                           PUBLISHED

UNITED STATES COURT OF APPEALS
                FOR THE FOURTH CIRCUIT


SOUTH CAROLINA MEDICAL                  
ASSOCIATION; PHYSICIANS CARE
NETWORK; J. CAPERS HIOTT, M.D.;
JOHN R. ROSS, M.D.; GORDON E.
PENNEBAKER, M.D.; CAROL S.
NICHOLS, M.D.; DANNETTE F.
MCALHANEY, M.D.; HERBERT
MOSKOW, M.D.; LOUISIANA STATE
MEDICAL SOCIETY,
               Plaintiffs-Appellants,           No. 02-2001

                 v.
TOMMY G. THOMPSON, sued as
Secretary of the U.S. Department of
Health and Human Services; U.S.
DEPARTMENT OF HEALTH & HUMAN
SERVICES,
               Defendants-Appellees.
                                        
           Appeal from the United States District Court
          for the District of South Carolina, at Columbia.
                  Terry L. Wooten, District Judge.
                         (CA-01-2965-3-25)

                      Argued: January 23, 2003

                      Decided: April 25, 2003

        Before WILKINS, Chief Judge, and TRAXLER and
                  GREGORY, Circuit Judges.



Affirmed by published opinion. Judge Traxler wrote the opinion, in
which Chief Judge Wilkins and Judge Gregory joined.
2               SOUTH CAROLINA MEDICAL v. THOMPSON
                             COUNSEL

ARGUED: Terry Edward Richardson, Jr., RICHARDSON, PAT-
RICK, WESTBROOK & BRICKMAN, L.L.C., Barnwell, South Car-
olina, for Appellants. Alex Michael Azar, II, U.S. DEPARTMENT
OF HEALTH & HUMAN SERVICES, Washington, D.C., for Appel-
lees. ON BRIEF: Daniel S. Haltiwanger, RICHARDSON, PAT-
RICK, WESTBROOK & BRICKMAN, L.L.C., Barnwell, South
Carolina, for Appellants. Robert D. McCallum, Jr., Assistant Attorney
General, J. Strom Thurmond, Jr., United States Attorney, Mark B.
Stern, Charles W. Scarborough, Sambhav N. Sankar, Appellate Staff,
Civil Division, UNITED STATES DEPARTMENT OF JUSTICE,
Washington, D.C., for Appellees.


                             OPINION

TRAXLER, Circuit Judge:

   Appellants, South Carolina Medical Association, Physicians Care
Network, and several individual doctors, filed suit seeking to have
declared unconstitutional several provisions of the Health Insurance
Portability and Accountability Act of 1996 ("HIPAA"), Pub. L. No.
104-191, 110 Stat. 1936 (1996). Because Congress laid out an intelli-
gible principle in HIPAA to guide agency action, we reject appel-
lants’ claim that the statute impermissibly delegates the legislative
function. We also conclude that regulations promulgated pursuant to
HIPAA are not beyond the scope of the congressional grant of author-
ity, and that neither the statute nor the regulations are impermissibly
vague. Accordingly, we affirm.

                                  I.

   Recognizing the importance of protecting the privacy of health
information in the midst of the rapid evolution of health information
systems, Congress passed HIPAA in August 1996. HIPAA’s Admin-
istrative Simplification provisions,1 sections 261 through 264 of the
statute, were designed to improve the efficiency and effectiveness of
the health care system by facilitating the exchange of information
with respect to financial and administrative transactions carried out by
health plans, health care clearinghouses, and health care providers
who transmit information in connection with such transactions. The
preamble to the Administrative Simplification provisions clarifies this
goal:

     It is the purpose of this subtitle to improve the Medicare
     program . . ., the medicaid program . . ., and the efficiency
     and effectiveness of the health care system, by encouraging
     the development of a health information system through the
     establishment of standards and requirements for the elec-
     tronic transmission of certain health information.

HIPAA § 261, 110 Stat. 2021.

   To this end, Congress instructed the United States Department of
Health and Human Services ("HHS") to adopt uniform standards "to
enable health information to be exchanged electronically." 42
U.S.C.A. § 1320d-2(a)(1). Congress directed HHS to adopt standards
for unique identifiers to distinguish individuals, employers, health
care plans, and health care providers across the nation, see 42
U.S.C.A. § 1320d-2(b)(1), as well as standards for transactions and
data elements relating to health information, see 42 U.S.C.A.
§ 1320d-2(a), (c) & (f), the security of that information, see 42
U.S.C.A. § 1320d-2(d), and verification of electronic signatures, see
42 U.S.C.A. § 1320d-2(e).

  1
   Subtitle F of Title II of HIPAA consists of sections 261 through 264.
HIPAA § 262 amends Title XI of the Social Security Act, 42 U.S.C.
§ 1301 et seq., to add a Part C, entitled "Administrative Simplification,"
with sections 1171-1179, codified at 42 U.S.C.A. § 1320d through
§ 1320d-8 (West Supp. 2002). Section 261 is found as a note to 42
U.S.C.A. § 1320d. Section 264 is found as a note to 42 U.S.C.A.
§ 1320d-2. Section 263 amends the Public Health Service Act, at 42
U.S.C.A. § 242k(k) (West Supp. 2002).

   Within the Administrative Simplification section, Congress
included another provision — section 264 — outlining a two-step
process to address the need to afford certain protections to the privacy
of health information maintained under HIPAA. First, section 264(a)
directed HHS to submit to Congress within twelve months of
HIPAA’s enactment "detailed recommendations on standards with
respect to the privacy of individually identifiable health information."
HIPAA § 264(a), 110 Stat. 2033. Second, if Congress did not enact
further legislation pursuant to these recommendations within thirty-
six months of the enactment of HIPAA, HHS was to promulgate final
regulations containing such standards. Specifically, section 264(c)(1)
provided:

    If legislation governing standards with respect to the privacy
    of individually identifiable health information transmitted in
    connection with the transactions described in section
    1173(a) of the Social Security Act (as added by section 262)
    is not enacted by [August 21, 1999], the Secretary of Health
    and Human Services shall promulgate final regulations con-
    taining such standards not later than [February 21, 2000].
    Such regulations shall address at least the subjects described
    in subsection (b).

HIPAA § 264(c)(1), 110 Stat. 2033. The subjects Congress directed
HHS to cover in promulgating privacy regulations included the fol-
lowing: "(1) The rights that an individual who is a subject of individu-
ally identifiable health information should have. (2) The procedures
that should be established for the exercise of such rights. (3) The uses
and disclosures of such information that should be authorized or
required." HIPAA § 264(b), 110 Stat. 2033. Through individual pro-
visions of HIPAA, Congress outlined whom the regulations were to
cover, see 42 U.S.C.A. § 1320d-1(a); what information was to be cov-
ered, see 42 U.S.C.A. § 1320d(6) (defining "individually identifiable
health information"); what types of transactions were to be covered,
see 42 U.S.C.A. § 1320d-2(a)(2); what penalties would accrue for
violations of HIPAA, see 42 U.S.C.A. §§ 1320d-5, 1320d-6; and what
time lines and standards would govern compliance with the Act, see
42 U.S.C.A. §§ 1320d-3, 1320d-4.

  Finally, section 264(c)(2) provided that the privacy regulations pro-
mulgated by HHS "shall not supercede a contrary provision of State
law, if the provision of State law imposes requirements, standards, or
implementation specifications that are more stringent than the
requirements, standards, or implementation specifications imposed
under the regulation." HIPAA § 264(c)(2), 110 Stat. 2033-34 (empha-
sis added).

   Pursuant to Congress’s mandate, HHS submitted recommendations
for protecting the privacy of individually identifiable health informa-
tion in September 1997. Several detailed and comprehensive medical
privacy bills were thereafter introduced; however, Congress did not
pass any additional legislation. For its part, HHS followed Congress’s
directive and drafted regulations that appeared in a November 1999
Notice of Proposed Rulemaking. The proposed regulations drew more
than 50,000 comments from affected parties. After several further
proposals and amendments were published, HHS promulgated final
regulations in February 2001, collectively the "Privacy Rule."
Although the effective date of the Privacy Rule was set for April 14,
2001, entities covered by the regulations were given until April 14,
2003, to comply, while some smaller entities were granted an addi-
tional year.

   Appellants sought declaratory relief from provisions of HIPAA and
the accompanying Privacy Rule promulgated by HHS. The district
court dismissed the action and this appeal followed. Appellants argue
that 1) HIPAA violates the non-delegation doctrine by authorizing
HHS to promulgate the regulations at issue in the absence of an intel-
ligible principle from Congress; 2) the Privacy Rule exceeds the
scope of authority granted to HHS under HIPAA; and 3) HIPAA’s
non-preemption of "more stringent" state privacy laws is unconstitu-
tionally vague, in violation of the Due Process Clause of the Fifth
Amendment. We address each of these issues in turn.

                                  II.

                                  A.

   The first issue is whether HIPAA violates the non-delegation doc-
trine. "In a delegation challenge, the constitutional question is
whether the statute has delegated legislative power to [an] agency" of
the executive branch. Whitman v. American Trucking Ass’ns, Inc.,
531 U.S. 457, 472 (2001). The doctrine is "rooted in the principle of
separation of powers that underlies our tripartite system of govern-
ment." Mistretta v. United States, 488 U.S. 361, 371 (1989). The first
lines of the Constitution set forth that "[a]ll legislative Powers herein
granted shall be vested in a Congress of the United States." U.S.
Const. art. I, § 1. Thus, from our nation’s earliest days, "the integrity
and maintenance of the system of government ordained by the Consti-
tution [has] mandate[d] that Congress generally cannot delegate its
legislative power to another Branch." Mistretta, 488 U.S. at 371-72
(citation omitted).

   In tension with this constitutional directive is the practical require-
ment that Congress turn to the other branches of government for
assistance in carrying out its general legislative policies: "[O]ur juris-
prudence has been driven by a practical understanding that in our
increasingly complex society, replete with ever changing and more
technical problems, Congress simply cannot do its job absent an abil-
ity to delegate power under broad general directives." Id. at 372; see
also American Power & Light Co. v. S.E.C., 329 U.S. 90, 105 (1946)
(acknowledging that the "legislative process would frequently bog
down if Congress were constitutionally required to appraise before-
hand the myriad situations to which it wishes a particular policy to be
applied and to formulate specific rules for each situation").

   The Supreme Court has outlined an approach to determining the
difference between prohibited delegation and necessary cooperation
between coordinate branches: "In determining what [Congress] may
do in seeking assistance from another branch, the extent and character
of that assistance must be fixed according to common sense and the
inherent necessities of the governmental co-ordination." J.W. Hamp-
ton, Jr. & Co. v. United States, 276 U.S. 394, 406 (1928). This
approach dictates that where Congress "lay[s] down by legislative act
an intelligible principle to which the person or body authorized to
[exercise the assigned duty] is directed to conform, such legislative
action is not a forbidden delegation of legislative power." Id. at 409
(emphasis added). The Court has held that a delegation of legislative
power will be found "constitutionally sufficient if Congress clearly
delineates the general policy, the public agency which is to apply it,
and the boundaries of this delegated authority." Mistretta, 488 U.S. at
372-73 (internal quotation marks omitted). These three factors make
up the test for determining whether an intelligible principle lies
behind the conferral of authority from Congress to an agency.

   The government does not bear an onerous burden in demonstrating
the existence of an intelligible principle. Since A.L.A. Schechter Poul-
try Corp. v. United States, 295 U.S. 495 (1935), and Panama Refining
Co. v. Ryan, 293 U.S. 388 (1935), the Supreme Court has not struck
down a statute for an impermissible delegation. See American Truck-
ing Ass’ns, 531 U.S. at 474 ("In the history of the Court we have
found the requisite ‘intelligible principle’ lacking in only two statutes,
one of which [Panama Refining] provided literally no guidance for
the exercise of discretion, and the other of which [A.L.A. Schechter]
conferred authority to regulate the entire economy on the basis of no
more precise a standard than stimulating the economy by assuring
‘fair competition.’"). Rather, Congress has been able to delegate
authority under "broad standards." Mistretta, 488 U.S. at 373; see,
e.g., Lichter v. United States, 334 U.S. 742, 785-86 (1948) (upholding
delegation of authority to determine excessive profits); American
Power, 329 U.S. at 105-06 (upholding delegation to SEC to prevent
unfair or inequitable distribution of voting power among security
holders); Yakus v. United States, 321 U.S. 414, 426-27 (1944)
(upholding delegation to price administrator to fix commodity prices
that would be fair and equitable); National Broadcasting Co. v.
United States, 319 U.S. 190, 225-26 (1943) (upholding delegation to
FCC to regulate broadcast licensing as public interest, convenience,
or necessity require). The only limiting factor in each case has been
the presence of an intelligible principle behind the congressional dele-
gation.

   In light of this guidance, we conclude that HIPAA also contains the
requisite intelligible principle necessary to survive a non-delegation
challenge. Specifically, there are at least three sources within HIPAA
that provide intelligible principles outlining and limiting the Congres-
sional conferral of authority on HHS. First, the language of the statute
mandates that HHS implement regulations addressing three particular
subjects: "(1) [t]he rights that an individual who is a subject of indi-
vidually identifiable health information should have"; "(2) [t]he pro-
cedures that should be established for the exercise of such rights"; and
"(3) [t]he uses and disclosures of such information that should be
authorized or required." HIPAA § 264, 110 Stat. 2033. The question
is whether these amount to a statement of "general policy" by Con-
gress. We believe that they do, particularly when read in connection
with the second source — namely section 261, the preamble to the
statute — which sets forth the general purpose of HIPAA as "improv-
[ing] the Medicare program . . ., the medicaid program . . ., and the
efficiency and effectiveness of the health care system, by encouraging
the development of a health information system through the establish-
ment of standards and requirements for the electronic transmission of
certain health information." HIPAA § 261, 110 Stat. 2021. Section
262 further refines this goal by requiring that the Privacy Rule "be
consistent with the objective of reducing the administrative costs of
providing and paying for health care." HIPAA § 262, 110 Stat. 2023
(codified at 42 U.S.C.A. § 1320d-1(b)). The third source of an intelli-
gible principle is Congress’s limitation of the Privacy Rule to commu-
nications of listed information by particular covered entities. As noted
above, individual provisions of HIPAA outline whom the Privacy
Rule was to cover, see 42 U.S.C.A. § 1320d-1(a); what information
was to be covered, see § 1320d(6) (defining "individually identifiable
health information"); what types of transactions were to be covered,
see § 1320d-2(a)(2); what penalties would accrue for violations of
HIPAA, see §§ 1320d-5, 1320d-6; and what time lines and standards
would govern compliance with HIPAA, see §§ 1320d-3, 1320d-4. We
agree with the district court that, taken together, the provisions of
HIPAA provide a general policy, describe the agency in charge of
applying that policy, and set boundaries for the reach of that agency’s
authority — all in keeping with the intelligible principle test. See
American Power, 329 U.S. at 105 (holding a statute is "constitution-
ally sufficient" if it meets these three requirements). Thus, we con-
clude that HIPAA is "well within the outer limits of our
nondelegation precedents." American Trucking Ass’ns, 531 U.S. at
474.

   Although appellants argue that the present case is indistinguishable
from Panama Refining, one of only two cases in which the Supreme
Court has invalidated a statute on the basis of an unconstitutional del-
egation, we disagree. In Panama Refining, the Court found that the
challenged portion of the statute at issue, section 9(c) of the National
Industrial Recovery Act ("NIRA"), did not provide the President with
any mandate, but rather authorized him to pass a prohibitory law. See
Panama Refining, 293 U.S. at 405-412. That is, the Court found that
Congress had offered no guidance in NIRA as to whether the Presi-
dent should or should not prohibit the transportation of excess petro-
leum and petroleum products, so-called "hot oil," in interstate
commerce. Rather, the Court noted that "[s]o far as this section is
concerned, it gives to the President an unlimited authority to deter-
mine the policy and to lay down the prohibition, or not to lay it down,
as he may see fit." Id. at 415. Finding no limit on executive discretion
in this substantive provision of NIRA, the Court also looked to the
preamble of the statute and, once again, found no guidance as to
whether "hot oil" was good or bad. See id. at 416-18. Thus, NIRA
"provided literally no guidance for the exercise of discretion." Ameri-
can Trucking Ass’ns, 531 U.S. at 474. By contrast, in the case before
us we have a clear mandate from Congress directing HHS to act in
accordance with the intelligible principles set forth in HIPAA. Fur-
ther, there are clear limits upon the scope of that authority and the
type of entities whose actions are to be regulated.

   Finally, we find unavailing appellants’ position that Congress
unconstitutionally relinquished its lawmaking function by mandating
that final regulations governing standards with respect to the privacy
of individually identifiable health information be promulgated within
thirty-six months of HIPAA’s enactment if no further legislation on
the subject were enacted. We do not agree that this approach amounts
to an abdication. Rather, the procedures outlined by Congress estab-
lish a more explicit oversight mechanism than usually accompanies
a rulemaking mandate imposed upon an agency. In conveying rule-
making authority, Congress always reserves the right — indeed, never
relinquishes the right — to engage in further lawmaking. As
described above, Congress did not abdicate its legislative responsibil-
ity in passing HIPAA, but outlined a broad set of principles to guide
HHS action. See Yakus, 321 U.S. at 426 ("Only if we could say that
there is an absence of standards for the guidance of the Administra-
tor’s action . . . would [we] be justified in overriding its choice of
means for effecting its declared purpose."). Animated by these princi-
ples, HHS was directed first to offer recommendations within a year
of HIPAA’s enactment. That Congress did not enact additional mea-
sures in light of these recommendations indicates the legislature’s sat-
isfaction with HHS’s proposed approach to protecting the privacy of
individually identifiable health information. This decision did not, and
does not, limit Congress’s ability to revisit the issue, change the direc-
tion or scope of the statute or rules, or wholly undo the regulatory
scheme HHS has established pursuant to HIPAA.

  For these reasons, we conclude that HIPAA does not violate the
non-delegation doctrine.

                                  B.

   Appellants’ second argument is that section 264(c) of HIPAA lim-
its HHS to regulating only electronic records transmitted in connec-
tion with section 1173(a) of the Social Security Act, see 42 U.S.C.A.
§ 1320d-2(a), yet HHS impermissibly expanded HIPAA’s scope to
cover not only electronic transactions, but "every form of information
for all Americans held by covered entities." Appellants’ Brief at 7.
The government responds that neither section 264(c), nor other por-
tions of the Administrative Simplification section to which it refers,
limits HHS’s authority to regulating purely electronic information.
The government also contends that during the rulemaking process
HHS decided that protecting only electronic information would not
adequately safeguard patient privacy and that it would be burdensome
and ultimately unworkable to distinguish the same information in var-
ious stages and formats that could be kept in electronic or non-
electronic form.

  The disputed section includes a broad grant of authority from Con-
gress to HHS as to the regulation of medical information. Section
264(c)(1) states in pertinent part as follows:

     If legislation governing standards with respect to the privacy
     of individually identifiable health information transmitted in
     connection with the transactions described in section
     1173(a) of the Social Security Act (as added by Section 262)
     is not enacted by [August 21, 1999], the Secretary of Health
     and Human Services shall promulgate final regulations con-
     taining such standards not later than [February 21, 2000].

HIPAA § 264(c)(1), 110 Stat. 2033. In describing what kind of infor-
mation is to be protected, Congress expressly defined "health infor-
mation" to include any information, "whether oral or recorded in any
form or medium." 42 U.S.C.A. § 1320d(4) (emphasis added). The def-
inition of "individually identifiable health information" — a subset of
"health information" — contains no language limiting its reach to
electronic media.2 Thus, the plain language of HIPAA indicates that
HHS could reasonably determine that the regulation of individually
identifiable health information should include non-electronic forms of
that information.

   Although appellants argue that the reference in HIPAA § 264(c)(1)
to information "transmitted in connection with section 1173(a)" limits
the scope of the regulations solely to electronic transactions, another
reasonable reading is that section 1173(a) directs HHS to develop
"standards for transactions, and data elements for such transactions,
to enable health information to be exchanged electronically." 42
U.S.C.A. § 1320d-2(a)(1) (emphasis added). Thus, the focus is on
enabling electronic portability, not simply on regulating purely elec-
tronic activity. This reading is bolstered by the fact that transactions
listed in connection with section 1173(a) are not described in terms
that limit their scope to electronic media, but rather include transac-
tions with respect to "[e]nrollment and disenrollment in a health
plan," "[h]ealth care payment and remittance advice," and "[h]ealth
plan premium payments" — terms that do not invite the limitation to
a purely electronic scheme. 42 U.S.C.A. § 1320d-2(a)(2)(C), (E) and
(F).

  2
   The phrase "individually identifiable health information" refers to
information that:
      (B) relates to the past, present, or future physical or mental
      health or condition of an individual, the provision of health care
      to an individual, or the past, present, or future payment for the
      provision of health care to an individual, and-
          (i)   identifies the individual; or
          (ii) with respect to which there is a reasonable basis to
          believe that the information can be used to identify the indi-
          vidual.
42 U.S.C.A. § 1320d(6)(B).

   The validity of a regulation promulgated by an agency pursuant to
a congressional mandate is to be sustained so long as it is "reasonably
related to the purposes of the enabling legislation under which it was
promulgated." Thorpe v. Housing Auth. of the City of Durham, 393
U.S. 268, 280-81 (1969); see Chevron U.S.A., Inc. v. Natural Res.
Def. Council, Inc., 467 U.S. 837, 844 (1984). Regulating non-
electronic as well as electronic forms of health information effectu-
ates HIPAA’s intent to promote the efficient and effective portability
of health information and the protection of confidentiality. If coverage
were limited to electronic data, there would be perverse incentives for
entities covered by the rule to avoid the computerization and portabil-
ity of any medical records. Such a development would utterly frus-
trate the purposes of HIPAA. HHS’s interpretation of the scope of the
grant of authority given by Congress is not inconsistent with the lan-
guage of the statute and is reasonably related to the larger purposes
of HIPAA. The agency reasonably determined that regulating health
information in such a way as to foster effective and efficient elec-
tronic transmission requires that the rule encompass paper records.

                                    C.

   Appellants’ final argument is that HIPAA’s non-preemption provision,
which provides for the preemption of state laws unless they are
"more stringent" than HIPAA, is impermissibly vague because it nec-
essarily calls for subjective judgments on the part of health care pro-
viders, who face jail or fines for incorrect determinations. Contending
that it fails to provide fair notice or minimal guidelines to covered
entities and individuals, appellants argue that the statute violates the
Due Process Clause of the Fifth Amendment.3

  3
    The government contends that the vagueness challenge is unripe
because "the non-preemption provision has not been applied to plaintiffs
in any concrete way that would permit a fair assessment of its clarity in
the proper context." Brief of Appellees at 31. See Lyng v. Northwest
Indian Cemetery Protective Ass’n, 485 U.S. 439, 445 (1988) (holding
that courts should "avoid reaching constitutional questions in advance of
the necessity of deciding them"); Commonwealth of Virginia v. Browner,
80 F.3d 869, 881 n.6 (4th Cir. 1996) (holding that a constitutional chal-
lenge to sanctions in the Clean Air Act was not ripe for review because
the threat of sanctions had not been felt by plaintiffs "in a concrete way"
(internal quotation marks omitted)). We disagree. "Ripeness depends on
the fitness of the issues for judicial decision and the hardship to the par-
ties of withholding court consideration." Bituminous Coal Operators’
Ass’n v. Secy. of Interior, 547 F.2d 240, 244 (4th Cir. 1977) (internal
quotation marks omitted). We believe both requirements are met here.

    The Court has stated that "[i]t is a basic principle of due process
that an enactment is void for vagueness if its prohibitions are not
clearly defined." Grayned v. City of Rockford, 408 U.S. 104, 108
(1972). A challenged statutory provision will survive scrutiny "unless
it is so unclear with regard to what conduct is prohibited that it may
trap the innocent by not providing fair warning, or it is so standardless
that it enables arbitrary and discriminatory enforcement." Greenville
Women’s Clinic v. South Carolina Dep’t of Health & Envtl. Control,
317 F.3d 357, 366 (4th Cir. 2002) (internal quotation marks omitted).

  The disputed preemption provision is found in section 264(c)(2)
and states as follows:

    A regulation promulgated under paragraph (1) shall not
    supercede a contrary provision of State law, if the provision
    of State law imposes requirements, standards, or implemen-
    tation specifications that are more stringent than the require-
    ments, standards, or implementation specifications imposed
    under the regulation.

HIPAA § 264(c)(2), 110 Stat. 2033-34 (emphasis added). In order to
determine what state laws will be preempted under HIPAA, we look
to the regulations promulgated pursuant to the non-preemption provi-
sion. See Village of Hoffman Estates v. Flipside Hoffman Estates,
Inc., 455 U.S. 489, 504 (1982) (holding that "administrative regula-
tion will often suffice to clarify a standard with an otherwise uncer-
tain scope").

   According to the regulations promulgated by HHS, a state law is
"more stringent" than HIPAA if it "provides greater privacy protec-
tion for the individual who is the subject of the individually identifi-
able health information." 45 C.F.R. § 160.202 (2002). To further
clarify this standard, the regulation explains that a state law is "more
stringent" where it meets one or more of the following criteria: the
state law prohibits or restricts a use or a disclosure of information
where HIPAA would allow it; the state law provides an individual
with "greater rights of access or amendment" to his medical informa-
tion than provided under HIPAA; the state law provides an individual
with a "greater amount of information" about "a use, a disclosure,
rights, and remedies"; the state law provides for the retention or
reporting of more detailed information or for a longer duration; or the
state law "provides greater privacy protection for the individual who
is the subject of the individually identifiable health information." 45
C.F.R. § 160.202. These criteria will doubtless call for covered enti-
ties to make some common sense evaluations and comparisons
between state and federal laws, but this does not mean they are either
vague or constitutionally infirm. Because the regulations are suffi-
ciently definite to give fair warning as to what will be considered a
"more stringent" state privacy law, we affirm the district court’s deci-
sion on this issue as well.4

                                    III.

   For the foregoing reasons, the judgment of the district court grant-
ing the motion to dismiss is hereby affirmed.

                                                              AFFIRMED

  4
   We summarily dispense with appellants’ argument that the Privacy
Rule will chill patients’ rights of free speech, as we find this claim to be
without merit.
