Impending Changes to Notice of Privacy Practices and State Compliance

Impending Changes to Notice of Privacy Practices: A Close Examination of State Laws

As the February 16, 2026 deadline for updating the Notice of Privacy Practices (NPP) approaches, covered entities must carefully assess whether state laws require additional compliance measures. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule sets a federal floor for health information privacy, but under its "floor preemption" framework states retain the latitude to enact more rigorous requirements: state laws may impose stricter privacy standards than those mandated federally, and those stricter standards survive.

It is crucial for covered entities to determine whether any state laws impose obligations beyond HIPAA's standards. Although the federal rules set a minimum level of protection, the past decade has seen numerous states enact distinctive privacy protection laws. These laws can impose greater obligations on entities than HIPAA does, so understanding them is essential as preparations for the upcoming NPP changes are made.

The general rule under HIPAA is that federal law preempts a "contrary" state law, meaning one that makes compliance with both the state and federal requirements impossible, or that stands as an obstacle to the objectives of HIPAA's Administrative Simplification provisions. However, an exception exists for state laws that are "more stringent." A state law is considered "more stringent" when it provides greater privacy protections for individuals' health information than the federal standard, for example by restricting a use or disclosure that HIPAA would permit or by granting individuals broader rights over their information.

Regarding the NPP, the “more stringent” standards are particularly relevant. For example, if a state law or another applicable law such as 42 CFR Part 2 concerning substance use disorder records is more stringent, the NPP must incorporate those rules. Several state laws exemplify cases where stronger privacy protections may be required.

Certain state laws, notably several comprehensive consumer privacy statutes, generally exempt HIPAA-covered entities and their business associates from their provisions, while other state health information laws apply regardless of HIPAA status. Covered entities therefore cannot assume that a given state law does or does not reach them; they must conduct a law-by-law assessment to determine which state laws apply and whether any impose more rigorous standards than HIPAA. This analysis is critical to ensure NPPs reflect the most protective applicable standards and to avoid preemption disputes between federal and state law.

Covered entities are advised to begin this analysis well in advance to align their NPPs with practical operations and incorporate the most protective privacy measures. This proactive approach can help navigate complex compliance landscapes efficiently and avoid potential legal and regulatory challenges.

[Reference: Holland & Hart Health Law Blog]