Stricter State Law § 160.203
General rule. A standard, requirement, or implementation specification adopted
under or pursuant to this subchapter that is contrary to a provision of State law
preempts the provision of State law. This general rule applies, except where one
or more of the following conditions is met:
(a) A determination is made by the Secretary pursuant to § 160.204(a) that the
provision of State law:
(1) Is necessary:
(i) To prevent fraud and abuse;
(ii) To ensure appropriate State regulation of insurance and health plans;
(iii) For State reporting on health care delivery or costs; or
(iv) For other purposes related to improving the Medicare program, the Medicaid
program, or the efficiency and effectiveness of the health care system; or
(2) Addresses controlled substances.
(b) The provision of State law relates to the privacy of health information and is
more stringent than a standard, requirement, or implementation specification
adopted under subpart E of part 164 of this subchapter.
(c) The provision of State law, or the State established procedures, are
established under a State law providing for the reporting of disease or injury,
child abuse, birth, or death, or for the conduct of public health surveillance,
investigation, or intervention.
(d) The provision of State law requires a health plan to report, or to provide
access to, information for the purpose of management audits, financial audits,
program monitoring and evaluation, facility licensure or certification, or
individual licensure or certification.
AMC Explanation of HIPAA Regulation
HIPAA's privacy rule is a floor above which more stringent state law applies. HIPAA's security
rule, on the other hand, supersedes conflicting state law.