Northlake Medical Center, LLC v. Queen

634 S.E.2d 486, 280 Ga. App. 510, 2006 Fulton County D. Rep. 2399, 2006 Ga. App. LEXIS 882

• Court: Court of Appeals of Georgia
• Decided: July 13, 2006
• Docket: A06A0540
• Status: Published

Opinions

Ruffin, Chief Judge.

Linda Queen brought a medical malpractice action against North-lake Medical Center, LLC and others. Northlake moved to dismiss the complaint for Queen’s failure to comply with the medical record release requirement of OCGA § 9-11-9.2. The trial court denied the motion, concluding that OCGA § 9-11-9.2 was preempted by the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (“HIPAA”), and thus Queen was not required to file a medical record release authorization in compliance with the Georgia statute. We granted Northlake’s application for interlocutory appeal, as the issue of whether HIPAA preempts OCGA § 9-11-9.2 is one of first impression.

On appeal, Northlake argues that (1) the authorization form filed with Queen’s complaint did not comply with OCGA § 9-11-9.2; and (2) HIPAA does not preempt compliance with that statute. We conduct a de novo review of the trial court’s ruling on a legal question.¹

1. First, we address whether the authorization Queen filed with her complaint satisfies Georgia’s statutory requirements. OCGA § 9-11-9.2 (a) provides that a medical record release authorization form must be filed with the complaint in a medical malpractice action. The statute describes the content of the authorization as follows:

(b) The authorization shall provide that the attorney representing the defendant is authorized to obtain and disclose protected health information contained in medical records to facilitate the investigation, evaluation and defense of the claims and allegations set forth in the complaint which pertain to the plaintiff or, where applicable, the plaintiffs decedent whose treatment is at issue in the complaint. This authorization includes the defendant’s attorney’s right to discuss the care and treatment of the plaintiff or, where applicable, the plaintiffs decedent with all of the plaintiffs or decedent’s treating physicians.

(c) The authorization shall provide for the release of all protected health information except information that is considered privileged and shall authorize the release of such information by any physician or health facility by which health care records of the plaintiff or the plaintiffs decedent would be maintained.²

A medical malpractice complaint unaccompanied by such an authorization is subject to dismissal.³

The authorization which Queen filed with her complaint reprints the above text of the statute in its entirety but does not state that Queen is agreeing to the statutory requirements. In fact, the authorization adopts the opposite position, that the recipient health care provider may provide medical records only to Queen’s attorneys, not to Northlake’s attorneys. The authorization expressly states that Queen “maintains that [HIPAA] preempts State law, including the provisions of OCGA § 9-11-9.2” and advises the recipient that “you are requested not to furnish any of such information, in any form to anyone, without express written authorization from me or my attorneys.”

The authorization filed with Queen’s complaint does not provide that Northlake’s attorneys are authorized to “obtain and disclose protected health information contained in medical records” or to discuss her care and treatment with her treating physicians in order to “facilitate the investigation, evaluation and defense of the claims and allegations set forth in the complaint.” Thus, the authorization clearly does not satisfy OCGA § 9-11-9.2, and Queen’s complaint would be subject to dismissal unless the Georgia statute is preempted. Therefore, we must determine whether HIPAA preempts OCGA § 9-11-9.2.

2. The intent of HIPAA is “to ensure the integrity and confidentiality of patients’ information and to protect against unauthorized uses or disclosures of the information.”⁴ The rules promulgating the standards set forth in HIPAA, which govern the disclosure of “protected health information”⁵ by health care providers, are collectively known as “the Privacy Rule.”⁶ HIPAA expressly preempts any provision of state law that is contrary to the provisions of HIPAA.⁷

Under HIPAA, a health care provider must obtain the consent of a patient before using or disclosing protected health information.⁸ Prior written authorization is generally required for the disclosure of protected health information to a third party.⁹ A valid authorization must contain the following elements:

(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.

(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.

(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.

(iv) A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.

(v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. . . .

(vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.¹⁰

The authorization must also put the patient on notice of his right to revoke the authorization.¹¹

Northlake argues that HIPAA does not preempt OCGA§ 9-11-9.2 because the state law does not contravene HIPAA and it is possible to comply with both HIPAA and OCGA § 9-11-9.2. Queen, on the other hand, contends that the statute is preempted because it does not require that the elements necessary for a valid authorization under HIPAA be present in an authorization under OCGA § 9-11-9.2.

We conduct a two-step analysis to determine whether a state law is preempted by HIPAA.¹² First, we must decide whether the state law is contrary to HIPAA; that is, whether compliance with both the state and federal rules would be impossible or if the state law is an “obstacle to the accomplishment and execution of the full purposes and objectives” of the federal rules.¹³ If the state law is contrary to HIPAA, then we ascertain whether one of the exceptions to preemption applies.¹⁴

Here, we conclude that the authorization set forth in OCGA § 9-11-9.2 is contrary to HIPAA because it does not satisfy the requirements for a valid HIPAA authorization.¹⁵ First, the Georgia statute does not require “[a] description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.”¹⁶ It is worded in such a way to permit the discovery of all of the plaintiff s medical records, regardless of whether they are relevant to the medical malpractice case. This is not the specific, meaningful identification of the information to be disclosed as contemplated by HIPAA. Next, OCGA § 9-11-9.2 does not provide for “[a]n expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.”¹⁷ And, finally, it does not contain notice of a right to revoke the authorization.¹⁸

Northlake urges us to read OCGA§ 9-11-9.2 to require a HIPAAcompliant authorization because, as a newer statute, it should be read in conjunction with existing law. This would, however, require us not merely to interpret the Code section in light of HIPAA, but to affirmatively add several provisions found nowhere in the statute. It is not the court’s function to rewrite statutes.¹⁹ Because we conclude that OCGA § 9-11-9.2 is contrary to HIPAA and none of the exceptions contained in 45 CFR § 160.203 applies,²⁰ it is preempted by HIPAA.²¹

HIPAA does set forth methods for disclosure of protected health information in judicial proceedings.²² Where no HIPAA-compliant written authorization exists, disclosure is permitted either in response to a court order or in response to a “subpoena, discovery request, or other lawful process.”²³ If disclosure is sought pursuant to a subpoena, discovery request, or other lawful process not accompanied by a court order, then the entity from whom the information is sought must “receive [ ] satisfactory assurance . . . from the party seeking the information that reasonable efforts have been made by such party” to provide notice to the patient or that there is a qualified protective order in place.²⁴

The Medical Association of Georgia, as amicus curiae in this case, asserts that no HIPAA-compliant authorization is necessary because OCGA § 9-11-9.2 constitutes “lawful process” as contemplated by 45 CFR § 164.512 (e) (1) (ii). The Final Rule promulgating this regulation states:

[t]he provisions in this paragraph are not intended to disrupt current practice whereby an individual who is a party to a proceeding and has put his or her medical condition at issue will not prevail without consenting to the production of his or her protected health information. In such cases, we presume that parties will have ample notice and an opportunity to object in the context of the proceeding in which the individual is a party.²⁵

Clearly, HIPAA contemplates a process in which disclosures are limited to relevant information, and a patient may object to particular disclosures that exceed the scope of the relevant inquiry.²⁶ OCGA § 9-11-9.2 provides no such process. As discussed herein, it does not limit in any way the protected health information which may be disclosed. And it offers no mechanism by which a plaintiff might object to the disclosure of even completely irrelevant information. Thus, we cannot find that this statute constitutes “lawful process” within the context of HIPAA.

Judgment affirmed.

Johnson, P. J., Barnes, Miller and Phipps, JJ., concur. Bernes, J., concurs specially. Andrews, P. J., dissents.

1 See Dept. of Transp. v. Robinson, 260 Ga. App. 666, 670 (3) (580 SE2d 535) (2003).

2 OCGA § 9-11-9.2.

3 Id. at (a).

4 (Punctuation omitted.) In re VioxxProducts Liability Litigation, 230 FRD 473, 477 (E.D. La. 2005) (citing 42 USC § 1320d-2 (d) (2) (A), (B) (ii)).

5 Protected health information includes

any information, whether oral or recorded in any form or medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

45 CFR § 160.103.

6 Smith v. American Home Products &c., 855 A2d 608, 611 (I) (A) (N.J. Super. 2003).

7 See 42 USC § 1320d-7 (a) (1); 45 CFR § 160.203.

8 See 45 CFR § 164.506 (b)-(c).

9 See 45 CFR § 164.508.

10 Id. at (c) (1) (i)-(vi).

11 See id. at (e) (2) (i).

12 See In re Diet Drug Litigation, 895 A2d 493, 501 (N.J. Super. 2005).

13 45 CFR § 160.202.

14 See 45 CFR § 160.203; Law v. Zuckerman, 307 FSupp.2d 705, 709 (A) (D. Md. 2004).

15 See 45 CFR § 164.508 (c) (1), (2).

16 Id. at (c) (1) (i).

17 Id. at (c) (1) (v).

18 See id. at (c) (2) (i).

19 See State v. Fielden, 280 Ga. 444 (629 SE2d 252) (2006); Dept. of Human Resources v. Coley, 247 Ga. App. 392, 398 (3) (544 SE2d 165) (2000).

20 A state law otherwise contrary to HIPAA is not preempted

if it is necessary to prevent fraud and abuse; to regulate insurance or health plans; is designed to report health care delivery or costs; is designed to serve a compelling need related to public health[,] safety[,j and welfare; or is designed to regulate controlled substances. In addition, a state law is not preemptedif it provides for: the reporting of disease, injury, child abuse, birth, or death; the conduct of public health surveillance, investigation, or intervention; or requires a health plan to report, or provide access to information for[,] management or financial audits, program monitoring and evaluation or the licensure or certification of people or facilities.

(Punctuation omitted.) Smith, supra at 621, n. 10 (citing 45 CFR § 160.203 (a), (c)-(d)).

21 See Law, supra.

22 See 45 CFR § 164.512 (e) (1), (2); see generally discussion in Tamela J. White & Charlotte A. Hoffman, The Privacy Standards Under the Health Insurance Portability and Accountability Act: A Practical Guide to Promote Order and Avoid Potential Chaos, 106 W. Va. L. Rev. 709, 740-742 (2004).

23 See 45 CFR § 164.512 (e) (1) Q, (ii).

24 Id. at (ii) (A), (B).

25 65 Fed. Reg. 82462, 82530.

26 See Bayne v. Provost, 359 FSupp.2d 234, 241-243 (N.D. N.Y. 2005); Croskey v. BMW of North America, 2005 U. S. Dist. LEXIS 43442 at *32-33 (E.D. Mich. 2005); Crenshaw v. MONY Life Ins. Co., 318 FSupp.2d 1015, 1029 (E) (1) (S.D. Cal. 2004).