Discuss about the relationship between HIPAA and state privacy rules using the preemption doctrine. California privacy and security laws require breach-reporting rules, timelines, and enforcement bodies that are different from HIPAA. As a result, breach-reporting requires different analyses under California statutes.
Do you think California privacy and breach-reporting requirements are more or less strict than HIPAA? Does this necessarily mean that covered entities are more or less HIPAA compliant? How might this impose more stringent requirements on CA-covered entities? Do you see any challenges with this?
