Northlake Medical Center, LLC v. Queen, A06A0540.

• Decision Date: 13 July 2006
• Docket Number: No. A06A0540.,A06A0540.
• Citation: 634 S.E.2d 486
• Parties: NORTHLAKE MEDICAL CENTER, LLC v. QUEEN.
• Court: Georgia Court of Appeals

634 S.E.2d 486

NORTHLAKE MEDICAL CENTER, LLC v. QUEEN.

No. A06A0540.

Court of Appeals of Georgia.

July 13, 2006.

COPYRIGHT MATERIAL OMITTED

Troutman Sanders, Daniel S. Reinhardt, Michael E. Johnson, Weinberg, Wheeler, Hudgins, Gunn & Dial, Alan M. Maxwell, John M. Hawkins, Atlanta, for appellant.

Carter & Tate, Mark A. Tate, Savannah, Nall & Miller, Atlanta, Robert L. Goldstucker, Benjamin S. Persons IV, Atlanta, Richard Kopelman, Decatur, for appellee.

Love, Willingham, Peters, Gilleland & Monyak, Allen S. Wilmingham, Robert P. Monyak, Atlanta, Robertson, Bodoh & Nasrallah, Matthew G. Nasrallah, Marietta, amici curie.

RUFFIN, Chief Judge.

Linda Queen brought a medical malpractice action against Northlake Medical Center, LLC and others. Northlake moved to dismiss the complaint for Queen's failure to comply with the medical record release requirement of OCGA § 9-11-9.2. The trial court denied the motion, concluding that OCGA § 9-11-9.2 was preempted by the Health Insurance Portability and Accountability Act of 1996, Pub.L.No. 104-191 ("HIPAA"), and thus Queen was not required to file a medical record release authorization in compliance with the Georgia statute. We granted Northlake's application for interlocutory appeal, as the issue of whether HIPAA preempts OCGA § 9-11-9.2 is one of first impression.

On appeal, Northlake argues that (1) the authorization form filed with Queen's complaint did not comply with OCGA § 9-11-9.2; and (2) HIPAA does not preempt compliance with that statute. We conduct a de novo review of the trial court's ruling on a legal question.¹

1. First, we address whether the authorization Queen filed with her complaint satisfies Georgia's statutory requirements. OCGA § 9-11-9.2(a) provides that a medical record release authorization form must be filed with the complaint in a medical malpractice action. The statute describes the content of the authorization as follows:

(b) [t]he authorization shall provide that the attorney representing the defendant is authorized to obtain and disclose protected health information contained in medical records to facilitate the investigation, evaluation and defense of the claims and allegations set forth in the complaint which pertain to the plaintiff or, where applicable, the plaintiff's decedent whose treatment is at issue in the complaint. This authorization includes the defendant's attorney's right to discuss the care and treatment of the plaintiff or, where applicable, the plaintiff's decedent with all of the plaintiff's or decedent's treating physicians.

(c) The authorization shall provide for the release of all protected health information except information that is considered privileged and authorize the release of such information by any physician or health facility by which health care records of the plaintiff or the plaintiff's decedent would be maintained.²

A medical malpractice complaint unaccompanied by such an authorization is subject to dismissal.³

The authorization which Queen filed with her complaint reprints the above text of the statute in its entirety but does not state that Queen is agreeing to the statutory requirements. In fact, the authorization adopts the opposite position, that the recipient health care provider may provide medical records only to Queen's attorneys, not to Northlake's attorneys. The authorization expressly states that Queen "maintains that [HIPAA] preempts State law, including the provisions of OCGA § 9-11-9.2" and advises the recipient that "you are requested not to furnish any of such information, in any form to anyone without express written authorization from me or my attorneys."

The authorization filed with Queen's complaint does not provide that Northlake's attorneys are authorized to "obtain and disclose protected health information contained in medical records" or to discuss her care and treatment with her treating physicians in order to "facilitate the investigation, evaluation and defense of the claims and allegations set forth in the complaint." Thus, the authorization clearly does not satisfy OCGA § 9-11-9.2, and Queen's complaint would be subject to dismissal unless the Georgia statute is preempted. Therefore, we must determine whether HIPAA preempts OCGA § 9-11-9.2.

2. The intent of HIPAA is "to ensure the integrity and confidentiality of patients' information and to protect against unauthorized uses or disclosures of the information."⁴ The rules promulgating the standards set forth in HIPAA, which govern the disclosure of "protected health information"⁵ by health care providers, are collectively known as "the Privacy Rule."⁶ HIPAA expressly preempts any provision of state law that is contrary to the provisions of HIPAA.⁷

Under HIPAA, a health care provider must obtain the consent of a patient before using or disclosing protected health information.⁸ Prior written authorization is generally required for the disclosure of protected health information to a third party.⁹ A valid authorization must contain the following elements:

(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.

(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.

(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.

(iv) A description of each purpose of the requested use or disclosure. The statement "at the request of the individual" is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.

(v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. . . .

(vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.¹⁰

The authorization must also put the patient on notice of his right to revoke the authorization.¹¹

Northlake argues that HIPAA does not preempt OCGA § 9-11-9.2 because the state law does not contravene HIPAA and it is possible to comply with both HIPAA and OCGA § 9-11-9.2. Queen, on the other hand, contends that the statute is preempted because it does not require that the elements necessary for a valid authorization under HIPAA be present in an authorization under OCGA § 9-11-9.2.

We conduct a two-step analysis to determine whether a state law is preempted by HIPAA.¹² First, we must decide whether the state law is contrary to HIPAA; that is, whether compliance with both the state and federal rules would be impossible or if the state law is an "obstacle to the accomplishment and execution of the full purposes and objectives" of the federal rules.¹³ If the state law is contrary to HIPAA, then we ascertain whether one of the exceptions to preemption applies.¹⁴

Here, we conclude that the authorization set forth in OCGA § 9-11-9.2 is contrary to HIPAA because it does not satisfy the requirements for a valid HIPAA authorization.¹⁵ First, the Georgia statute does not require "[a] description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion."¹⁶ It is worded in such a way to permit the discovery of all of the plaintiff's medical records, regardless of whether they are relevant to the medical malpractice case. This is not the specific, meaningful identification of the information to be disclosed as contemplated by HIPAA. Next, OCGA § 9-11-9.2 does not provide for "[a]n expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure."¹⁷ And, finally, it does not contain notice of a right to revoke the authorization.¹⁸

Northlake urges us to read OCGA § 9-11-9.2 to require a HIPAA-compliant authorization because, as a newer statute, it should be read in conjunction with existing law. This would, however, require us not merely to interpret the Code section in light of HIPAA, but to affirmatively add several provisions found nowhere in the statute. It is not the court's function to rewrite statutes.¹⁹ Because we conclude that OCGA § 9-11-9.2 is contrary to HIPAA and none of the exceptions contained in 45 C.F.R. § 160.203 applies,²⁰ it is preempted by HIPAA.²¹

HIPAA does set forth methods for disclosure of protected health information in judicial proceedings.²² Where no HIPAA-compliant written authorization exists, disclosure is permitted either in response to a court order or in response to a "subpoena, discovery request, or other lawful process."²³ If disclosure is sought pursuant to a subpoena, discovery request, or other lawful process not accompanied by a court order, then the entity from whom the information is sought must "receive[] satisfactory assurance . . . from the party seeking the information that reasonable efforts have been made by such party" to provide notice to the patient or that there is a qualified protective order in place.²⁴

The Medical Association of Georgia, as amicus curiae in this case, asserts that no HIPAA-compliant authorization is necessary because OCGA § 9-11-9.2 constitutes "lawful process" as contemplated by 45 C.F.R. § 164.512(e)(1)(ii). The Final Rule promulgating this regulation states:

[t]he provisions in this paragraph are not intended to disrupt current practice whereby an individual who is a party to a proceeding and has put his or her medical condition at issue will not prevail without consenting to the production of his or her protected health information. In such cases, we presume that parties will have ample notice and an opportunity to object in the context of the proceeding in which the individual is a party.²⁵

Clearly, HIPAA contemplates a process in which disclosures are...