Georgia Supreme Court takes another chip off SB 3
The Supreme Court of Georgia yesterday struck down the provision of SB 3, the omnibus tort reform bill passed in 2005, which required a plaintiff to provide a medical records authorization authorizing ex parte discussions with all treating physicians, upon filing of any medical malpractice suit. The Supreme Court held that this requirement was preempted by the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). See the full text of the decision below.
Allen v. Wright
S06G2018
May 14, 2007
CARLEY, Justice.
Ernestine Wright filed a medical malpractice action against Dr. Thomas Allen and others (Appellants). In ostensible compliance with OCGA § 9-11-9.2, Ms. Wright executed an authorization to release her medical records, which she filed contemporaneously with her complaint. Appellants moved to dismiss on the ground that the authorization did not satisfy the requirements of OCGA § 9-11-9.2 in several particulars. Appellants’ objections included the failure of the document to authorize their attorneys to communicate with her treating physicians outside the presence of and without prior notification to her lawyer, even though the statute does not expressly provide that the plaintiff’s requisite authorization must grant such ex parte discovery rights to the defendant. The trial court denied the motion to dismiss, holding that OCGA §9-11-9.2 was preempted by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The trial court certified its order for immediate review, and the Court of Appeals granted an interlocutory appeal. That Court affirmed the trial court’s ruling in a brief opinion which noted that the preemption issue had recently been decided adversely to Appellants’ contention in Northlake Medical Center v. Queen , 280 Ga. App. 510 (634 SE2d 486) (2006) and that "the reasoning set forth in Division 2 of that opinion [is] controlling here." Allen v. Wright , 280 Ga. App. 554, 555 (1) (634 SE2d 518) (2006). See also Crisp Regional Hosp. v. Sanders , 281 Ga. App. 393 (636 SE2d 123) (2006). Appellants applied for certiorari to review the decision of the Court of Appeals. Because the preemption question was an issue of first impression and certiorari had not been sought in the Northlake Medical Center case, we granted Appellants’ petition. 1. Subsection (a) of OCGA § 9-11-9.2 provides, in relevant part, that
As was recognized by the Court of Appeals, in order to comply with HIPAA, a patient’s authorization to disclose protected health information must contain certain elements, one of which is notice of the right to revoke the authorization. Northlake Medical Center v. Queen , supra at 512-513 (2). By its terms, OCGA § 9-11-9.2 does not require that the authorization form contain such a notification provision. Appellants urge that this is immaterial, since the plaintiff is always entitled to dismiss the complaint and thereby revoke the authorization which OCGA § 9-11-9.2 requires accompany it. However, the fallacy in this assertion is that revocation of the authorization is simply the indirect result of dismissal of the lawsuit. HIPAA requires that a patient be expressly informed of the right to revoke the authorization directly. There is a significant difference between the requirement that express notice be given to a medical patient of the right to revoke an authorization of access to protected medical information, and simply recognizing that the exercise of his or her legal right of dismissal of the lawsuit can have an effect similar to a direct revocation of the authorization itself. HIPAA requires that patients be informed of their right to revoke an authorization form. The federal statute does not recognize that the right to dismiss a lawsuit in which the submission of an authorization is a prerequisite is the functional equivalent of informing the patient of his or her right to revoke the authorization itself. Therefore, we conclude that OCGA § 9-11-9.2 does not sufficiently comply with the HIPAA requirement of notice of the right to revoke.
2. In addition to the statute’s failure to provide for notice of the right of revocation, the Court of Appeals in Northlake Medical Center v. Queen , supra at 513 (2), found "that the authorization set forth in OCGA § 9-11-9.2 is contrary to HIPAA because it does not satisfy the requirements for a valid HIPAA authorization [in several other respects]. [Cit.]" We agree with the holding in that opinion that the failure to require a specific and meaningful identification of the information to be disclosed and the failure to provide for an expiration date or a sufficient expiration event are additional bases which support the conclusion "that OCGA § 9-11-9.2 is contrary to HIPAA and none of the exceptions . . . applies, [so] it is preempted by HIPPA. [Cit.]" Northlake Medical Center v. Queen , supra at 514 (2). 3. The dissent cites Buice v. Dixon , 223 Ga. 645 (157 SE2d 481) (1967) in support of the position that OCGA § 9-11-9.2, as presently written, can be construed in harmony with HIPAA. However, OCGA § 9-11-9.2 does not simply provide that the plaintiff in a medical malpractice action must file a medical authorization form, and then leave for necessary implication the incorporation into that form of all HIPAA requirements. Compare Buice v. Dixon , supra (requirement for notice and hearing implied where statute otherwise failed to contain express provision therefor). Instead, in both subsections (b) and (c), the statute sets forth the specified statements and information that the authorization "shall provide," and there is no dispute that several of the HIPAA requirements are not included in that list of enumerated elements. Thus, the question is whether the courts are authorized to construe OCGA § 9-11-9.2 as mandating that the medical authorization form include those missing HIPAA requirements in addition to those which were specified by the General Assembly. On pp. 5-6, the dissent states:
The dissent is correct that the established rules of statutory construction require the courts to interpret a statute as valid whenever possible. Banks v. Ga. Power Co. , 267 Ga. 602, 603 (481 SE2d 200) (1997); State of Ga. v. Davis , 246 Ga. 761 (1) (272 SE2d 721) (1980). However, where, as here, the General Assembly expressly designated what the plaintiff’s medical authorization form "shall provide," the principle of "expressio unius est exclusio alterius" makes it impossible for the courts to rewrite OCGA § 9-11-9.2 so as to incorporate the missing HIPAA requirements. State v. Fielden , supra; Alexander Properties Group v. Doe , supra. Compare Buice v. Dixon , supra. Otherwise, under the guise of statutory construction, the judiciary would be free to incorporate into state statutes the provisions of any federal statute that it did not deem to be inconsistent. As OCGA § 9-11-9.2 is presently worded, it is possible to satisfy its provisions while failing to comply with the more stringent requirements of HIPAA. State law may provide for more stringent requirements on the disclosure of protected health information than HIPAA does, but cannot authorize disclosure based upon less stringent requirements than those mandated by the federal law. Law v. Zuckerman , supra. If the state statute is to be amended or rewritten so as not to be preempted by the federal enactment, that is the responsibility of the General Assembly and not the courts. Judgment affirmed . All the Justices concur, except Hunstein, P.J. , who concurs in part and dissents in part .
The Court of Appeals held, and the majority herein affirms, that preemption is required because OCGA § 9-11-9.2 does not specifically incorporate either literally or by reference the elements required under 45 CFR § 164.508 (c). However, the majority and the Court of Appeals fail to recognize that this omission does not make the state law necessarily inconsistent with HIPAA, as it might be possible to draft an authorization that would comply with both OCGA § 9-11-9.2 and 45 CFR § 164.508 (c). Like the Court of Appeals, the majority appears to equate the absence of certain required elements to a statutory prohibition on their inclusion. However, the mere absence of a requirement in OCGA § 9-11-9.2 that the authorization contain a statement of the right to revoke, for example, does not render the statute inconsistent with HIPAA, as an authorization could be drafted that includes both the elements required under the state law and also a statement explaining the plaintiff’s right to revoke.2 Likewise, the failure of the state law to require a "specific and meaningful description" of the information to be released does not preclude the inclusion of such description as required by HIPAA,3 and the failure to require an explicit expiration date or event does not preclude the inclusion of such.4 Contrary to the Court of Appeals’ position in Northlake Medical Center and the majority’s opinion herein, construing OCGA § 9-11-9.2 in harmony with HIPAA by recognizing the possibility of creating an authorization that complies with both does not constitute rewriting the statute. See Buice v. Dixon , 223 Ga. 645 (157 SE2d 481) (1967) (construing statute, which authorized taxpayer’s petition to superior court for relief against county officers for failing to fulfill statutory duties, as implicitly incorporating superior court rules and procedures regarding notice to and service on defendants). Nor does this approach, as the majority contends, "construe OCGA § 9-11-9.2 as mandating that the medical authorization form include those missing HIPAA requirements in addition to those which were specified by the General Assembly." Majority Op. at 8. Rather, doing so merely recognizes the possibility that a plaintiff may comply with both the state and federal requirements and thereby, in adopting a construction that avoids preemption, makes use of "well established rules of statutory construction requiring a court to construe a statute as valid when possible." Banks v. Georgia Power Co. , 267 Ga. 602, 603 (481 SE2d 200) (1997). See also State v. Davis , 246 Ga. 761, 761-62 (1) (272 SE2d) (1980) ("[a]ll statutes are presumed to be enacted by the legislature with full knowledge of the existing condition of the law and with reference to it; they are to be construed in connection and in harmony with the existing law; and their meaning and effect will be determined in connection, not only with the common law and the Constitution, but also with reference to other statutes and the decisions of the courts") (punctuation omitted). The majority invokes the principle of "expressio unius est exclusion alterius" to argue that, because OCGA § 9-11-9.2 (b) and (c) expressly prescribe some required content for the authorization, we must assume that all other potential content is prohibited. Though I have no dispute with the general principal that express mention of a thing in a statute implies exclusion of those things omitted, I also believe this inference may be rebutted where such a construction would render the statute at issue invalid. In other words, in a case where the principle of "expressio unius est exclusion alterius" runs counter to the principle that statutes should be construed to maintain their validity, the former may have to yield to the latter.5 This is particularly true where, as here, there is evidence to support the presumption that the legislature enacted the statute at issue with knowledge of existing law and with the intent that it would coexist in harmony with, rather than be preempted by, such law. Specifically, as correctly recognized in the dissent in Northlake Medical Center ,
Notwithstanding the fact that I believe it possible to comply with both OCGA § 9-11-9.2 and the technical requirements in 45 CFR § 164.508 (c) by utilizing an authorization containing all elements required under both enactments, I do not believe it possible to comply with subsection (c) of OCGA § 9-11-9.2 without violating the overall purpose of the Privacy Rule, namely, protecting medical privacy and affording individuals greater control over their own medical information. See 67 Fed. Reg. 53,182, 53,182 (Aug. 14, 2002); 65 Fed. Reg. at 82,463-64. The statute’s requirement that a plaintiff authorize the release of all (non-privileged) medical information, regardless of its relevance to the case, runs afoul of HIPAA’s objectives. Further, the existence of civil discovery rules designed to enforce scope and relevancy limitations does not ameliorate the effects of subsection (c), because the burden would rest with the plaintiff to object to the release of information, the disclosure of which he has already been compelled to authorize. Given that the Privacy Rule was specifically designed to shift control of medical information back to the individual, I believe that subsection (c) "stands as an obstacle to the accomplishment and execution of the full purposes of," and is thus "contrary to," the Privacy Rule. See 45 CFR § 160.202. Having been found "contrary to" HIPAA, OCGA § 9-11-9.2 (c) will be preempted unless it is "more stringent" than HIPAA’s requirements. 45 CFR § 160.203 (b).8 "More stringent" means, in essence, "provid[ing] greater privacy protection for the individual." See 45 CFR § 160.202. Given that subsection (c) would clearly provide less protection for individuals’ medical privacy, it is not "more stringent" than HIPAA and thus is preempted. It should be noted that preserving the validity of OCGA § 9-11-9.2 subsections (a) and (b) while finding subsection (c) to be preempted specifically comports with the intent of the General Assembly, expressed explicitly in enacting the"tort reform" act of which § 9-11-9.2 is a part, that
Accordingly, I would affirm the decision of the Court of Appeals only insofar as it holds subsection (c) of OCGA § 9-11-9.2 to be preempted by HIPAA; reverse as to its holding of preemption as to OCGA § 9-11-9.2 subsections (a) and (b); and remand to the superior court for reconsideration of appellee’s motion to dismiss in light of the foregoing.
145 CFR Parts 160 & 164. Throughout this opinion the terms "HIPAA Privacy Rule," "Privacy Rule," and "HIPAA" are used interchangeably. 2Such a statement would have to include an explanation that revocation of the authorization would subject the complaint to dismissal. See OCGA § 9-11-9.2 (a). Such a consequence would not run afoul of HIPAA, as the drafters of the Privacy Rule made clear in the preamble thereto that there was no intent to "disrupt current practice whereby an individual who is a party to a proceeding and has put his or her medical condition at issue will not prevail without consenting to the production of his or her protected health information." 65 Fed. Reg. 82462, 82530 (Dec. 28, 2000). 3Though the Court of Appeals also held that HIPAA’s "specific and meaningful description" requirement was violated by virtue of the breadth of the information OCGA § 9-11-9.2 requires to be authorized for release, it is clear from the preamble to the Privacy Rule that this requirement is intended to compel specificity of description, rather than limitation on scope, of information sought. See 65 Fed. Reg. at 82,517 ("There are no limitations on the information that can be authorized for disclosure. If an individual wishes to authorize [the disclosure of] his or her entire medical record, the authorization can so specify"). However, the breadth of information to be authorized for release under OCGA § 9-11-9.2 is of concern for other reasons, as discussed below. 4For example, the authorization could be drafted to expire at the conclusion of the litigation pursuant to which the authorization was filed. 5As none of the cases the majority cites in support of its position involved the construction of a statute vis-a-vis another potentially preemptive law, they do not necessarily compel the result the majority advances. See Alexander Properties Group v. Doe , 280 Ga. 306 (1) (626 SE2d 497) (2006) (construing child pornography statute as not prohibiting production of offending materials in judicial proceedings); Abdulkadir v. State , 279 Ga, 122 (2) (610 SE2d 50) (2005) (construing rape shield statute as not applicable in prosecutions for child molestation). 6To date, the Legislature has not amended OCGA § 24-9-40 (a). 7The legislative history of OCGA § 9-11-9.2 further indicates that those who enacted the statute were cognizant of HIPAA. See Hannah Yi Crockett, Rebecca McArthur & Matthew Walker, Peach Sheet, Torts and Civil Procedure, 22 Ga. St. U. L. Rev. 221, 244 (2005). 8The Privacy Rule prescribes three other exceptions to preemption, none of which are applicable here. See 45 CFR § 160.203. 9In its amicus brief, the Georgia Trial Lawyers Association ("GTLA") argues that OCGA § 9-11-9.2 is preempted in its entirety to the extent subsection (b) is construed to require the authorization to include a provision permitting ex parte communications between the plaintiff’s treating physicians and defense counsel. In holding the statute preempted under the authority of Northlake Medical Center , the Court of Appeals did not reach the merits of this argument, and, therefore, neither do I.
The Shigley Law Firm represents plaintiffs in wrongful death and catastrophic injury cases statewide in Georgia, and in other states subject to the multijurisdictional practice and pro hac vice rules in each state. Ken Shigley was designated as a "SuperLawyer" in Atlanta Magazine and one of the "Legal Elite" in Georgia Trend Magazine. He is a Certified Civil Trial Advocate of the National Board of Trial Advocacy, Chair of the Southeastern Motor Carrier Liability Institute and former chair of the Georgia Insurance Law Institute. He particularly focuses on cases arising from truck wrecks and accidents (tractor trailers truck wrecks, semi truck wrecks,18 wheeler truck wrecks, big rig truck wrecks, log truck wrecks, dump truck wrecks.
Post A Comment / Question
