The privacy rule in HIPAA, the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936, does not preempt the common-law defense of waiver. Gary Hopkins, a correctional officer with the Department of Correction, was treated at the New England Family Medical and Walk In Center, LLC, by Dr. Kalipatti Balachandran for flu symptoms. Hopkins supplied a copy of his "superbill," an itemized form of medical services, to his employer with handwriting purportedly verifying his absence from work due to illness. Hopkins' shift manager called Family Medical to confirm a date and faxed over the superbill. An office assistant indicated they did not issue notes like that. Dr. Balachandran explained and confirmed by letter, that the superbill was altered after leaving his office and no out of work note issued for Hopkins. Hopkins' employment was terminated. He filed this action against Balachandran and Family Medical, claiming negligence for the improper disclosure of health information. The trial court granted the defendants' summary judgment motion and denied the plaintiff's motion. The plaintiff appealed. The dispositive issue was whether the plaintiff waived his right to claim confidentiality in a medical document improperly disclosed by the defendants to his employer in violation of HIPAA's privacy regulations, when he disclosed previously a different version of the document to his employer. The Appellate Court concluded that the plaintiff waived his right to claim confidentiality in the record and affirmed the judgment. HIPAA's privacy rule did not preempt the common-law defense of waiver, as contended. Under U.S. Department of Health and Human Services regulations regarding preemption, the privacy rule was not "contrary" to state law. For the first definition of "contrary," in 45 C.F.R. §160.202, a court would only begin the preemption analysis if a covered entity was required to act pursuant to both the state and federal laws. The defense of waiver here concerned the plaintiff's actions, not the defendants' actions. The second definition of "contrary" was unmet as the waiver doctrine was not an obstacle to HIPAA's purposes and objectives. The plaintiff filed a complaint with health and human services, HIPAA's sole remedy for a privacy violation. Further, waiver was properly found. The plaintiff voluntarily disclosed the document to his employer without restrictions and could not invoke a privilege for a confidentiality he compromised for his own benefit.