: Implementation Issues for Multistate Companies,” Privacy Officers Advisor, Vol. 2, No. 1, October 2002.
Health insurers and managed care companies must comply with both HIPAA and state law wherever that is possible. When the two conflict, they must follow whichever provision satisfies the stringency test set out in the HIPAA privacy rule's preemption provisions, under which a contrary state law survives only if it is more stringent than the federal rule. This compliance analysis is quite complex for health care organizations that sell multiple products, operate in multiple states, and serve multiple markets. The article provides a guide to the process. First, each health care organization must identify the clients and products for which it carries full HIPAA obligations as a covered entity (health plan), and those for which it carries only the narrower obligations of a business associate to a group health plan. Next, it must identify the specific state law provisions that must be compared against HIPAA and determine which provisions control. Finally, it must incorporate the applicable state-level requirements into its policies, procedures, and processes.