HIPAA is designed to work in tandem with more privacy protective policies, so in those states the entity is required to get the patient's basic consent preference (e.g., the entity must document if the patient wishes to opt-in or opt-out of electronic exchange)..