How does the federal baseline affect healthcare communication

According to an interpretation and debate study published by the National Constitution Center, “The core message of the Supremacy Clause is simple: the Constitution and federal laws (of the types listed in the first part of the Clause) take priority over any conflicting rules of state law. This principle is so familiar that we often take it for granted. Still, the Supremacy Clause has several notable features.”

In terms of healthcare data privacy, the federal baseline is established primarily through HIPAA, which sets a minimum standard for privacy protections and permissible uses and disclosures of protected health information (PHI) across the United States. This baseline ensures that, regardless of where a healthcare provider or patient is located, there is a consistent, foundational level of privacy and security for health information. 

In practice, this means healthcare communications, like sharing PHI for treatment, payment, or healthcare operations, must always meet or exceed the requirements set by HIPAA. However, the federal baseline does not prevent states from enacting more stringent laws. When state laws provide greater privacy protections or more robust rights to individuals than HIPAA, those state laws supersede the federal requirements. 

The dual-layered system can create challenges for healthcare providers who operate in multiple states, as they must understand the federal baseline and any applicable, more protective state laws. The federal baseline ultimately serves as a floor, not a ceiling, for privacy protections, ensuring a minimum level of security while allowing states to tailor additional protections to their populations’ needs.

 

How does HIPAA function as a privacy floor?

A Public Health Reports study, ‘Regulation of Information Technology in Behavioral Health’, notes, “HIPAA sets a privacy floor and preempts less stringent state laws. Any state laws that provide greater protection than HIPAA remain in force.” This means that HIPAA establishes the baseline level of privacy and security that all covered entities must meet when handling PHI.

HIPAA explicitly allows states to enact and enforce laws that provide greater privacy protections or grant more extensive rights to individuals than those required by HIPAA. In situations where state law offers more robust privacy safeguards, the state law takes precedence, effectively raising the privacy standard above the federal floor. For example, some states require patient authorization for disclosures of certain types of sensitive health information, such as HIV status or mental health records, even when HIPAA would allow such disclosures without explicit consent. 

This floor approach ensures that no individual receives less protection than what is mandated by HIPAA, while allowing for enhanced privacy in states that choose to go beyond federal requirements.

 

Permitted communication under HIPAA

A chapter from StatPearls titled ‘Health Insurance Portability and Accountability Act (HIPAA) Compliance’ notes, “A covered entity may reveal PHI to facilitate treatment, payment, or healthcare operations without requiring the patient's written authorization.” Treatment encompasses the provision, coordination, or management of healthcare and related services by one or more healthcare providers. Payment involves activities undertaken to obtain reimbursement for the provision of healthcare, such as billing and collection activities. Healthcare operations include a wide range of administrative, financial, legal, and quality improvement activities necessary to run a healthcare organization and ensure proper care. HIPAA also allows disclosures without authorization in certain public interest and benefit activities, such as reporting communicable diseases to public health authorities, disclosures required by law (e.g., reporting child abuse), and disclosures to avert a serious threat to health or safety.

HIPAA permits communications with individuals involved in a patient’s care, provided certain conditions are met. Covered entities must make reasonable efforts to limit the information disclosed to the minimum necessary to accomplish the intended purpose, except for disclosures for treatment.

 

Understanding communication restrictions 

The StatPearls chapter further states, “Disclosures of PHI for marketing purposes, the sale of PHI, or most uses of psychotherapy notes require explicit, written patient consent.” HIPAA also restricts the sharing of PHI with employers, law enforcement, or other third parties unless specific conditions are met or patient authorization is obtained. 

Certain types of sensitive information, such as substance use disorder records, HIV/AIDS status, and genetic information, may be subject to additional federal or state restrictions, further limiting the circumstances under which such information can be disclosed without patient consent. HIPAA’s minimum necessary standard also requires covered entities to limit the amount of information disclosed to the least amount needed to achieve the purpose of the disclosure, except when sharing information for treatment purposes.

 

The impact of the Missouri Planned Parenthood case 

Following the Supreme Court’s Dobbs decision, which returned the authority to regulate abortion to the states, Missouri enacted strict abortion bans and related restrictions. However, after Missouri voters approved a constitutional amendment protecting reproductive freedom (Amendment 3), Planned Parenthood sued to restore abortion access and challenge state laws now in conflict with the state constitution. The legal battle has highlighted the tension between state efforts to access or restrict reproductive health records and federal rules designed to safeguard patient privacy.

In response to Dobbs and subsequent state actions, HHS issued a Final Rule in April 2024, strengthening HIPAA’s privacy protections for reproductive health information. This rule prohibits HIPAA-covered entities from disclosing PHI for the purpose of investigating or prosecuting individuals, providers, or others for seeking, obtaining, or facilitating reproductive health care, particularly when the care was lawful in the state where it was provided. The rule also requires entities to obtain specific attestations before releasing reproductive health PHI for legal or law enforcement purposes, placing additional procedural safeguards on such disclosures.

 

Missouri, joined by other states, opposed the Final Rule, arguing that it interferes with their traditional authority to investigate potential violations of state law and obtain evidence, including medical records, for enforcement actions. Missouri officials contend that these federal restrictions trespass on and interfere with core state powers, effectively raising the federal privacy floor in a way that limits state investigative reach. Recent court decisions in Missouri have reflected this conflict. While state courts have sometimes allowed state officials access to certain Planned Parenthood records not protected by HIPAA, they have also recognized that HIPAA sets a binding federal baseline that cannot be undercut by state law.

The impact of the Missouri Planned Parenthood case, therefore, is to expose and intensify the friction between federal privacy protections, now heightened for reproductive health data, and state efforts to enforce their own laws. The case demonstrates that when federal rules elevate the privacy floor for specific health information, states may find their investigative and enforcement powers curtailed, especially in politically charged areas like reproductive rights.

 

The common misunderstandings about the federal baseline

  • Misconception: HIPAA preempts all state privacy laws, meaning that only HIPAA’s requirements apply. Reality: HIPAA sets a minimum standard, a floor, and states are free to enact laws that provide greater privacy protections or more extensive rights to individuals. 
  • Misconception: Compliance with HIPAA automatically ensures full legal compliance. Reality: Entities must also comply with any applicable, more stringent state laws.
  • Misconception: HIPAA applies to all health-related information. Reality: It only covers PHI held by covered entities and their business associates, leaving certain types of health data outside its scope.
  • Misconception: HIPAA’s breach notification requirements are universally applicable. Reality: State laws may impose stricter or additional notification obligations.

Lastly, there is some confusion about what constitutes a permitted versus a restricted disclosure under HIPAA, leading to either over-disclosure or unnecessary withholding of information.

 

FAQs

Does the federal baseline inhibit the exchange of health information across states?

No, the HIPAA Privacy Rule’s federal baseline facilitates consistent privacy protections for electronic health information exchange across state lines. However, covered entities must also comply with any state-specific laws that provide additional protections.

 

If HIPAA sets the baseline, do covered entities only need to follow HIPAA?

No. Covered entities must comply with HIPAA as the minimum standard, but if a state law is more protective, they must follow the state law as well. This means providers and health plans must be aware of both federal and applicable state requirements.

 

What rights does the federal baseline give to individuals?

HIPAA’s federal baseline grants individuals rights such as accessing their health information, requesting corrections, and controlling certain uses and disclosures of their data. These rights are guaranteed nationwide, but states may expand upon them.

 

How does the federal baseline affect employers and group health plans?

HIPAA prohibits discrimination in group health plan eligibility, benefits, or premiums based on health factors, and ensures portability and nondiscrimination in health coverage.
