concurring in part and dissenting in part.
While I agree with the majority that subsection (c) of OCGA § 9-11-9.2, which purports to require plaintiffs to authorize release of all their medical information in cases alleging medical malpractice, *15is preempted by the HIPAA Privacy Rule,1 I do not agree that the remaining provisions of OCGA § 9-11-9.2 are so preempted. Accordingly, I respectfully dissent from that portion of the maj ority’s opinion that holds subsections (a) and (b) of § 9-11-9.2 to be preempted by HIPAA.
Under HIPAA’s preemption provisions, state law may be preempted by the Privacy Rule only if the relevant HIPAA standard is, in the first instance, “contrary to” the state law in question. 45 CFR § 160.203. AHIPAA standard will be deemed “contrary to” a state law if it would be “impossible to comply with both the [s]tate and federal requirements” or “ft]he provision of [s]tate law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of [HIPAA].” 45 CFR § 160.202. Thus, the starting point for analysis herein should be whether it is possible to comply with OCGA § 9-11-9.2 while at the same time complying with the letter and the spirit of HIPAA.
OCGA § 9-11-9.2 (a) prescribes generally that a plaintiff in a medical malpractice action must file a medical authorization form contemporaneous with the complaint. Subsection (b) of the statute prescribes some required content for the authorization: it must authorize the release of the plaintiffs medical records to defense counsel “to facilitate the investigation, evaluation, and defense of the claims and allegations set forth in the complaint”; and it must authorize defense counsel to “discuss the care and treatment of the plaintiff... with all of [his] treating physicians.” OCGA§ 9-11-9.2 (b). Subsection (c) provides further content for the authorization, requiring that it “provide for the release of all protected health information except information that is considered privileged ... by any physician or health care facility by which health care records of the plaintiff... would be maintained.” OCGA§ 9-11-9.2 (c).
Under the reasoning of the majority, which affirms the Court of Appeals’ reliance below on its prior holding in Northlake Medical Center v. Queen, 280 Ga. App. 510 (634 SE2d 486) (2006), OCGA § 9-11-9.2 is preempted because the authorization required thereunder does not comport with the HIPAA requirements for valid authorizations. The Privacy Rule prescribes with specificity the elements required of a valid authorization: (1) a “specific and meaningful” description of the information to be released; (2) identification of the person(s) authorized to release the information; (3) identification of the person(s) authorized to receive the information; (4) statement of the purpose of the release; (5) expiration date or “expiration event *16that relates to the individual [who is the subject of the medical records] or the purpose of the [release]”; and (6) individual’s signature and date. 45 CFR § 164.508 (c) (1). In addition, the Privacy Rule requires authorizations to include statements “adequate to place the individual on notice of” certain rights such as the individual’s right to revoke the authorization. 45 CFR § 164.508 (c) (2). Notably, the Privacy Rule also states that “[a] valid authorization may contain elements or information in addition to the elements required by this section, provided that such additional elements or information are not inconsistent with the elements required by this section.” 45 CFR § 164.508 (b) (1) (ii).
The Court of Appeals held, and the majority herein affirms, that preemption is required because OCGA§ 9-11-9.2 does not specifically incorporate either literally or by reference the elements required under 45 CFR § 164.508 (c). However, the majority and the Court of Appeals fail to recognize that this omission does not make the state law necessarily inconsistent with HIPAA, as it might be possible to draft an authorization that would comply with both OCGA § 9-11-9.2 and 45 CFR § 164.508 (c). Like the Court of Appeals, the majority appears to equate the absence of certain required elements to a statutory prohibition on their inclusion. However, the mere absence of a requirement in OCGA § 9-11-9.2 that the authorization contain a statement of the right to revoke, for example, does not render the statute inconsistent with HIPAA, as an authorization could be drafted that includes both the elements required under the state law and also a statement explaining the plaintiffs right to revoke.2 Likewise, the failure of the state law to require a “specific and meaningful description” of the information to be released does not preclude the inclusion of such description as required by HIPAA,3 and the failure to require *17an explicit expiration date or event does not preclude the inclusion of such.4
Contrary to the Court of Appeals’ position in Northlake Medical Center and the majority’s opinion herein, construing OCGA § 9-11-9.2 in harmony with HIPAAby recognizing the possibility of creating an authorization that complies with both does not constitute rewriting the statute. See Buice v. Dixon, 223 Ga. 645 (157 SE2d 481) (1967) (construing statute, which authorized taxpayer’s petition to superior court for relief against county officers for failing to fulfill statutory duties, as implicitly incorporating superior court rules and procedures regarding notice to and service on defendants). Nor does this approach, as the majority contends, “construe OCGA § 9-11-9.2 as mandating that the medical authorization form include those missing HIPAA requirements in addition to those which were specified by the General Assembly.” Majority Op. at 13. Rather, doing so merely recognizes the possibility that a plaintiff may comply with both the state and federal requirements and thereby, in adopting a construction that avoids preemption, makes use of “well established rules of statutory construction requiring a court to construe a statute as valid when possible.” Banks v. Ga. Power Co., 267 Ga. 602, 603 (481 SE2d 200) (1997). See also State v. Davis, 246 Ga. 761, 761-62 (1) (272 SE2d 721) (1980) (“[a] 11 statutes are presumed to be enacted by the legislature with full knowledge of the existing condition of the law and with reference to it; they are to be construed in connection and in harmony with the existing law; and their meaning and effect will be determined in connection, not only with the common law and the Constitution, but also with reference to other statutes and the decisions of the courts”) (punctuation omitted).
The majority invokes the principle of “expressio unius est exclusio alterius” to argue that, because OCGA § 9-11-9.2 (b) and (c) expressly prescribe some required content for the authorization, we must assume that all other potential content is prohibited. Though I have no dispute with the general principle that express mention of a thing in a statute implies exclusion of those things omitted, I also believe this inference may be rebutted where such a construction would render the statute at issue invalid. In other words, in a case where the principle of “expressio unius est exclusio alterius” runs counter to the principle that statutes should be construed to maintain their validity, the former may have to yield to the latter.5
*18This is particularly true where, as here, there is evidence to support the presumption that the legislature enacted the statute at issue with knowledge of existing law and with the intent that it would coexist in harmony with, rather than be preempted by, such law. Specifically, as correctly recognized in the dissent in Northlake Medical Center,
when OCGA § 9-11-9.2 was enacted[,] existing Georgia law provided that, by filing a medical malpractice complaint, the plaintiff waived the right to privacy in the plaintiff s medical records — without the necessity of waiver by a written medical authorization — to the extent the complaint placed the plaintiffs medical care and treatment... at issue in the civil action.
Northlake Medical Center, 280 Ga. App. at 518 (Andrews, P. J., dissenting). Indeed, at the time OCGA § 9-11-9.2 was enacted, the placing of one’s medical condition at issue in litigation acted as an automatic waiver of a patient’s right to privacy in his medical records related to that condition, OCGA § 24-9-40 (a), 6 and Georgia case law had long reaffirmed this principle. See Orr v. Sievert, 162 Ga. App. 677 (292 SE2d 548) (1982).
It follows that, when the General Assembly enacted OCGA § 9-11-9.2, there was no necessity under existing Georgia law to require that the plaintiff file a written medical authorization with the complaint to establish a waiver of the plaintiffs privacy rights in relevant medical records. There was such a necessity, however, under existing federal law in HIPAA.
Northlake Medical Center, 280 Ga. App. at 518-519 (Andrews, P. J., dissenting). The implication, thus, is that OCGA § 9-11-9.2 was enacted not only with knowledge of, but indeed as a result of, HIPAA, which further supports the notion that the statute should be construed in harmony therewith to the extent possible.7
Notwithstanding the fact that I believe it possible to comply with both OCGA § 9-11-9.2 and the technical requirements in 45 CFR *19§ 164.508 (c) by utilizing an authorization containing all elements required under both enactments, I do not believe it possible to comply with subsection (c) of OCGA § 9-11-9.2 without violating the overall purpose of the Privacy Rule, namely, protecting medical privacy and affording individuals greater control over their own medical information. See 67 Fed. Reg. 53182 (Aug. 14, 2002); 65 Fed. Reg. at 82463-82464. The statute’s requirement that a plaintiff authorize the release of all (non-privileged) medical information, regardless of its relevance to the case, runs afoul of HIPAA’s objectives. Further, the existence of civil discovery rules designed to enforce scope and relevancy limitations does not ameliorate the effects of subsection (c), because the burden would rest with the plaintiff to object to the release of information, the disclosure of which he has already been compelled to authorize. Given that the Privacy Rule was specifically designed to shift control of medical information back to the individual, I believe that subsection (c) “stands as an obstacle to the accomplishment and execution of the full purposes of,” and is thus “contrary to,” the Privacy Rule. See 45 CFR § 160.202.
Havingbeen found “contrary to” HIPAA, OCGA§ 9-11-9.2 (c) will be preempted unless it is “more stringent” than HIPAA’s requirements. 45 CFR § 160.203 (b).8 “More stringent” means, in essence, “providing] greater privacy protection for the individual.” See 45 CFR § 160.202. Given that subsection (c) would clearly provide less protection for individuals’ medical privacy, it is not “more stringent” than HIPAA and thus is preempted.
It should be noted that preserving the validity of OCGA § 9-11-9.2 subsections (a) and (b) while finding subsection (c) to be preempted specifically comports with the intent of the General Assembly, expressed explicitly in enacting the tort reform act of which OCGA § 9-11-9.2 is a part, that
[i]n the event any section, subsection, sentence, clause or phrase of this Act shall be declared or adjudged invalid or unconstitutional, such adjudication shall in no manner affect the other sections, subsections, sentences, clauses, or phrases of this Act, which shall remain of full force and effect as if the [provision] adjudged invalid or unconstitutional were not originally a part hereof.
Ga. L. 2005, p. 1, § 14. See also OCGA§ 1-1-3 (statutes presumed to be severable, such that invalid provisions may be struck without *20invalidating entire statute). This Court has held that severance of an invalid portion of a statute and preservation of the remaining valid portions is authorized as long as “the remaining portion of the [statute] accomplishes the purpose the legislature intended. [Cits.]” Nixon v. State, 256 Ga. 261, 264 (3) (347 SE2d 592) (1986). Here, it appears the overall purpose of OCGA § 9-11-9.2 was to require an authorization as a threshold condition to the filing of a medical malpractice action, and the striking of subsection (c) does not impair this purpose.9
Decided May 14, 2007. Chambless, Higdon, Richardson, Katz & Griggs, David N. Nelson, Norman C. Pearson III, Martin, Snow, Grant & Napier, John C. Daniel III, for appellants. Savage, Turner, Pinson & Karsman, William H. Pinson, Jr., Zachary H. Thomas, Smith Moore, Lawrence J. Myers, for áppellee. Brinson, Askew, Berry, Seigler & Richardson, Norman S. Fletcher, Love, Willingham, Peters, Gilleland & Monyak, Allen S. Willingham, Robert P. Monyak, Robertson, Bodoh & Nasrallah, Matthew G. Nasrallah, Adams & Adams, Charles R. Adams III, amici curiae.Accordingly, I would affirm the decision of the Court of Appeals only insofar as it holds subsection (c) of OCGA § 9-11-9.2 to be preempted by HIPAA; reverse as to its holding of preemption as to OCGA § 9-11-9.2 subsections (a) and (b); and remand to the superior court for reconsideration of appellee’s motion to dismiss in light of the foregoing.
45 CFR Parts 160 & 164. Throughout this opinion the terms “HIPAA Privacy Rule,” “Privacy Rule,” and “HIPAA” are used interchangeably.
Such a statement would have to include an explanation that revocation of the authorization would subject the complaint to dismissal. See OCGA§ 9-11-9.2 (a). Such a consequence would not run afoul of HIPAA, as the drafters of the Privacy Rule made clear in the preamble thereto that there was no intent to “disrupt current practice whereby an individual who is a party to a proceeding and has put his or her medical condition at issue will not prevail without consenting to the production of his or her protected health information.” 65 Fed. Reg. 82462, 82530 (Dec. 28, 2000).
Though the Court of Appeals also held that HIPAA’s “specific and meaningful description” requirement was violated by virtue of the breadth of the information OCGA § 9-11-9.2 requires to be authorized for release, it is clear from the preamble to the Privacy Rule that this requirement is intended to compel specificity of description, rather than limitation on scope, of information sought. See 65 Fed. Reg. at 82517 (“There are no limitations on the information that can be authorized for disclosure. If an individual wishes to authorize [the disclosure of] his or her entire medical record, the authorization can so specify’). However, the breadth of information to be authorized for release under OCGA § 9-11-9.2 is of concern for other reasons, as discussed below.
For example, the authorization could be drafted to expire at the conclusion of the litigation pursuant to which the authorization was filed.
As none of the cases the majority cites in support of its position involved the construction of a statute vis-á-vis another potentially preemptive law, they do not necessarily compel the result the majority advances. See Alexander Properties Group v. Doe, 280 Ga. 306 (1) (626 SE2d *18497) (2006) (construing child pornography statute as not prohibiting production of offending materials in judicial proceedings); Abdulkadir v. State, 279 Ga. 122 (2) (610 SE2d 50) (2005) (construing rape shield statute as not applicable in prosecutions for child molestation).
To date, the Legislature has not amended OCGA § 24-9-40 (a).
The legislative history of OCGA § 9-11-9.2 further indicates that those who enacted the statute were cognizant of HIPAA. See Hannah Yi Crockett, Rebecca McArthur & Matthew Walker, Peach Sheet, Torts and Civil Practice, 22 Ga. St. U. L. Rev. 221, 244 (2005).
The Privacy Rule prescribes three other exceptions to preemption, none of which are applicable here. See 45 CFR § 160.203.
In its amicus brief, the Georgia Trial Lawyers Association (“GTLA”) argues that OCGA § 9-11-9.2 is preempted in its entirety to the extent subsection (b) is construed to require the authorization to include a provision permitting ex parte communications between the plaintiffs treating physicians and defense counsel. In holding the statute preempted under the authority of Northlake Medical Center, the Court of Appeals did not reach the merits of this argument, and, therefore, neither do I.