The Georgia Supreme Court's potentially important May 14 decision in Allen v. Wright, 2007 Ga. Lexis 343, held that the HIPAA Privacy Rule preempted Georgia's 2005 tort reform statute requiring malpractice plaintiffs to file with their complaints a "medical authorization form" enabling the defendants' attorneys to obtain and disclose protected health information to facilitate their defense of the plaintiff's claims. (OCGA §9-11-9.2.) Beyond the significance of that ruling itself, the method of analysis and rationale adopted by the Georgia Supreme Court, if followed by other courts, suggest that HIPAA preemption of state laws may prove to be much broader than previously has been supposed.

The Georgia Statute

The 2005 tort reform legislation was enacted to address a perceived crisis in the provision and quality of health care in Georgia, which included that hospitals and other health care providers were "having increasing difficulty in locating liability insurance." The General Assembly found that the reforms adopted would "promote predictability and improvement" in the "resolution of health care liability claims" and thereby "assist in promoting the provision of health care liability insurance by insurance providers."

Prior to this legislation, Georgia law provided that a patient's right of privacy in medical records is waived automatically to the extent that the patient places his care and treatment at issue in a civil action. After the HIPAA Privacy Rule took effect, it was understood to contemplate that, in circumstances such as litigation, a patient would provide a written authorization before a hospital would release the patient's protected health information, and, consequently, the 2005 Georgia legislation sought to provide for a written authorization. Section 9-11-9.2(b) states that, in addition to medical records access, the "authorization includes the defendant's attorney's right to discuss the care and treatment of the plaintiff" with "all" of the plaintiff's "treating physicians." The Georgia plaintiffs' bar found that enabling of "ex parte" communications between defense counsel and the plaintiff's treating physicians to be objectionable, "particularly given the small number of medical malpractice insurers in Georgia, and the concomitant result that the treating physician will often be insured by the same carrier as the defendant."

Ernestine Wright's Suit

In that context, three test cases were commenced, including Ernestine Wright's suit against Thomas Allen, M.D., Four Rivers Orthopedics Associates, P.C., and the Meadows Regional Medical Center, Inc., which alleged negligence in connection with her 2004 hip replacement surgery. Wright's complaint was accompanied by an authorization that the defendants deemed to be inadequate, and, consequently, they moved for dismissal of the complaint, relying on §9-11-9.2(a)'s requirement that "Failure to provide this authorization shall subject the complaint to dismissal."

The trial judge denied the defendants' motion to dismiss, finding that §9-11-9.2 is preempted by HIPAA and conflicts with the formal discovery methods recognized under the Georgia Civil Practice Act, but certified the ruling for interlocutory review. The Court of Appeals of Georgia then accepted review and affirmed, in Allen v. Wright, 280 Ga. App. 554, 634, S.E.2d 518 (2006), by a 5 to 2 majority, based on the conclusion that another decision, reached one day earlier, addressing the "identical issue"—whether HIPAA preempts §9-11-9.2—was "controlling." Northlake Medical Center, LLC v. Queen, 280 Ga. App. 510, 634 S.E.2d 486 (2006) (holding the statute preempted). The Georgia Supreme Court then granted certiorari, noting that it was "particularly concerned with" whether "§9-11-9.2 is preempted" by HIPAA.

HIPAA Preemption

Joining the parties before the Supreme Court, as amici curiae, were the Medical Association of Georgia (representing Georgia physicians) together with The Georgia Hospital Association, supporting the defendants-appellants, and The Georgia Trial Lawyers Association, supporting the plaintiff-appellee. Thus, this was a full dress confrontation between the Georgia medical establishment and the plaintiffs' bar.

The appellants and their amici argued that the "legislature was (1) aware of HIPAA; and (2) intended plaintiffs in medical malpractice cases to comply with OCGA 9-11-9.2 by submitting HIPAA compliant medical authorization forms." The appellee argued that preemption should be found for the reasons stated by the Court of Appeals in Northlake v. Queen, namely that §9-11-9.2 is contrary to HIPAA because the Georgia statute itself "does not satisfy the requirements for a valid HIPAA authorization." The Georgia Trial Lawyers Association, taking a different approach, argued that the federal preemption issue need not be addressed, because Georgia law does not authorize ex parte communications with a plaintiff's treating physicians.

Whether the HIPAA Privacy Rule preempts state law is specifically addressed by Privacy Rule §160.203, which provides that a Privacy Rule "standard, requirement, or implementation specification" that "is contrary to a provision of state law preempts the provision of state law." The term "contrary" is defined to mean that "a covered entity would find it impossible to comply with both the state and federal requirements," or the "provision of state law stands as an obstacle to the accomplishment and execution of the full purposes and objectives" of HIPAA. Thus, the federal preemption standard contemplates assessment of (i) whether the hospital or doctor possessing the protected health information whose disclosure is sought would find it impossible to comply with both the state and federal requirements or (ii) whether the state requirement is an obstacle to achievement of HIPAA objectives. In that context, some commentators have reasoned that if the law of state X imposes requirements 1 and 2, while the Privacy Rule imposes requirements 1, 2 and 3, then there is no preemption because the covered entity can comply with both, by meeting requirements 1, 2 and 3. However, the analysis undertaken by the Georgia Supreme Court was much different.

The Georgia Supreme Court's Decision

The Georgia Supreme Court, by a 6 to 1 majority, affirmed the trial court's denial of the motion to dismiss, determining that §9-11-9.2 was preempted. In doing so, it did not discuss the authorization that plaintiff Wright actually gave, and, thus, made no determination of whether that authorization complied with either §9-11-9.2 or the HIPAA Privacy Rule §164.508 requirements for a valid authorization. Rather, Justice George H. Carley's majority opinion compared the HIPAA authorization requirements stated in §164.508 with the requirements he derived from the text of §9-11-9.2.

Under the Privacy Rule, a valid authorization must contain a specific and meaningful description of the information to be disclosed, the identity of those authorized to make the disclosure, to whom they may make the disclosure, the purposes of the disclosure, the authorization's expiration date or event, the individual's signature and the date signed. Additionally, the authorization "must contain statements adequate to place the individual on notice" of the "individual's right to revoke the authorization in writing."

The text of §9-11-9.2(b) provides simply that the authorization "shall provide that the attorney representing the defendant is authorized to obtain and disclose protected health information contained in medical records to facilitate investigation, evaluation and defense of the claims."

The Supreme Court's lead basis for finding preemption was that the Georgia statute was contrary to the Privacy Rule because "HIPAA requires that a patient be expressly informed of the right to revoke the authorization, "whereas §9-11-9.2 "does not require that the authorization form contain such a notification provision." On that basis, the Court concluded the Georgia statute "does not sufficiently comply with the HIPAA requirement of notice" and is preempted.

The Court presented no clear analysis explaining why the Georgia statute's silence should matter. In the typical scenario where an authorization form is used in the HIPAA context, a hospital or doctor's office prepares an authorization form that the patient is asked to sign. If such forms do not themselves state that the authorization may be revoked, the patients are unlikely to know that the authorization may be revoked. So there is a purpose for the authorization form's giving notice to the patients. The malpractice suit authorization scenario is quite different. There the authorization document is drafted by the plaintiff's lawyer and is designed to give notice and instructions to the custodian of the plaintiff's medical records. The plaintiff is not using that authorization document to give notice to herself.

As additional grounds for preemption, the Georgia Supreme Court endorsed the Court of Appeals' finding in Northlake v. Queen that §9-11-9.2 was preempted for "failure to require a specific and meaningful identification of the information to be disclosed" and "failure to provide for an expiration date or a sufficient expiration event." As phrased by the dissent, "the majority appears to equate the absence of certain elements as statutory prohibition on their inclusion." Clearly, the majority might have read §9-11-9.2 as stating objectives consistent with what would be required in the HIPAA authorization. That is, §9-11-9.2 could be read as providing that the authorization should cover the information made relevant by the complaint allegations and that the expiration event is completion of the plaintiff's suit. But the majority implicitly rejected such a construction of the Georgia statute. Instead, it found §9-11-9.2 to be preempted because "it is possible to satisfy its provisions while failing to comply with the more stringent requirements of HIPAA."

Of course, even under that formulation it is not clear why preemption need be found. HIPAA regulates the disclosure policies and decisions of hospitals and doctors. If a plaintiff created an authorization that complied with §9-11-9.2 but not HIPAA, that authorization would be sufficient to prevent dismissal of the complaint, but it would not be sufficient to cause a hospital to release information to the defense counsel. Viewed in that way, §9-11-9.2 would fail as a Georgia tort reform device, but it would not necessarily stand as an obstacle to the achievement of any objective of HIPAA.

Implications of the Georgia Decision

By invalidating §9-11-9.2 for failure to restate the requirements of a HIPAA-compliant authorization, the Georgia Supreme Court nullified the statute providing for ex parte communications by defense counsel with plaintiff's treating physicians without ever discussing the merits of that provision. Given that the ex parte communications provision was at the heart of this controversy, it seems unlikely that the Court's ignoring it was inadvertent.

The Court's indirect approach may well have continuing ripple effects. First, the decision cannot be dismissed as merely reflecting the views of a couple of judges. Between the Supreme Court and the Court of Appeals, at least 11 of the 14 Georgia appellate judges, in reported decisions, subscribed to the analytic approach under which a state statute will be found preempted if it does not restate on its face all the requirements applicable under the HIPAA Privacy Rule. That rationale would seem to place at risk many state statutes enacted prior to adoption of the Privacy Rule (which statutes could not have stated its terms) as well as many more recent statutes that are not drafted in matching detail or fail to adopt HIPAA requirements by express reference. Time will tell.