if hipaa rules are stricter than state law which standard shuld you foolow and why? what if the state law was stricter?

I think you have to follow whichever is stricter, to avoid getting into trouble.

It is legal for states to inact legislation stricter than federal rule of law. That being said, especially when dealing with issues that undoubtedly involve rights to privacy such as hipaa, I would follow the federal rule at a minimum. If you are involved in a state with tougher standards and you fall under those standards (you are in that state or are conducting business in that state), I would certainly follow those mandates. A rule to live by: You don't want to go to jail.