dissenting.
Under the Health Insurance Portability and Accountability Act of 1986 (HIPAA) and its regulations, a covered entity may release the protected health information of a deceased individual to a requesting individual if three requirements are met: (1) under state law, the individual requesting the information is “an executor, administrator, or other person [who] has authority to act on behalf of a deceased individual or of the individual’s estate”; (2) the executor, administrator, or other person is acting in this capacity on behalf of a deceased individual or his estate; and (3) the protected health information which is being requested is “relevant to such personal representation.” 45 CFR § 164.502 (g) (4). In this case, irrespective of any raw authority Mary Miller might have to request the protected health information of her deceased husband under Georgia law, she was not acting on her husband’s behalf when she made the request which is the subject of this litigation. To the contrary, she was acting on her own behalf in pursuit of a wrongful death claim, and her request for records was in no way relevant to any authority to act on behalf of her deceased husband. Accordingly, Miller’s request did not satisfy the requirements of 45 CFR § 164.502 (g) (4), and I must respectfully dissent.
HIPAA was passed to guarantee the privacy of a patient’s medical information. Moreland v. Austin, 284 Ga. 730, 731 (670 SE2d 68) (2008). To achieve this goal, HIPAA places strict limitations on both the persons who may request protected health information and the reasons for which requests may be made. These limitations are reflected in the three prerequisites necessary for a valid request for the protected health information of a decedent. First, under state law, the individual requesting a decedent’s protected health information must be “an executor, administrator, or other person [who] has authority to act on behalf of a deceased individual or of the individual’s estate.” 45 CFR § 164.502 (g) (4). In other words, the person requesting the protected health information must be authorized by state law to act as a personal representative in a fiduciary capacity on behalf of the decedent or his estate. A fiduciary is a “person who is required to act for the benefit of another person on all matters within the scope of their relationship; one who owes to another the duties of good faith, trust, confidence, and candor.” Black’s Law Dictionary (8th ed. 2004).
Mere authorization to act is not sufficient, however. In addition to having authorization, an individual seeking the protected health *128information of a decedent must satisfy the second prerequisite of 45 CFR § 164.502 (g) (4) by making a request in the appropriate fiduciary capacity. In other words, the request for records must be made pursuant to an appropriate purpose which will benefit the decedent or his estate. This requirement is further emphasized by the final prerequisite that the request for protected health information must be relevant to the requesting individual’s personal representation of the decedent or his estate. This means that the requested health information must have some appropriate connection to a duty of the requesting individual to act for the benefit of the decedent or his estate. Therefore, even if a requesting party has the authority to act as a personal representative, he or she may not request health information for personal, non-fiduciary reasons. All of these prerequisites were enacted to ensure the privacy of records even after death.
Applying these prerequisites to the facts of this case, Miller has some authority under state law to request the health records of the decedent. OCGA § 31-33-2 (a) (2) (B) allows a surviving spouse to request the health records of a decedent if no executor, administrator, or temporary administrator has been appointed. Accordingly, HIPAA’s first prerequisite may be arguably satisfied. This bare authority, standing alone, does not satisfy the remaining two requirements of HIPAA, however. For her request for protected health information to be valid, Miller must have made her request in her capacity as a personal representative, and the requested documents must be relevant to the furtherance of her responsibilities as a personal representative.
It is undisputed that the basis for Miller’s request was her desire to file a wrongful death action. Such an action is for the benefit of a decedent’s survivors, not the decedent or his estate. See Lovett v. Garvin, 232 Ga. 747 (208 SE2d 838) (1974) (“the gist of the action is not the injury suffered by the deceased, but the injury suffered by the beneficiaries, resulting from the death of the deceased”). See also Williams v. Ga. Dept. of Human Resources, 272 Ga. 624, 626, n. 14 (532 SE2d 401) (2000). Therefore, when Miller requested her deceased husband’s protected health information, she did not do so in a representative capacity for the benefit of her deceased husband. Quite to the contrary, she requested the information as an individual wishing to pursue a wrongful death action for her own benefit. Moreover, her request for protected health information under these circumstances has no relevance to the furtherance of any personal representation of the decedent or his estate, an explicit and necessary requirement under federal law. As a result, the prerequisites of HIPAA have not been satisfied, and the Court of Appeals erred in *129finding that Miller’s request for protected health information was proper.
To find otherwise, the majority opinion focuses only on the first prerequisite under HIPAA and fails to properly consider the other two. This deficiency is evident in the majority’s holding, which states: “We hold that OCGA § 31-33-2 (a) (2) (B) authorizes a surviving spouse to act on behalf of the decedent in obtaining medical records and, therefore, that the surviving spouse is entitled to access the decedent’s protected health information in accordance with 45 CFR § 164.502 (g) (4).” As explained above, however, the mere authority to act on behalf of the decedent, standing alone, is insufficient to pierce the privacy guarantees of HIPAA. Authority to act must be combined with an appropriate fiduciary purpose, and the protected health information must be relevant to the completion of this fiduciary purpose. By failing to give full consideration to these additional requirements, the majority eliminates the more exacting privacy protections of a federal law with the less stringent requirements of a state law which does not require that the release of health care records of a deceased person be relevant to the personal representation of the deceased. The fundamental problem with the majority’s analysis is that it interprets HIPAA as if it were concerned only with the identity of the person who requests protected health information without any consideration for the purpose or nature of the request. By status alone, a surviving spouse is allowed to access the protected health information of the decedent, irrespective of whether she intends to use that information for her own benefit. In fact, under the majority’s analysis, it would be possible for a surviving spouse, who has been disinherited under a decedent’s will, to immediately request health care records before an administrator or executor is appointed in order to raise a caveat. This would hardly qualify under any scenario as an act by a personal representative on behalf of the decedent. It is, in fact, the opposite extreme of a self-interested party acting against the interest of the decedent or his estate. In short, the majority misconstrues 45 CFR § 164.502 (g) (4) by effectively deleting the words “on behalf of” from its text and ignoring the most basic meaning of the term “personal representative.”
While 45 CFR § 164.502 (g) (4) restricts the field of persons qualified to request documents and the purposes for which such requests may be made, OCGA § 31-33-2 limits only the field of persons, not purposes. For this reason, the majority is also incorrect in its preemption analysis. 45 CFR § 164.502 (g) (4) is more stringent than OCGA § 31-33-2. Because HIPAA allows the release of protected health information for a much more limited purpose than OCGA § 31-33-2 (a) (2), to the extent that there is any conflict, *130HIPAA preempts our state law. See Allen v. Wright, 282 Ga. 9 (1) (644 SE2d 814) (2007).
Decided November 2, 2009. Arnall, Golden & Gregory, Glenn P. Hendrix, Jason E. Bring, Robert T. Strang III, William J. Rissler, Charles L. Gregory, for appellants. Watkins, Lourie, Roll & Chance, Lance D. Lourie, Stephen Chance, for appellee.Therefore, for all of the reasons set forth above, I believe that Miller’s request for the protected health information of her deceased husband did not satisfy the requirements of HIPAA, and the Court of Appeals erred by finding otherwise.