In some instances, trading partners have stated that they must implement specific aspects of HIPAA transactions differently than is stated in the guide, or include/require information that is not documented in the guide (or for locations like the K3 segment and Portal approved uses). In those cases, the trading partner is stating the the state regulation superceeds the Federal HIPAA requirement.
Can you provide guidance on the validity of this statement, and what actions can be taken if this is invalid?
This is a policy issue that must be handled by the Department of Health and Human Services. The original Federal rule dated August 17th, 2000 (45 CFR Parts 160 and 162 - Health Insurance Reform: Standards for Electronic Transactions; Announcement of Designated Standard Maintenance Organizations; Final Rule and Notice) provided the following guidance in section 1 - Background:
"Under section 1178 of the Act, the
provisions of part C of title XI of the
Act, as well as any standards or
implementation specifications adopted
under them, generally supersede
contrary provisions of State law.
However, the Secretary may make
exceptions to this general rule if she
determines that the provision of State
law is necessary to prevent fraud and
abuse, ensure appropriate State
regulation of insurance and health
plans, or for State reporting on health
care delivery or costs, among other
things. In addition, contrary State laws
relating to the privacy of individually
identifiable health information are not
preempted if more stringent than the
related federal requirements. Finally,
contrary State laws relating to certain
activities with respect to public health
and regulation of health plans are not
preempted by the standards adopted
under Part C or section 264 of Public
Law 104–191."
Each situation may vary as to compliance based upon the details.
Beyond this, suspected violations that can't be resolved between trading partners or with the related state agency should be submitted as complaints to the Centers for Medicare & Medicaid Services’ Office of E-Health Standards and Services (OESS). To file a complaint, go to the CMS website.