Northlake Medical Center, LLC v. Queen

634 S.E.2d 486 (2006)

NORTHLAKE MEDICAL CENTER, LLC
v.
QUEEN.

No. A06A0540.

Court of Appeals of Georgia.

July 13, 2006.

*488 Troutman Sanders, Daniel S. Reinhardt, Michael E. Johnson, Weinberg, Wheeler, Hudgins, Gunn & Dial, Alan M. Maxwell, John M. Hawkins, Atlanta, for appellant.

Carter & Tate, Mark A. Tate, Savannah, Nall & Miller, Atlanta, Robert L. Goldstucker, Benjamin S. Persons IV, Atlanta, Richard Kopelman, Decatur, for appellee.

Love, Willingham, Peters, Gilleland & Monyak, Allen S. Wilmingham, Robert P. Monyak, Atlanta, Robertson, Bodoh & Nasrallah, Matthew G. Nasrallah, Marietta, amici curiae.

RUFFIN, Chief Judge.

Linda Queen brought a medical malpractice action against Northlake Medical Center, LLC and others. Northlake moved to dismiss the complaint for Queen's failure to comply with the medical record release requirement of OCGA § 9-11-9.2. The trial court denied the motion, concluding that OCGA § 9-11-9.2 was preempted by the Health Insurance Portability and Accountability Act of 1996, Pub.L.No. 104-191 ("HIPAA"), and thus Queen was not required to file a medical record release authorization in compliance with the Georgia statute. We granted Northlake's application for interlocutory appeal, as the issue of whether HIPAA preempts OCGA § 9-11-9.2 is one of first impression.

On appeal, Northlake argues that (1) the authorization form filed with Queen's complaint did not comply with OCGA § 9-11-9.2; and (2) HIPAA does not preempt compliance with that statute. We conduct a de novo review of the trial court's ruling on a legal question.[1]

1. First, we address whether the authorization Queen filed with her complaint satisfies Georgia's statutory requirements. OCGA § 9-11-9.2(a) provides that a medical record release authorization form must be filed with the complaint in a medical malpractice action. The statute describes the content of the authorization as follows:

(b) [t]he authorization shall provide that the attorney representing the defendant is authorized to obtain and disclose protected health information contained in medical records to facilitate the investigation, evaluation and defense of the claims and allegations set forth in the complaint which pertain to the plaintiff or, where applicable, the plaintiff's decedent whose treatment is at issue in the complaint. This authorization includes the defendant's attorney's right to discuss the care and treatment of the plaintiff or, where applicable, the plaintiff's decedent with all of the plaintiff's or decedent's treating physicians.
(c) The authorization shall provide for the release of all protected health information except information that is considered privileged and authorize the release of such information by any physician or health facility by which health care records of the plaintiff or the plaintiff's decedent would be maintained.[2]

A medical malpractice complaint unaccompanied by such an authorization is subject to dismissal.[3]

The authorization which Queen filed with her complaint reprints the above text of the statute in its entirety but does not state that Queen is agreeing to the statutory requirements. In fact, the authorization adopts the opposite position, that the recipient health care provider may provide medical records only to Queen's attorneys, not to Northlake's attorneys. The authorization expressly states that Queen "maintains that [HIPAA] preempts State law, including the provisions of OCGA § 9-11-9.2" and advises the recipient that "you are requested not to furnish any of such information, in any form to anyone, *489 without express written authorization from me or my attorneys."

The authorization filed with Queen's complaint does not provide that Northlake's attorneys are authorized to "obtain and disclose protected health information contained in medical records" or to discuss her care and treatment with her treating physicians in order to "facilitate the investigation, evaluation and defense of the claims and allegations set forth in the complaint." Thus, the authorization clearly does not satisfy OCGA § 9-11-9.2, and Queen's complaint would be subject to dismissal unless the Georgia statute is preempted. Therefore, we must determine whether HIPAA preempts OCGA § 9-11-9.2.

2. The intent of HIPAA is "to ensure the integrity and confidentiality of patients' information and to protect against unauthorized uses or disclosures of the information."[4] The rules promulgating the standards set forth in HIPAA, which govern the disclosure of "protected health information"[5] by health care providers, are collectively known as "the Privacy Rule."[6] HIPAA expressly preempts any provision of state law that is contrary to the provisions of HIPAA.[7]

Under HIPAA, a health care provider must obtain the consent of a patient before using or disclosing protected health information.[8] Prior written authorization is generally required for the disclosure of protected health information to a third party.[9] A valid authorization must contain the following elements:

(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
(iv) A description of each purpose of the requested use or disclosure. The statement "at the request of the individual" is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.
(v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. . . .
(vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.[10]

The authorization must also put the patient on notice of his right to revoke the authorization.[11]

Northlake argues that HIPAA does not preempt OCGA § 9-11-9.2 because the state law does not contravene HIPAA and it is possible to comply with both HIPAA and OCGA § 9-11-9.2. Queen, on the other hand, contends that the statute is preempted *490 because it does not require that the elements necessary for a valid authorization under HIPAA be present in an authorization under OCGA § 9-11-9.2.

We conduct a two-step analysis to determine whether a state law is preempted by HIPAA.[12] First, we must decide whether the state law is contrary to HIPAA; that is, whether compliance with both the state and federal rules would be impossible or if the state law is an "obstacle to the accomplishment and execution of the full purposes and objectives" of the federal rules.[13] If the state law is contrary to HIPAA, then we ascertain whether one of the exceptions to preemption applies.[14]

Here, we conclude that the authorization set forth in OCGA § 9-11-9.2 is contrary to HIPAA because it does not satisfy the requirements for a valid HIPAA authorization.[15] First, the Georgia statute does not require "[a] description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion."[16] It is worded in such a way to permit the discovery of all of the plaintiff's medical records, regardless of whether they are relevant to the medical malpractice case. This is not the specific, meaningful identification of the information to be disclosed as contemplated by HIPAA. Next, OCGA § 9-11-9.2 does not provide for "[a]n expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure."[17] And, finally, it does not contain notice of a right to revoke the authorization.[18]

Northlake urges us to read OCGA § 9-11-9.2 to require a HIPAA-compliant authorization because, as a newer statute, it should be read in conjunction with existing law. This would, however, require us not merely to interpret the Code section in light of HIPAA, but to affirmatively add several provisions found nowhere in the statute. It is not the court's function to rewrite statutes.[19] Because we conclude that OCGA § 9-11-9.2 is contrary to HIPAA and none of the exceptions contained in 45 C.F.R. § 160.203 applies,[20] it is preempted by HIPAA.[21]

HIPAA does set forth methods for disclosure of protected health information in judicial proceedings.[22] Where no HIPAA-compliant written authorization exists, disclosure is permitted either in response to a court order or in response to a "subpoena, discovery request, or other lawful process."[23] If disclosure is sought pursuant to a subpoena, discovery request, or other lawful process not accompanied by a court order, then the entity from whom the information is sought must "receive[] satisfactory assurance . . . from the party seeking the information that *491 reasonable efforts have been made by such party" to provide notice to the patient or that there is a qualified protective order in place.[24]

The Medical Association of Georgia, as amicus curiae in this case, asserts that no HIPAA-compliant authorization is necessary because OCGA § 9-11-9.2 constitutes "lawful process" as contemplated by 45 C.F.R. § 164.512(e)(1)(ii). The Final Rule promulgating this regulation states:

[t]he provisions in this paragraph are not intended to disrupt current practice whereby an individual who is a party to a proceeding and has put his or her medical condition at issue will not prevail without consenting to the production of his or her protected health information. In such cases, we presume that parties will have ample notice and an opportunity to object in the context of the proceeding in which the individual is a party.[25]

Clearly, HIPAA contemplates a process in which disclosures are limited to relevant information, and a patient may object to particular disclosures that exceed the scope of the relevant inquiry.[26] OCGA § 9-11-9.2 provides no such process. As discussed herein, it does not limit in any way the protected health information which may be disclosed. And it offers no mechanism by which a plaintiff might object to the disclosure of even completely irrelevant information. Thus, we cannot find that this statute constitutes "lawful process" within the context of HIPAA.

Judgment affirmed.

JOHNSON, P.J., BARNES, MILLER and PHIPPS, JJ., concur.

BERNES, J., concurs specially.

ANDREWS, P.J., dissents.

BERNES, Judge, concurring specially.

I concur in the judgment reached by the majority that OCGA § 9-11-9.2 is preempted by the Health Insurance Portability and Accountability Act of 1996, Pub.L. No. 104-191 ("HIPAA"). However, I write separately because I agree with the dissent's analysis, except for the discussion of the HIPAA requirement that the written authorization put the patient on notice of the right to revoke the authorization. See 45 C.F.R. § 164.508(c)(2). Because OCGA § 9-11-9.2 does not contain notice of the right to revoke the authorization, I agree with the majority that HIPAA preempts it.

ANDREWS, Presiding Judge, dissenting.

I respectfully dissent.

In 2005, the General Assembly amended the Official Code of Georgia by inserting a new Code section, OCGA § 9-11-9.2, for the purpose of improving "defendants' access to plaintiffs' health information in medical malpractice cases . . . ." Ga. L. 2005, p. 1; pp. 4-5. § 4. At issue in this case is whether OCGA § 9-11-9.2 is preempted by a federal law designed to protect health information privacy known as the Health Insurance Portability and Accountability Act of 1996 (HIPAA).[27]

When Linda Queen filed her medical malpractice action against Northlake Medical Center (Northlake), OCGA § 9-11-9.2 provided that Queen was required to file a medical authorization with the complaint authorizing Northlake's attorney to obtain Queen's "protected health information" from physicians or health care facilities to facilitate Northlake's investigation, evaluation and defense of the malpractice claim. OCGA § 9-11-9.2(a) further provides that failure to provide the authorization subjects the complaint to dismissal. As the majority opinion clearly shows, Queen (or her attorneys) deliberately chose to subject her malpractice complaint to *492 a dismissal motion by filing a medical authorization with the complaint that was not in compliance with OCGA § 9-11-9.2, but which stated to the contrary that Queen would not authorize Northlake's attorney to obtain her protected health information because OCGA § 9-11-9.2 was preempted by HIPAA. When Northlake moved for dismissal of the complaint under OCGA § 9-11-9.2(a) on the basis that Queen failed to file the required medical authorization with the complaint, the trial court agreed that HIPAA preempted the requirements of OCGA § 9-11-9.2 and denied the motion to dismiss. Contrary to the majority opinion which affirms the trial court, I find that OCGA § 9-11-9.2 was not preempted by HIPAA and that Queen's failure to comply with OCGA § 9-11-9.2 entitled Northlake to dismissal of the complaint.

The caption and body of OCGA § 9-11-9.2 provides as follows:

§ 9-11-9.2. Medical authorization forms; review of protected health information
(a) In any action for damages alleging medical malpractice against a professional licensed by the State of Georgia and listed in subsection (d) of Code Section 9-11-9.1, against a professional corporation or other legal entity that provides health care services through a professional licensed by the State of Georgia and listed in subsection (d) of Code Section 9-11-9.1, or against any licensed health care facility alleged to be liable based upon the action or inaction of a health care professional licensed by the State of Georgia and listed in subsection (d) of Code Section 9-11-9.1, contemporaneously with the filing of the complaint, the plaintiff shall be required to file a medical authorization form. Failure to provide this authorization shall subject the complaint to dismissal.
(b) The authorization shall provide that the attorney representing the defendant is authorized to obtain and disclose protected health information contained in medical records to facilitate the investigation, evaluation, and defense of the claims and allegations set forth in the complaint which pertain to the plaintiff or, where applicable, the plaintiff's decedent whose treatment is at issue in the complaint. This authorization includes the defendant's attorney's right to discuss the care and treatment of the plaintiff or, where applicable, the plaintiff's decedent with all of the plaintiff's or decedent's treating physicians.
(c) The authorization shall provide for the release of all protected health information except information that is considered privileged and shall authorize the release of such information by any physician or health care facility by which health care records of the plaintiff or the plaintiff's decedent would be maintained.

The provisions of OCGA § 9-11-9.2 were part of a package of civil justice and health care reforms enacted in 2005 in response to a crisis discerned by the General Assembly in the provision and quality of health care in Georgia. As stated in Section 1 of the Act:

The General Assembly finds that there presently exists a crisis affecting the provision and quality of health care services in this state. Hospitals and other health care providers in this state are having increasing difficulty in locating liability insurance and, when such hospitals and providers are able to locate such insurance, the insurance is extremely costly. The result of this crisis is the potential for a diminution of the availability of access to health care services and a resulting adverse impact on the health and well-being of the citizens of this state. The General Assembly further finds that certain civil justice and health care regulatory reforms as provided in this Act will promote predictability and improvement in the provision of quality health care services and the resolution of health care liability claims and will thereby assist in promoting the provision of health care liability insurance by insurance providers.

Ga. L. 2005, pp. 1-2, § 1. As part of this reform Act, OCGA § 9-11-9.2 promotes efficient resolution of medical malpractice claims by requiring the plaintiff to file a written medical authorization form with the complaint which allows the defendant's attorney to immediately "obtain and disclose [the plaintiff's] protected health information *493 contained in medical records to facilitate the investigation, evaluation, and defense of the claims and allegations set forth in the complaint. . . ." OCGA § 9-11-9.2(b). By stating that the authorization includes the defendant's attorney's right to discuss the plaintiff's medical care and treatment with the plaintiff's treating physicians, and that it authorizes physicians or health care facilities to release the plaintiff's protected health information, the statute also encourages use of the authorization form as a means of conducting informal discovery. OCGA § 9-11-9.2(b), (c). Although nothing in the statute requires physicians to engage in ex parte discussions with the defendant's attorney as part of informal discovery, the statute promotes ex parte discussions to facilitate timely and cost-efficient resolution of claims.

In construing the meaning and operation of OCGA § 9-11-9.2, we presume that the General Assembly enacted the statute with knowledge of and with reference to existing law. "Newer statutes are construed in connection and in harmony with existing laws because all statutes are presumed to be enacted by the legislature with full knowledge of the existing condition of the law and with reference to it; they are to be construed in connection and in harmony with the existing law." Lamad Ministries v. Dougherty County Bd. of Tax Assessors, 268 Ga.App. 798, 801, 602 S.E.2d 845 (2004). When OCGA § 9-11-9.2 was enacted, existing Georgia law provided that, although a patient has a privacy right in his or her medical records, the right is not absolute and it is "waived to the extent that the patient places his care and treatment or the nature and extent of his injuries at issue in any civil or criminal proceeding." OCGA § 24-9-40(a); Orr v. Sievert, 162 Ga.App. 677, 678-680, 292 S.E.2d 548 (1982); compare King v. State, 272 Ga. 788, 789-794, 535 S.E.2d 492 (2000). As we explained in Orr, the existing Georgia law provided that:

Once a patient places his care and treatment at issue in a civil proceeding, there no longer remains any restraint upon a doctor in the release of medical information concerning the patient within the parameters of the complaint. To hold otherwise would allow a patient to restrain a doctor who possesses the most relevant information and opinions from responding to inquiries as to such information or giving such opinions without a written authorization, court order, or subpoena.

Orr, 162 Ga.App. at 679-680, 292 S.E.2d 548. Accordingly, when OCGA § 9-11-9.2 was enacted existing Georgia law provided that, by filing a medical malpractice complaint, the plaintiff waived the right to privacy in the plaintiff's medical records — without the necessity of waiver by a written medical authorization — to the extent the complaint placed the plaintiff's medical care and treatment or the nature and extent of the plaintiff's injuries at issue in the civil action.

It follows that, when the General Assembly enacted OCGA § 9-11-9.2, there was no necessity under existing Georgia law to require that the plaintiff file a written medical authorization with the complaint to establish a waiver of the plaintiff's privacy rights in relevant medical records. There was such a necessity, however, under existing federal law in HIPAA. To implement HIPAA privacy standards with respect to health information, regulations were promulgated under title 45 of the Code of Federal Regulations, which are collectively known as the HIPAA "Privacy Rule." The Privacy Rule defines and protects "individually identifiable health information," and then specifically refers to this information throughout the Rule as "protected health information." 45 C.F.R. § 160.103. The type of health information a defendant's attorney is authorized to obtain about a plaintiff pursuant to OCGA § 9-11-9.2 qualifies as "protected health information" under the HIPAA Privacy Rule. 45 C.F.R. § 160.103. Although there are various circumstances under the Privacy Rule where no written authorization is required for use or disclosure of "protected health information," none of those circumstances applies in this case. Accordingly, when OCGA § 9-11-9.2 was enacted, the HIPAA Privacy Rule required that a written authorization be obtained from the plaintiff for a health care provider to disclose the plaintiff's "protected health information" to the defendant's attorney under the statute. 45 C.F.R. §§ 164.502(a); 164.508. Moreover, with certain *494 exceptions, the HIPAA Privacy Rule made clear that it preempted contrary state law, defined as situations where compliance with both state and federal requirements would be impossible, or where the state law "stands as an obstacle to the accomplishment and execution of the full purposes and objectives" of HIPAA. 45 C.F.R. §§ 160.202; 160.203.

As stated above, when OCGA § 9-11-9.2 was enacted in 2005, we presume that the General Assembly had knowledge that, contrary to existing Georgia law, the existing HIPAA Privacy Rule required a written authorization for disclosure of "protected health information" pursuant to OCGA § 9-11-9.2 and that, unless OCGA § 9-11-9.2 required a HIPAA-compliant written authorization, the statute would be preempted by HIPAA. Lamad Ministries, 268 Ga.App. at 801, 602 S.E.2d 845. There is ample reason to apply this presumption and conclude that the General Assembly considered the HIPAA requirements when it enacted OCGA § 9-11-9.2. First, because there was no necessity for a written authorization under existing Georgia law, it stands to reason that the General Assembly had HIPAA in mind when it required a written authorization under OCGA § 9-11-9.2. Second, OCGA § 9-11-9.2 twice uses the term "protected health information" to refer to the information to be disclosed pursuant to the required written authorization. OCGA § 9-11-9.2(b), (c). As set forth above, the HIPAA Privacy Rule defines and protects "individually identifiable health information," and thereafter repeatedly refers to this information by the term "protected health information." 45 C.F.R. § 160.103. In fact, the section of the Privacy Rule which sets forth the core elements for a HIPAA-compliant written authorization provides that: "Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section." 45 C.F.R. § 164.508(a) (emphasis supplied). Third, the provisions of OCGA § 9-11-9.2 describing the required written authorization are consistent with the core elements of a valid written authorization under HIPAA as set forth in 45 C.F.R. § 164.508(c), and nothing in the statute prevents a plaintiff from incorporating those elements in the authorization. 
Those core elements are set forth in the Privacy Rule as follows:

(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
(iv) A description of each purpose of the requested use or disclosure. The statement "at the request of the individual" is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.
(v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement "end of the research study," "none," or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.
(vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.

45 C.F.R. § 164.508(c)(1). In addition to the above core elements, the Privacy Rule requires that the authorization give notice of the right to revoke the authorization in writing. 45 C.F.R. § 164.508(c)(2).

The provisions of OCGA § 9-11-9.2 are consistent with all of the above core elements. The written authorization required under the statute specifically and meaningfully identifies the information to be disclosed by stating that it is protected health information of the plaintiff that "facilitate[s] the investigation, *495 evaluation, and defense of the claims and allegations set forth in the complaint which pertain to the plaintiff. . . ." OCGA § 9-11-9.2(b). The statute cannot be fairly read, as the majority opinion contends, to authorize disclosure of the plaintiff's health information unrelated to the claims in the medical malpractice complaint. Moreover, reading OCGA § 9-11-9.2 in harmony with existing Georgia law makes clear that the General Assembly did not intend the expansive reading given to the statute by the majority opinion. OCGA § 24-9-40(a); Orr, 162 Ga.App. at 678-680, 292 S.E.2d 548. As to other core elements, the statute identifies the persons disclosing and receiving the information, and describes the purpose for which the disclosed information is to be used. As to the core element requiring an expiration date or event that relates to the purpose of the use or disclosure, the provision in the statute that the information is disclosed to "facilitate the investigation, evaluation, and defense of the claims and allegations set forth in the complaint . . ." provides for an expiration event — the resolution or dismissal of the civil action commenced by the complaint. Finally, the statute clearly calls for the plaintiff's signature on a written authorization which takes effect on the date it is contemporaneously filed with the complaint. Because the provisions of OCGA § 9-11-9.2 are consistent with and not contrary to the core elements of a HIPAA-compliant authorization, there is no basis for finding that HIPAA preempts the statute. 45 C.F.R. §§ 160.202; 160.203.

Although OCGA § 9-11-9.2 says nothing about the additional HIPAA requirement of notice of the right to revoke the authorization, the statute does not prevent a plaintiff from revoking the required authorization after it has been filed with the complaint. The HIPAA Privacy Rule provides that an individual may revoke an authorization in writing at any time, except where the physician or other entity disclosing protected health information pursuant to the authorization has taken action in reliance thereon, and in other cases dealing with authorizations provided as a condition of obtaining insurance coverage. 45 C.F.R. § 164.508(b)(5). These exceptions to the right to revoke would not preclude a plaintiff from revoking the authorization during the pendency of the complaint to prevent disclosure of information not previously disclosed pursuant to the authorization. However, if a plaintiff exercises the right under HIPAA to revoke an authorization filed with the complaint as required by OCGA § 9-11-9.2, revocation would be the equivalent of failure to provide the required authorization and would subject the medical malpractice action to dismissal pursuant to OCGA § 9-11-9.2(a). Giving notice of the right to revoke a HIPAA-compliant authorization for disclosure of protected health information makes clear to the individual giving the authorization that additional disclosure of information can be stopped at any time by revocation before the date or event on which the authorization would expire. A plaintiff required by OCGA § 9-11-9.2 to file a medical authorization as a condition of filing and maintaining the complaint has notice of the right to stop additional disclosure of protected health information at any time by dismissing the complaint and thereby accelerating the expiration event for the authorization. 
Under the circumstances, notice of the right to dismiss the complaint at any time and cause the authorization to expire provides the equivalent of notice of the right to revoke the authorization at any time. Because the provisions of OCGA § 9-11-9.2 are consistent with and not contrary to the HIPAA Privacy Rule requirement for notice of the right to revoke the authorization, HIPAA does not preempt the statute. 45 C.F.R. §§ 160.202; 160.203.

NOTES

[1] See Dept. of Transp. v. Robinson, 260 Ga.App. 666, 670(3), 580 S.E.2d 535 (2003).

[2] OCGA § 9-11-9.2.

[3] Id. at (a).

[4] (Punctuation omitted.) In re Vioxx Products Liability Litigation, 230 F.R.D. 473, 477 (E.D.La. 2005) (citing 42 U.S.C. § 1320d-2 (d)(2)(A), (B)(ii)).

[5] Protected health information includes

any information, whether oral or recorded in any form or medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

45 C.F.R. § 160.103.

[6] Smith v. American Home Products, etc., 372 N.J.Super. 105, 855 A.2d 608, 611(I)(A) (2003).

[7] See 42 U.S.C. § 1320d-7 (a)(1); 45 C.F.R. § 160.203.

[8] See 45 C.F.R. § 164.506(b)-(c).

[9] See 45 C.F.R. § 164.508.

[10] Id. at (c)(1)(i)-(vi).

[11] See id. at (c)(2)(i).

[12] See In re Diet Drug Litigation, 384 N.J.Super. 546, 895 A.2d 493, 501 (2005).

[13] 45 C.F.R. § 160.202.

[14] See 45 C.F.R. § 160.203; Law v. Zuckerman, 307 F.Supp.2d 705, 709(A) (D.Md.2004).

[15] See 45 C.F.R. § 164.508(c)(1), (2).

[16] Id. at (c)(1)(i).

[17] Id. at (c)(1)(v).

[18] See id. at (c)(2)(i).

[19] See State v. Fielden, 280 Ga. 444, 629 S.E.2d 252 (2006); Dept. of Human Resources v. Coley, 247 Ga.App. 392, 398(3), 544 S.E.2d 165 (2000).

[20] A state law otherwise contrary to HIPAA is not preempted

if it is necessary to prevent fraud and abuse; to regulate insurance or health plans; is designed to report health care delivery or costs; is designed to serve a compelling need related to public health[,] safety[,] and welfare; or is designed to regulate controlled substances. In addition, a state law is not preempted if it provides for: the reporting of disease, injury, child abuse, birth, or death; the conduct of public health surveillance, investigation, or intervention; or requires a health plan to report, or provide access to information for[,] management or financial audits, program monitoring and evaluation or the licensure or certification of people or facilities.

(Punctuation omitted.) Smith, supra at 621 n. 10 (citing 45 C.F.R. § 160.203(a), (c)-(d)).

[21] See Law, supra.

[22] See 45 C.F.R. § 164.512(e)(1), (2); see generally discussion in Tamela J. White & Charlotte A. Hoffman, The Privacy Standards Under the Health Insurance Portability and Accountability Act: A Practical Guide to Promote Order and Avoid Potential Chaos, 106 W. Va. L. Rev. 709, 740-742 (2004).

[23] See 45 C.F.R. § 164.512(e)(1)(i), (ii).

[24] Id. at (ii)(A), (B).

[25] 65 Fed. Reg. 82462, 82530.

[26] See Bayne v. Provost, 359 F.Supp.2d 234, 241-243 (N.D.N.Y.2005); Croskey v. BMW of North America, 2005 WL 1959452, *8-9 (E.D.Mich.2005); Crenshaw v. MONY Life Ins. Co., 318 F.Supp.2d 1015, 1029(E)(1) (S.D.Ca. 2004).

[27] Pub.L. 104-191, codified in various sections of the United States Code.