282 Ga. 9
Ga.
2007

Lead Opinion

CARLEY, Justice.

Ernestine Wright filed a medical malpractice action against Dr. Thomas Allen and others (Appellants). In ostensible compliance with OCGA § 9-11-9.2, Ms. Wright executed an authorization to release her medical records, which she filed contemporaneously with her complaint. Appellants moved to dismiss on the ground that the authorization did not satisfy the requirements of OCGA § 9-11-9.2 in several particulars. Appellants’ objections included the failure of the document to authorize their attorneys to communicate with her treating physicians outside the presence of and without prior notification to her lawyer, even though the statute does not expressly provide that the plaintiffs requisite authorization must grant such ex parte discovery rights to the defendant. The trial court denied the motion to dismiss, holding that OCGA § 9-11-9.2 was preempted by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The trial court certified its order for immediate review, and the Court of Appeals granted an interlocutory appeal. That Court affirmed the trial court’s ruling in a brief opinion which noted that the preemption issue had recently been decided adversely to Appellants’ contention in Northlake Medical Center v. Queen, 280 Ga. App. 510 (634 SE2d 486) (2006) and that “the reasoning set forth in Division 2 of that opinion [is] controlling here.” Allen v. Wright, 280 Ga. App. 554, 555 (1) (634 SE2d 518) (2006). See also Crisp Regional Hosp. v. Sanders, 281 Ga. App. 393 (636 SE2d 123) (2006).

Appellants applied for certiorari to review the decision of the Court of Appeals. Because the preemption question was an issue of first impression and certiorari had not been sought in the Northlake Medical Center case, we granted Appellants’ petition.

1. Subsection (a) of OCGA § 9-11-9.2 provides, in relevant part, that

[i]n any action for damages alleging medical malpractice..., contemporaneously with the filing of the complaint, the plaintiff shall be required to file a medical authorization form. Failure to provide this authorization shall subject the complaint to dismissal.

Subsection (b) of the statute specifies that

[t]he authorization shall provide that the attorney representing the defendant is authorized to obtain and disclose protected health information contained in medical records to facilitate the investigation, evaluation, and defense of the claims and allegations set forth in the complaint which pertain to the plaintiff or, where applicable, the plaintiffs decedent whose treatment is at issue in the complaint. This authorization includes the defendant’s attorney’s right to discuss the care and treatment of the plaintiff or, where applicable, the plaintiffs decedent with all of the plaintiffs or decedent’s treating physicians.

Subsection (c) states that

[t]he authorization shall provide for the release of all protected health information except information that is considered privileged and shall authorize the release of such information by any physician or health care facility by which health care records of the plaintiff or the plaintiff s decedent would be maintained.
The intent of HIPAA is “to ensure the integrity and confidentiality of patients’ information and to protect against unauthorized uses or disclosures of the information.” [Cit.] The rules promulgating the standards set forth in HIPAA, which govern the disclosure of “protected health information” by health care providers, are collectively known as “the Privacy Rule.” [Cit.] HIPAA expressly preempts any provision of State law that is contrary to the provisions of HIPAA. [Cits.]

Northlake Medical Center v. Queen, supra at 511-512 (2). The provisions of OCGA § 9-11-9.2 (a) impose a requirement on the plaintiff who brings a medical malpractice action in this state to file a medical authorization form contemporaneously with the complaint. The General Assembly could have expressly provided that the requisite authorization comply with the provisions of HIPAA, but it did not. Thus, the issue becomes whether OCGA § 9-11-9.2, as enacted, is unenforceable because it is preempted by HIPAA. “Where a [S]tate statute conflicts with, or frustrates, federal law, the former must give way. [Cits.]” CSXTransp. v. Easterwood, 507 U. S. 658, 663 (I) (113 SC 1732, 123 LE2d 387) (1993).

As was recognized by the Court of Appeals, in order to comply with HIPAA, a patient’s authorization to disclose protected health information must contain certain elements, one of which is notice of the right to revoke the authorization. Northlake Medical Center v. Queen, supra at 512-513 (2). By its terms, OCGA § 9-11-9.2 does not require that the authorization form contain such a notification provision. Appellants urge that this is immaterial, since the plaintiff is always entitled to dismiss the complaint and thereby revoke the authorization which OCGA § 9-11-9.2 requires accompany it. However, the fallacy in this assertion is that revocation of the authorization is simply the indirect result of dismissal of the lawsuit. HIPAA requires that a patient be expressly informed of the right to revoke the authorization directly. There is a significant difference between the requirement that express notice be given to a medical patient of the right to revoke an authorization of access to protected medical information, and simply recognizing that the exercise of his or her legal right of dismissal of the lawsuit can have an effect similar to a direct revocation of the authorization itself. HIPAA requires that patients be informed of their right to revoke an authorization form. The federal statute does not recognize that the right to dismiss a lawsuit in which the submission of an authorization is a prerequisite is the functional equivalent of informing the patient of his or her right to revoke the authorization itself.

Therefore, we conclude that OCGA § 9-11-9.2 does not sufficiently comply with the HIPAA requirement of notice of the right to revoke.

This Court may construe statutes to avoid absurd results .... [Cit.] However, under our system of separation of powers this Court does not have the authority to rewrite statutes. “(T)he doctrine of separation of powers is an immutable constitutional principle which must be strictly enforced. Under that doctrine, statutory construction belongs to the courts, legislation to the legislature. We can not add a line to the law.” [Cit.]

State v. Fielden, 280 Ga. 444, 448 (629 SE2d 252) (2006).

HIPAA and the related provisions established in the Code of Federal Regulations expressly supercede any contrary provisions of [S]tate law except as provided in 42 U.S.C. § 1320d-7 (a) (2). Under the relevant exception, HIPAA and its standards do not preempt state law if the state law relates to the privacy of individually identifiable health information and is “more stringent” than HIPAA’s requirements. [Cits.]

Law v. Zuckerman, 307 FSupp.2d 705, 708-709 (A) (D. Md. 2004). “ ‘[M]ore stringent’... mean[s] laws that afford patients more control over their medical records.” (Emphasis in original.) Law v. Zuckerman, supra at 709 (A). Because OCGA § 9-11-9.2 fails to impose any express requirement of notification of the right to revoke, it is possible to comply with its provisions while failing to satisfy the more stringent requirements of HIPAA. Therefore, the state statute has been preempted by the federal law. “The Supremacy Clause of the United States Constitution dictates that federal law preempts inconsistent state law. [Cit.]” Poloney v. Tambrands, 260 Ga. 850 (1) (412 SE2d 526) (1991).

2. In addition to the statute’s failure to provide for notice of the right of revocation, the Court of Appeals in Northlake Medical Center v. Queen, supra at 513 (2), found “that the authorization set forth in OCGA § 9-11-9.2 is contrary to HIPAAbecause it does not satisfy the requirements for a valid HIPAA authorization [in several other respects]. [Cit.]” We agree with the holding in that opinion that the failure to require a specific and meaningful identification of the information to be disclosed and the failure to provide for an expiration date or a sufficient expiration event are additional bases which support the conclusion “that OCGA § 9-11-9.2 is contrary to HIPAA and none of the exceptions ... applies, [so] it is preempted by HIPAA. [Cit.]” Northlake Medical Center v. Queen, supra at 514 (2).

3. The dissent cites Buice u. Dixon, 223 Ga. 645 (157 SE2d 481) (1967) in support of the position that OCGA § 9-11-9.2, as presently written, can be construed in harmony with HIPAA. However, OCGA § 9-11-9.2 does not simply provide that the plaintiff in a medical malpractice action must file a medical authorization form, and then leave for necessary implication the incorporation into that form of all HIPAA requirements. Compare Buice v. Dixon, supra (requirement for notice and hearing implied where statute otherwise failed to contain express provision therefor). Instead, in both subsections (b) and (c), the statute sets forth the specified statements and information that the authorization “shall provide,” and there is no dispute that several of the HIPAA requirements are not included in that list of enumerated elements. Thus, the question is whether the courts are authorized to construe OCGA § 9-11-9.2 as mandating that the medical authorization form include those missing HIPAA requirements in addition to those which were specified by the General Assembly.

On pp. 16-17, the dissent states:

[T]he mere absence of a requirement in OCGA § 9-11-9.2 that the authorization contain a statement of the right to revoke, for example, does not render the statute inconsistent with HIPAA, as an authorization could be drafted that includes both the elements required under the state law and also a statement explaining the plaintiffs right to revoke. Likewise, the failure of the state law to require a “specific and meaningful description” of the information to be released does not preclude the inclusion of such description as required by HIPAA, and the failure to require an explicit expiration date or event does not preclude the inclusion of such.

However, this observation fails to take into account that “Georgia law provides that the express mention of one thing in an Act or statute implies the exclusion of all other things. [Cit.]” Abdulkadir v. State, 279 Ga. 122, 123 (2) (610 SE2d 50) (2005).

Pursuant to the principle of statutory construction, “Exprés - sum facit cessare taciturn” (if some things are expressly mentioned, the inference is stronger that those omitted were intended to be excluded) and its companion, the venerable principle, “Expressio unius est exclusio alterius” (“The express mention of one thing implies the exclusion of another”), the list of actions in [a statute] is presumed to exclude actions not specifically listed ([cit.]), and the omission of [additional actions] from [the statute] is regarded by the courts as deliberate. [Cits.]

Alexander Properties Group v. Doe, 280 Ga. 306, 309 (1) (626 SE2d 497) (2006).

The dissent is correct that the established rules of statutory construction require the courts to interpret a statute as valid whenever possible. Banks v. Ga. Power Co., 267 Ga. 602, 603 (481 SE2d 200) (1997); State of Ga. v. Davis, 246 Ga. 761 (1) (272 SE2d 721) (1980). However, where, as here, the General Assembly expressly designated what the plaintiffs medical authorization form “shall provide,” the principle of “expressio unius est exclusio alterius” makes it impossible for the courts to rewrite OCGA § 9-11-9.2 so as to incorporate the missing HIPAA requirements. State v. Fielden, supra; Alexander Properties Group v. Doe, supra. Compare Buice v. Dixon, supra. Otherwise, under the guise of statutory construction, the judiciary would be free to incorporate into state statutes the provisions of any federal statute that it did not deem to be inconsistent. As OCGA § 9-11-9.2 is presently worded, it is possible to satisfy its provisions while failing to comply with the more stringent requirements of HIPAA. State law may provide for more stringent requirements on the disclosure of protected health information than HIPAA does, hut cannot authorize disclosure based upon less stringent requirements than those mandated by the federal law. Law v. Zuckerman, supra. If the state statute is to be amended or rewritten so as not to be preempted by the federal enactment, that is the responsibility of the General Assembly and not the courts.

Judgment affirmed.

All the Justices concur, except Hunstein, P. J., who concurs in part and dissents in part.



Concurrence Opinion

HUNSTEIN, Presiding Justice,

concurring in part and dissenting in part.

While I agree with the majority that subsection (c) of OCGA § 9-11-9.2, which purports to require plaintiffs to authorize release of all their medical information in cases alleging medical malpractice, is preempted by the HIPAA Privacy Rule,1 I do not agree that the remaining provisions of OCGA § 9-11-9.2 are so preempted. Accordingly, I respectfully dissent from that portion of the maj ority’s opinion that holds subsections (a) and (b) of § 9-11-9.2 to be preempted by HIPAA.

Under HIPAA’s preemption provisions, state law may be preempted by the Privacy Rule only if the relevant HIPAA standard is, in the first instance, “contrary to” the state law in question. 45 CFR § 160.203. AHIPAA standard will be deemed “contrary to” a state law if it would be “impossible to comply with both the [s]tate and federal requirements” or “ft]he provision of [s]tate law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of [HIPAA].” 45 CFR § 160.202. Thus, the starting point for analysis herein should be whether it is possible to comply with OCGA § 9-11-9.2 while at the same time complying with the letter and the spirit of HIPAA.

OCGA § 9-11-9.2 (a) prescribes generally that a plaintiff in a medical malpractice action must file a medical authorization form contemporaneous with the complaint. Subsection (b) of the statute prescribes some required content for the authorization: it must authorize the release of the plaintiffs medical records to defense counsel “to facilitate the investigation, evaluation, and defense of the claims and allegations set forth in the complaint”; and it must authorize defense counsel to “discuss the care and treatment of the plaintiff... with all of [his] treating physicians.” OCGA§ 9-11-9.2 (b). Subsection (c) provides further content for the authorization, requiring that it “provide for the release of all protected health information except information that is considered privileged ... by any physician or health care facility by which health care records of the plaintiff... would be maintained.” OCGA§ 9-11-9.2 (c).

Under the reasoning of the majority, which affirms the Court of Appeals’ reliance below on its prior holding in Northlake Medical Center v. Queen, 280 Ga. App. 510 (634 SE2d 486) (2006), OCGA § 9-11-9.2 is preempted because the authorization required thereunder does not comport with the HIPAA requirements for valid authorizations. The Privacy Rule prescribes with specificity the elements required of a valid authorization: (1) a “specific and meaningful” description of the information to be released; (2) identification of the person(s) authorized to release the information; (3) identification of the person(s) authorized to receive the information; (4) statement of the purpose of the release; (5) expiration date or “expiration event that relates to the individual [who is the subject of the medical records] or the purpose of the [release]”; and (6) individual’s signature and date. 45 CFR § 164.508 (c) (1). In addition, the Privacy Rule requires authorizations to include statements “adequate to place the individual on notice of” certain rights such as the individual’s right to revoke the authorization. 45 CFR § 164.508 (c) (2). Notably, the Privacy Rule also states that “[a] valid authorization may contain elements or information in addition to the elements required by this section, provided that such additional elements or information are not inconsistent with the elements required by this section.” 45 CFR § 164.508 (b) (1) (ii).

The Court of Appeals held, and the majority herein affirms, that preemption is required because OCGA§ 9-11-9.2 does not specifically incorporate either literally or by reference the elements required under 45 CFR § 164.508 (c). However, the majority and the Court of Appeals fail to recognize that this omission does not make the state law necessarily inconsistent with HIPAA, as it might be possible to draft an authorization that would comply with both OCGA § 9-11-9.2 and 45 CFR § 164.508 (c). Like the Court of Appeals, the majority appears to equate the absence of certain required elements to a statutory prohibition on their inclusion. However, the mere absence of a requirement in OCGA § 9-11-9.2 that the authorization contain a statement of the right to revoke, for example, does not render the statute inconsistent with HIPAA, as an authorization could be drafted that includes both the elements required under the state law and also a statement explaining the plaintiffs right to revoke.2 Likewise, the failure of the state law to require a “specific and meaningful description” of the information to be released does not preclude the inclusion of such description as required by HIPAA,3 and the failure to require an explicit expiration date or event does not preclude the inclusion of such.4

Contrary to the Court of Appeals’ position in Northlake Medical Center and the majority’s opinion herein, construing OCGA § 9-11-9.2 in harmony with HIPAAby recognizing the possibility of creating an authorization that complies with both does not constitute rewriting the statute. See Buice v. Dixon, 223 Ga. 645 (157 SE2d 481) (1967) (construing statute, which authorized taxpayer’s petition to superior court for relief against county officers for failing to fulfill statutory duties, as implicitly incorporating superior court rules and procedures regarding notice to and service on defendants). Nor does this approach, as the majority contends, “construe OCGA § 9-11-9.2 as mandating that the medical authorization form include those missing HIPAA requirements in addition to those which were specified by the General Assembly.” Majority Op. at 13. Rather, doing so merely recognizes the possibility that a plaintiff may comply with both the state and federal requirements and thereby, in adopting a construction that avoids preemption, makes use of “well established rules of statutory construction requiring a court to construe a statute as valid when possible.” Banks v. Ga. Power Co., 267 Ga. 602, 603 (481 SE2d 200) (1997). See also State v. Davis, 246 Ga. 761, 761-62 (1) (272 SE2d 721) (1980) (“[a] 11 statutes are presumed to be enacted by the legislature with full knowledge of the existing condition of the law and with reference to it; they are to be construed in connection and in harmony with the existing law; and their meaning and effect will be determined in connection, not only with the common law and the Constitution, but also with reference to other statutes and the decisions of the courts”) (punctuation omitted).

The majority invokes the principle of “expressio unius est exclusio alterius” to argue that, because OCGA § 9-11-9.2 (b) and (c) expressly prescribe some required content for the authorization, we must assume that all other potential content is prohibited. Though I have no dispute with the general principle that express mention of a thing in a statute implies exclusion of those things omitted, I also believe this inference may be rebutted where such a construction would render the statute at issue invalid. In other words, in a case where the principle of “expressio unius est exclusio alterius” runs counter to the principle that statutes should be construed to maintain their validity, the former may have to yield to the latter.5

This is particularly true where, as here, there is evidence to support the presumption that the legislature enacted the statute at issue with knowledge of existing law and with the intent that it would coexist in harmony with, rather than be preempted by, such law. Specifically, as correctly recognized in the dissent in Northlake Medical Center,

when OCGA § 9-11-9.2 was enacted[,] existing Georgia law provided that, by filing a medical malpractice complaint, the plaintiff waived the right to privacy in the plaintiff s medical records — without the necessity of waiver by a written medical authorization — to the extent the complaint placed the plaintiffs medical care and treatment... at issue in the civil action.

Northlake Medical Center, 280 Ga. App. at 518 (Andrews, P. J., dissenting). Indeed, at the time OCGA § 9-11-9.2 was enacted, the placing of one’s medical condition at issue in litigation acted as an automatic waiver of a patient’s right to privacy in his medical records related to that condition, OCGA § 24-9-40 (a), 6 and Georgia case law had long reaffirmed this principle. See Orr v. Sievert, 162 Ga. App. 677 (292 SE2d 548) (1982).

It follows that, when the General Assembly enacted OCGA § 9-11-9.2, there was no necessity under existing Georgia law to require that the plaintiff file a written medical authorization with the complaint to establish a waiver of the plaintiffs privacy rights in relevant medical records. There was such a necessity, however, under existing federal law in HIPAA.

Northlake Medical Center, 280 Ga. App. at 518-519 (Andrews, P. J., dissenting). The implication, thus, is that OCGA § 9-11-9.2 was enacted not only with knowledge of, but indeed as a result of, HIPAA, which further supports the notion that the statute should be construed in harmony therewith to the extent possible.7

Notwithstanding the fact that I believe it possible to comply with both OCGA § 9-11-9.2 and the technical requirements in 45 CFR § 164.508 (c) by utilizing an authorization containing all elements required under both enactments, I do not believe it possible to comply with subsection (c) of OCGA § 9-11-9.2 without violating the overall purpose of the Privacy Rule, namely, protecting medical privacy and affording individuals greater control over their own medical information. See 67 Fed. Reg. 53182 (Aug. 14, 2002); 65 Fed. Reg. at 82463-82464. The statute’s requirement that a plaintiff authorize the release of all (non-privileged) medical information, regardless of its relevance to the case, runs afoul of HIPAA’s objectives. Further, the existence of civil discovery rules designed to enforce scope and relevancy limitations does not ameliorate the effects of subsection (c), because the burden would rest with the plaintiff to object to the release of information, the disclosure of which he has already been compelled to authorize. Given that the Privacy Rule was specifically designed to shift control of medical information back to the individual, I believe that subsection (c) “stands as an obstacle to the accomplishment and execution of the full purposes of,” and is thus “contrary to,” the Privacy Rule. See 45 CFR § 160.202.

Havingbeen found “contrary to” HIPAA, OCGA§ 9-11-9.2 (c) will be preempted unless it is “more stringent” than HIPAA’s requirements. 45 CFR § 160.203 (b).8 “More stringent” means, in essence, “providing] greater privacy protection for the individual.” See 45 CFR § 160.202. Given that subsection (c) would clearly provide less protection for individuals’ medical privacy, it is not “more stringent” than HIPAA and thus is preempted.

It should be noted that preserving the validity of OCGA § 9-11-9.2 subsections (a) and (b) while finding subsection (c) to be preempted specifically comports with the intent of the General Assembly, expressed explicitly in enacting the tort reform act of which OCGA § 9-11-9.2 is a part, that

[i]n the event any section, subsection, sentence, clause or phrase of this Act shall be declared or adjudged invalid or unconstitutional, such adjudication shall in no manner affect the other sections, subsections, sentences, clauses, or phrases of this Act, which shall remain of full force and effect as if the [provision] adjudged invalid or unconstitutional were not originally a part hereof.

Ga. L. 2005, p. 1, § 14. See also OCGA§ 1-1-3 (statutes presumed to be severable, such that invalid provisions may be struck without invalidating entire statute). This Court has held that severance of an invalid portion of a statute and preservation of the remaining valid portions is authorized as long as “the remaining portion of the [statute] accomplishes the purpose the legislature intended. [Cits.]” Nixon v. State, 256 Ga. 261, 264 (3) (347 SE2d 592) (1986). Here, it appears the overall purpose of OCGA § 9-11-9.2 was to require an authorization as a threshold condition to the filing of a medical malpractice action, and the striking of subsection (c) does not impair this purpose.9

Decided May 14, 2007. Chambless, Higdon, Richardson, Katz & Griggs, David N. Nelson, Norman C. Pearson III, Martin, Snow, Grant & Napier, John C. Daniel III, for appellants. Savage, Turner, Pinson & Karsman, William H. Pinson, Jr., Zachary H. Thomas, Smith Moore, Lawrence J. Myers, for áppellee. Brinson, Askew, Berry, Seigler & Richardson, Norman S. Fletcher, Love, Willingham, Peters, Gilleland & Monyak, Allen S. Willingham, Robert P. Monyak, Robertson, Bodoh & Nasrallah, Matthew G. Nasrallah, Adams & Adams, Charles R. Adams III, amici curiae.

Accordingly, I would affirm the decision of the Court of Appeals only insofar as it holds subsection (c) of OCGA § 9-11-9.2 to be preempted by HIPAA; reverse as to its holding of preemption as to OCGA § 9-11-9.2 subsections (a) and (b); and remand to the superior court for reconsideration of appellee’s motion to dismiss in light of the foregoing.

Notes

45 CFR Parts 160 & 164. Throughout this opinion the terms “HIPAA Privacy Rule,” “Privacy Rule,” and “HIPAA” are used interchangeably.

Such a statement would have to include an explanation that revocation of the authorization would subject the complaint to dismissal. See OCGA§ 9-11-9.2 (a). Such a consequence would not run afoul of HIPAA, as the drafters of the Privacy Rule made clear in the preamble thereto that there was no intent to “disrupt current practice whereby an individual who is a party to a proceeding and has put his or her medical condition at issue will not prevail without consenting to the production of his or her protected health information.” 65 Fed. Reg. 82462, 82530 (Dec. 28, 2000).

Though the Court of Appeals also held that HIPAA’s “specific and meaningful description” requirement was violated by virtue of the breadth of the information OCGA § 9-11-9.2 requires to be authorized for release, it is clear from the preamble to the Privacy Rule that this requirement is intended to compel specificity of description, rather than limitation on scope, of information sought. See 65 Fed. Reg. at 82517 (“There are no limitations on the information that can be authorized for disclosure. If an individual wishes to authorize [the disclosure of] his or her entire medical record, the authorization can so specify’). However, the breadth of information to be authorized for release under OCGA § 9-11-9.2 is of concern for other reasons, as discussed below.

For example, the authorization could be drafted to expire at the conclusion of the litigation pursuant to which the authorization was filed.

As none of the cases the majority cites in support of its position involved the construction of a statute vis-á-vis another potentially preemptive law, they do not necessarily compel the result the majority advances. See Alexander Properties Group v. Doe, 280 Ga. 306 (1) (626 SE2d 497) (2006) (construing child pornography statute as not prohibiting production of offending materials in judicial proceedings); Abdulkadir v. State, 279 Ga. 122 (2) (610 SE2d 50) (2005) (construing rape shield statute as not applicable in prosecutions for child molestation).

To date, the Legislature has not amended OCGA § 24-9-40 (a).

The legislative history of OCGA § 9-11-9.2 further indicates that those who enacted the statute were cognizant of HIPAA. See Hannah Yi Crockett, Rebecca McArthur & Matthew Walker, Peach Sheet, Torts and Civil Practice, 22 Ga. St. U. L. Rev. 221, 244 (2005).

The Privacy Rule prescribes three other exceptions to preemption, none of which are applicable here. See 45 CFR § 160.203.

In its amicus brief, the Georgia Trial Lawyers Association (“GTLA”) argues that OCGA § 9-11-9.2 is preempted in its entirety to the extent subsection (b) is construed to require the authorization to include a provision permitting ex parte communications between the plaintiffs treating physicians and defense counsel. In holding the statute preempted under the authority of Northlake Medical Center, the Court of Appeals did not reach the merits of this argument, and, therefore, neither do I.