I have been assigned the task of investigating what state privacy laws are out there that may be more liberal than HIPAA privacy requirements.
I am aware that the state of CA has passed a bill on privacy. What other states have done so? Can anyone recommend a good referral source for this info?
We are self insured and have employees in all 50 states.
Much thanks

I would try the American Hospital Association web site (www.aha.org). I have heard that they have a state by state list; however, we are not a hospital, so i have not seen it.
I would also try www.wedi.snip.org and www.hipaadvisory.org.

Contact me if offline if you would like anymore information.

aha has soemthing about state laws on theri website but you must be a member to access
The other 2 sites were not available?

It is wedi.snip.org and www.hipaadvisory.com. Sorry about that. I am not sure you are going to be able to find a single location for this info. You might also try hipaasummit.com and look through the past presentations for the information. I know they have addressed this issue with some states in the past, i just don't know if they are all included.

alexa48 -- What sort of covered entity are we talking about? If we’re talking about an employer that sponsors a self-insured group health plan (and is not otherwise a covered entity such as a hospital system), you may be lucky. While the HIPAA privacy regs do not preempt more stringent state laws, the HIPAA privacy regs do not change or in any way diminish ERISA preemption of state law. This is actually discussed in the preamble of the HIPAA privacy regs.

Linda,
We are for the most part self-insured.
We have some HMO's as well in about a dozen states.
So from what you are saying, we only have to worry about the states where we have the HMO's? If so, great news! I'll doublecheck the preamble.
Thanks

My guess is that any state privacy laws that are more stringent than the HIPAA rules apply to the HMOs, but not to the employer paying for the HMOs. Again, I think it’s a question of ERISA preemption when we’re talking about the handling of health information generated in connection with a group health plan. A state can reach an HMO (or insurer) but cannot reach the employer on group health plan matters. Like state mandated benefits. So, if I'm right, the HMOs need to compare HIPAA to state law and comply with the more stringent. This could affect what (if any) info the employer can get out of the HMO. But, while the employer does need to comply with HIPAA (if it gets more than summary health info out of the HMO), the employer doesn't have to be concerned about compliance with more stringent state law.

Georgetown did a comprehensive summary of state privacy laws. I don't know if it's regularly updated, but it's a good starting point:

http://www.healthprivacy.org/info-url_noca...o-url_nocat.htm