Stricter State Laws Go Beyond HIPAA Compliance

With the healthcare landscape constantly shifting, the intersection of federal and state privacy laws has become a minefield for employers and healthcare providers. We’re joined by Ling-Yi Tsai, an HRTech expert with decades of experience helping organizations navigate complex regulatory environments. Ling-Yi specializes in the practical application of technology and policy to solve compliance challenges, making her the perfect guide through this intricate topic.

This conversation will explore the often-overlooked nuances of HIPAA preemption, delving into how “more stringent” state laws are reshaping patient privacy. We’ll discuss the real-world operational hurdles that arise from these varying standards, from patient record access deadlines to new consent requirements. Furthermore, we will examine the critical steps organizations must take to protect sensitive health information, particularly concerning reproductive and gender-affirming care, and prepare for the fast-approaching 2026 compliance deadline.

Given the upcoming 2026 deadline for updating Notices of Privacy Practices, could you explain “floor preemption” under HIPAA? What are the immediate first steps a covered entity should take to analyze how more demanding state laws will impact their updated forms and day-to-day operations?

Think of “floor preemption” as HIPAA setting the minimum standard—the ground floor—for privacy protection. It establishes a baseline that everyone must meet, but it explicitly allows states to build upon that foundation with stronger, more protective laws. This is quite different from “ceiling preemption,” where a federal law would set the absolute maximum standard and forbid states from adding any extra rules. Because HIPAA is a floor, we’re seeing this explosion of state-level legislation that creates a much more complex compliance puzzle. The first, most critical step for any covered entity is to conduct a thorough legal inventory. You can’t just assume HIPAA compliance is enough. You need to identify every state you operate in and meticulously review its constitution, statutes, and regulations related to health information privacy to see where they diverge from and go beyond HIPAA. This analysis is the bedrock for updating your NPP and, more importantly, your actual practices.

When a state law is considered “more stringent” than HIPAA, it might demand more specific consent standards or expand an individual’s rights. Can you share a practical example of how these different requirements create operational challenges for a multi-state healthcare provider and how they typically resolve them?

Absolutely. Imagine a large hospital system with facilities in Nevada, Montana, and a state that just follows the standard HIPAA timeline. Under HIPAA, they have 30 days to respond to a patient’s request for their records. But in Montana and Nevada, that deadline shrinks to just 10 days. Suddenly, the centralized health information management department can’t use a single, standardized workflow. The request intake process must immediately flag the patient’s location. The request from the patient in Nevada has to be escalated and put on a fast track, while the others follow a different timeline. Operationally, this is a nightmare. To resolve this, providers often adopt the most restrictive standard across the board. In this case, they might re-engineer their entire workflow to meet the 10-day turnaround for everyone. It’s more resource-intensive upfront, but it minimizes the risk of non-compliance and simplifies staff training, preventing a costly mistake.

Some states have passed laws protecting health information related to reproductive or gender-affirming care from out-of-state investigations. What specific policies and staff training protocols should a covered entity implement to ensure compliance with both these state shield laws and their HIPAA obligations?

This is an area where proactive policy development is crucial. A covered entity in a state like Colorado needs a very specific protocol for handling any legal requests for patient records, especially those from out-of-state. The first policy is a mandatory legal review. No information should be released in response to an out-of-state subpoena or warrant without clearance from the legal department. This team must be trained to scrutinize the request to determine if it’s seeking to impose liability for care that is legally protected in Colorado. Staff training then becomes paramount. Your front-desk staff, your records department, everyone needs to be trained to recognize these sensitive requests and immediately escalate them. They need to understand that their standard HIPAA disclosure procedure has a major exception here and that improperly releasing this information could violate state law and put both the patient and the organization at significant risk.

States like Montana and Nevada have significantly shorter deadlines for providing patient access to health records than HIPAA. Could you detail the workflow changes a clinic might need to make to meet a 10-day turnaround and what metrics they should track to ensure consistent compliance?

Meeting a 10-day deadline requires a complete re-engineering of the typical records request process. The moment a written request is received, a clock starts ticking. The workflow change begins with intake; staff must be trained to log the request and its deadline into a tracking system immediately. The request needs to be digitally routed to the health information management team within hours, not days. Any manual steps, like pulling physical charts, must be prioritized. To ensure consistency, you have to track key metrics relentlessly. I’d advise tracking the average time from request receipt to fulfillment, the percentage of requests completed within 10 days, and the number of requests that required an extension, if the state law even allows for one. These metrics give you a real-time dashboard of your compliance health and highlight bottlenecks in your process before they become violations.

Considering the recent New Mexico law requiring patient consent for nearly all disclosures from electronic records, how does this fundamentally change data-sharing practices? Please walk through the consent verification process a provider in that state must now follow before sharing PHI for a routine purpose.

The New Mexico law is a game-changer because it effectively nullifies many of HIPAA’s permissions for routine disclosures for treatment, payment, and healthcare operations. Before this law, a primary care physician in New Mexico could send a patient’s record to a specialist for a consultation without needing a separate, specific consent form—it was considered part of treatment. Now, that same action requires explicit patient consent. The process has become far more granular. Before sending that electronic record, the provider’s office must first check the patient’s file for a signed consent form that specifically authorizes disclosure to that type of recipient for that specific purpose. If it’s not there, they must stop and obtain it. This means integrating a consent management module into their electronic health record system, training staff to verify consent before every single disclosure, and creating a robust system to track and manage these consents, as they may be revoked at any time.

What is your forecast for state-level health privacy legislation?

I believe we are just at the beginning of a major wave of state-level health privacy legislation. The federal pace on privacy is slow, and states are stepping in to fill the void, driven by consumer demand and specific social issues. We’ll see two major trends. First, more states will enact “shield laws” similar to Colorado’s to protect sensitive health data related to things like reproductive and gender-affirming care. Second, I expect more states to follow New Mexico’s lead in tightening consent requirements, moving away from HIPAA’s broad permissions and toward a model where patients have much more granular control over their data. For healthcare organizations, this means the compliance landscape will only become more fragmented and complex. The strategy of simply being “HIPAA-compliant” is no longer viable; the future is about mastering a patchwork of state-specific rules.
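As an added illustration that is not part of the interview, the deny-by-default disclosure gate below encodes the consent verification process described for New Mexico beside the HIPAA floor that other states follow; the state set, the consent record fields and the rule that every non-routine purpose needs consent are assumptions of this example, not statements of any statute.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed for this example: states whose law requires explicit patient consent even for
# routine treatment/payment/operations (TPO) disclosures from electronic records.
CONSENT_REQUIRED_STATES = {"NM"}
ROUTINE_PURPOSES = {"treatment", "payment", "operations"}


@dataclass
class Consent:
    """Constructed consent record; a real EHR consent module would carry more fields."""
    patient_id: str
    recipient_type: str      # e.g. "specialist", "insurer"
    purpose: str             # e.g. "treatment"
    signed: date
    revoked: Optional[date] = None


def consent_on_file(consents: List[Consent], patient_id: str, recipient_type: str,
                    purpose: str, today: date) -> bool:
    """True only if a signed, unrevoked consent matches this recipient type AND purpose."""
    for c in consents:
        if (c.patient_id == patient_id and c.recipient_type == recipient_type
                and c.purpose == purpose and c.signed <= today
                and (c.revoked is None or c.revoked > today)):
            return True
    return False


def may_disclose(state: str, consents: List[Consent], patient_id: str,
                 recipient_type: str, purpose: str, today: date) -> Tuple[bool, str]:
    """Gate to run before every electronic PHI disclosure; returns (allowed, reason).

    Routine TPO purposes are permitted under the HIPAA floor, but a state in
    CONSENT_REQUIRED_STATES overrides that and demands a matching consent.
    Any non-routine purpose is treated as consent-required (a simplification).
    """
    if purpose in ROUTINE_PURPOSES and state not in CONSENT_REQUIRED_STATES:
        return True, "HIPAA routine TPO disclosure permitted"
    if consent_on_file(consents, patient_id, recipient_type, purpose, today):
        return True, "matching patient consent on file"
    return False, "stop: obtain specific patient consent before disclosure"
```

Because the gate keys on recipient type and purpose and honours revocation dates, a consent signed for a specialist consultation does not silently authorise a disclosure to an insurer, which is the granularity the New Mexico discussion turns on.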
