110 STAT. 2030 PUBLIC LAW 104-191—AUG. 21, 1996 "(1) GENERAL RULE.— Except as provided in paragraph (2), a provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1172 through 1174, shall supersede any contrary provision of State law, including a provision of State law that requires medical or health plan records (including billing information) to be maintained or transmitted in written rather than electronic form. "(2) EXCEPTIONS.— ^A provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1172 through 1174, shall not supersede a contrary provision of State law, if the provision of State law— "(A) is a provision the Secretary determines— "(i) is necessary— "(I) to prevent fraud and abuse; "(II) to ensure appropriate State regulation of insurance and health plans; "(III) for State reporting on health care delivery or costs; or "(IV) for other purposes; or "(ii) addresses controlled substances; or "(B) subject to section 264(c)(2) of the Health Insurance Portability and Accountability Act of 1996, relates to the privacy of individually identifiable health information. "(b) PUBLIC HEALTH.— Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention. "(c) STATE REGULATORY REPORTING. —Nothing in this part shall limit the ability of a State to require a health plan to report, or to provide access to, information for management audits, financial audits, program monitoring and evaluation, facility licensure or certification, or individual licensure or certification. "PROCESSING PAYMENT TRANSACTIONS BY FINANCIAL INSTITUTIONS 42 USC l320d-8. "SEC. 1179. To the extent that an entity is engaged in activities of a financial institution (as defined in section 1101 of the Right to Financial Privacy Act of 1978), or is engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments, for a financial institution, this part, and any standard adopted under this part, shall not apply to the entity with respect to such activities, including the following: "(1) The use or disclosure of information by the entity for authorizing, processing, clearing, settling, billing, transferring, reconciling or collecting, a payment for, or related to, health plan premiums or health CEire, where such payment is made by smy means, including a credit, debit, or other payment card, an account, check, or electronic funds transfer. "(2) The request for, or the use or disclosure of, information by the entity with respect to a payment described in paragraph (1)— "(A) for transferring receivables; "(B) for auditing; "(C) in connection with— "(i) a customer dispute; or
�
