Commissioner, Department of Human Resources
The federal Health Insurance Portability and Accountability Act (HIPAA) does not prevent the release of information on copies of death certificates about the cause of death of an individual, as well as conditions leading to the persons death and information regarding surgical proceedings conducted on the deceased, if any, that are released under the Georgia Open Records Act.
You have requested my advice regarding whether the federal Health Insurance Portability and Accountability Act, 42 U.S.C. § 1320d to 1320d 8, which is otherwise known as “HIPAA,” prevents the release of copies of death certificates maintained by the Vital Records Division of the Department of Human Resources (DHR). You have also asked whether, if death certificate records are available under the Open Records Act (ORA), information related to the cause of death of the deceased, conditions leading to the person’s death, information regarding surgical proceedings conducted on the deceased, if any, and his or her social security number specifically should be disclosed pursuant to a request under the ORA. It is my official opinion that death certificates are indeed public records subject to disclosure under the ORA and such disclosure is not prohibited by HIPAA. However, while information related to the cause of death as well as conditions leading to the person’s death and information regarding surgical proceedings conducted on the deceased, if any, is not subject to the prohibitions of HIPAA, the social security number of the deceased should be redacted unless the requestor is a bona fide member of the news media who submits the appropriate affidavit and otherwise complies with the ORA in requesting that particular piece of information.
Under Georgia law, all public records of an agency are subject to inspection and copying. O.C.G.A. §§ 50-18-70(b), 50-18-71. A public record means “all documents, papers, letters, maps, books, tapes, photographs, computer based or generated information, or similar material prepared and maintained or received in the course of the operation of a public office or agency.” O.C.G.A § 50-18-70(a). The Department of Human Resources is a state agency that is subject to the ORA. See Georgia Hospital Ass’n v. Ledbetter, 260 Ga. 477 (1990).
The requirements for the openness of public records under the ORA must be read broadly. 2005 Op. Att’y Gen. U2005-1 (citing City of Atlanta v. Corey Entm't, Inc., 278 Ga. 474 (2004)). However, the ORA also provides exceptions from public disclosure, which must be narrowly interpreted and applied. Id.; O.C.G.A.§ 50-18-72. See also Sawnee Elec. Membership Corp. v. Georgia Pub. Serv. Corp., 273 Ga. 702, 704 (2001) (holding that legislative exceptions in statutes are to be strictly construed and should only be applied as far as the language warrants).
For example, records that are required by the federal government to be kept confidential are not subject to disclosure. O.C.G.A. § 50-18-72 (a)(1). Additionally, the ORA prohibits the release of social security numbers in a number of provisions. O.C.G.A. § 50-18-72(a)(11.1), (11.3), (13), (13.1). However, in relation to the release of social security numbers, the General Assembly has also provided that members of legitimate news media organizations may obtain access to social security numbers by submitting an affidavit that they seek the information for use “in connection with news gathering and reporting.” O.C.G.A. § 50-18-72(a)(11.3)(A). Furthermore, “[a]ny agency or person who provides access to information in good faith reliance on the requirements of this chapter shall not be liable in any action on account of having provided access to such information.” O.C.G.A. § 50-18-73(c).
Georgia law provides that a “certificate of death for each death which occurs in this state shall be filed with the local registrar of the county in which the death occurred or the body was found within ten days after the death[.]” O.C.G.A. § 31-10-15(a). I understand a death certificate will contain information regarding the cause of death of an individual, as well as conditions leading to the person’s death and information regarding surgical proceedings conducted on the deceased, if any. Additionally, the death certificate may contain the individual’s social security number.
“When a death certificate is filed with a local registrar, it shall be transmitted to the State Office of Vital Records for state registration immediately upon receipt.” O.C.G.A. § 31-10-17(a). The state’s vital records registration system is operated by the DHR. See O.C.G.A. §§ 31-10-1, 31 10 2. Additionally, “[o]fficial copies of records of deaths, applications for marriages and marriage certificates, divorces, dissolutions of marriages, and annulments located in the counties shall remain accessible to the public.” O.C.G.A. § 31-10-25(f). As the Attorney General has previously opined, “access to, or examination of, death certificates appears to be a right accorded to the general public” pursuant to this statute and this would include access by the news media. 1984 Op. Att’y Gen. 84-3, 1970 Op. Att’y Gen. 70-1. See also Conklin v. State, 254 Ga. 558, 566 (1985) (holding that death certificates are public records that are accessible to all). Accordingly, death certificates are required to be transmitted to DHR, which would then be the custodian of those records as described in the ORA, and these death records are by law accessible by the public.
Given those circumstances, you have then asked whether HIPAA, as a federal statute addressing the confidentiality of certain patient information, prohibits the Department from disclosing the cause of death, contributing conditions to the cause of death, and information on surgical operations on death certificates in response to a request under the ORA. As previously discussed, under the Open Records Act, information “required by the federal government to be kept confidential” is exempt from disclosure. O.C.G.A. § 50-18-72.
The intent of HIPAA is “‘to ensure the integrity and confidentiality of patients' information and to protect against unauthorized uses or disclosures of the information.’ The rules promulgating the standards set forth in HIPAA, which govern the disclosure of ‘protected health information’ by health care providers, are collectively known as ‘the Privacy Rule.’” Northlake Med. Ctr. v. Queen, 280 Ga. App. 510, 511-12 (2006) (quoting In re Vioxx Prods. Liab. Litig., 230 F.R.D. 473, 477 (E.D. La. 2005); 45 C.F.R. § 160.103; Smith v. American Home Prods. Corp., 855 A.2d 608, 611-12 (N.J. Super. 2003)) (holding that O.C.G.A. § 9-11-9.2 is preempted by HIPAA).1
To carry out this mandate to protect patient privacy, Congress authorized the United States Department of Health and Human Services (“HHS”) to promulgate regulations to protect the confidentiality and security of health information and also made the improper disclosure of “individually identifiable health information” a criminal offense. 42 U.S.C.A. §§ 1320d 1(d), 1320d 2, 1320d 5, 1320d 6; 67 Fed. Reg. 14,776, 14,776 (Mar. 27, 2002).
In order for a regulation to have the “force and effect of law,” it must have certain substantive characteristics and be the product of certain procedural requisites. . . [the United States Supreme Court] described a substantive rule -- or a “legislative-type rule,” -- as one “affecting individual rights and obligations.”
That an agency regulation is ‘substantive,’ however, does not by itself give it the "force and effect of law." The legislative power of the United States is vested in the Congress, and the exercise of quasi-legislative authority by governmental departments and agencies must be rooted in a grant of such power by the Congress and subject to limitations which that body imposes. As [the United States Supreme Court] noted in Batterton v. Francis, 432 U.S. 416, 425 n. 9 (1977): ‘Legislative, or substantive, regulations are 'issued by an agency pursuant to statutory authority and . . . implement the statute. . . . Such rules have the force and effect of law.’
Chrysler Corp. v. Brown, 441 U.S. 281, 301-02 (1979) (citations omitted).
HIPAA’s Privacy Rule prohibits “covered” entities from disclosing or utilizing protected health information except as set forth by the applicable regulations. See Smith, supra, 855 A.2d at 611 12. There are three categories of “covered entities”: (1) health plans, (2) health care clearinghouses, and (3) health care providers who transmit any health information in electronic form in connection with a transaction covered by HIPAA. See 45 C.F.R. § 160.103. The Department has designated itself a covered entity and as such is subject to HIPAA. See 45 C.F.R. § 164.103, .105, .106, .508 (prohibiting the release of protected health information without authorization). HIPAA even applies to deceased individuals. See 45 CFR § 164.502(f). Accordingly, it initially appears that the Department is precluded from releasing “Protected Health Information” as that term is defined in HIPAA, such as cause of death, contributing conditions to the cause of death, and information about other surgical procedures, in response to an ORA request as such information is required to be kept confidential by federal law. Id.
Thus, the question becomes whether HIPAA preempts the ORA requirement for disclosure. In order to answer that question, “[f]irst, we must decide whether the state law is contrary to HIPAA; that is, whether compliance with both the state and federal rules would be impossible or if the state law is an ‘obstacle to the accomplishment and execution of the full purposes and objectives’ of the federal rules. If the state law is contrary to HIPAA, then we ascertain whether one of the exceptions to preemption applies.” Northlake Med. Ctr., 280 Ga. App. at 513 (quoting 45 C.F.R. § 160.202; citing In re Diet Drug Litig., 895 A.2d 493, 501 (N.J. Super. 2005); 45 C.F.R. § 160.203; Law v. Zuckerman, 307 F. Supp. 2d 705, 709 (D. Md. 2004)).2
Federal law under 42 U.S.C.A. § 1320d 7(b) provides that “[n]othing in [HIPAA] shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of . . . birth, or death, public health surveillance, or public health investigation or intervention.” The HIPAA regulations further advise:
A standard, requirement or implementation specification adopted under [HIPAA] that is contrary to a provision of State law preempts the provision of State law. This general rule applies, except . . .(c) The provision of State law, including State procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth or death or for the conduct of public health surveillance, investigation, or intervention.
45 C.F.R. § 160.203.
“The first rule in statutory construction is to determine whether the language at issue has a plain and unambiguous meaning with regard to the particular dispute. If the statute's meaning is plain and unambiguous, there is no need for further inquiry.” United States v. Silva, 443 F.3d 795, 797-98 (11th Cir. 2006) (interpreting the Federal Juvenile Delinquency Act). In this situation, Congress, through HHS, has specifically indicated its intent not to preempt state laws regarding death certificates by specifically excluding those laws from the purview of HIPAA. See 45 C.F.R. § 160.203. “There are also certain areas of state law (generally relating to public health . . . that are explicitly carved out of the general rule of preemption.” Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462, 82,471, 82,480 (Dec. 28, 2000).
This has been reiterated by HHS in the “frequently asked questions” section of the HHS website, where the agency indicates that “State laws that provide for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation, or intervention, likely will not conflict with the Privacy Rule. In the unusual case where there is a conflict, the State law would stand.”3 Accordingly, there is not a conflict between HIPAA and O.C.G.A. § 31 10 25, which mandates that death certificates should be accessible to the public.
Moreover, even if death certificates were not exempt under HIPAA as a “State law, including State procedures . . . for the reporting of . . . birth or death,” death certificates would be exempt from HIPAA and disclosable as required by law. 45 C.F.R. §§ 160.203, 164.512(a). “A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.” 45 C.F.R. § 164.512(a). See also 45 C.F.R. § 164.501 (defining the phrase “required by law”).
This section of the Code of Federal Regulations “was necessary to harmonize the rule with existing state and federal laws mandating uses and disclosures of protected health information . . .[and thus] it permits covered entities to use or disclose protected health information.” Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. at 82,666. See also Chrysler Corp., 441 U.S. at 301-02 n.31 (holding that interpretative rules are issued by an agency “to advise the public of the agency’s construction of the statutes and rules which it administers”). The commentary to the HIPAA regulations also indicates that “we intend this provision to preserve access to information considered important enough by state or federal authorities to require its disclosure by law.” Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. at 82,667. “[G]iven the variety of [existing legal requirements regarding privacy protections], the varied contexts in which they arise, and their significance in ensuring that important public policies are achieved, we do not believe that Congress intended to preempt each such law unless HHS specifically recognized the law or purpose in the regulation.” Id. “[F]or the purposes of § 164.512(a), law is not limited to state action; rather, it encompasses federal, state or local actions with legally binding effect.” Id. at 82,668. The commentary also provides an example of the Freedom of Information Act, “[u]ses and disclosures required by [the Freedom of Information Act] come within § 164.512(a) of the privacy regulation that permits uses or disclosures required by law.” Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. at 82,482, 82,597. See also Abbott v. Texas Dep’t of Mental Health and Mental Retardation, No. 03-04-00743-CV, 2006 Tex. App. LEXIS 7655 (Tex. App. Aug. 30, 2006), http://www.hhs.gov/hipaafaq/state/506.html (last visited May 15, 2007).
If the disclosure is required by state law and not merely permissive, the state law is not preempted. See Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. at 82,485. To determine if a disclosure is required by law, the HIPAA commentary asserts disclosure is required if the entity would be subject to sanction for failing to disclose the information. Id. at 82,591. In the instant matter, the Department is required under Georgia law to provide access to death certificates under the State’s Open Records Act. O.C.G.A. § 50-18-70(b). If the Department fails to provide access, this office is authorized to enforce compliance, and the state agency may be subject to criminal sanction. O.C.G.A. §§ 50-18-73, 50-18-74.
Here, as outlined above, Georgia law makes death certificates an open record. HIPAA does not provide an exception to that openness requirement. Furthermore, “[c]overed entities will not be sanctioned under this rule for responding in good faith to such legal process and reporting requirements [required by other laws].” Id. at 82,525.4 Accordingly, responding to a request for access to or information from death certificates, as the media have sought in the request, is required by law and not subject to the prohibitions of HIPAA.5
You have asked me whether the Department must redact social security numbers from death certificates that are released pursuant to an open record request. As I noted above, pursuant to O.C.G.A. § 50-18-72(a)(11.3), the Department should redact social security numbers on death certificates unless “the person or entity requesting such records requests such information in a writing signed under oath by such person or a person legally authorized to represent such entity which states that such person or entity is gathering information as a representative of a news media organization for use in connection with news gathering and reporting.” Here, the news media have provided a sworn, signed request that an authorized representative of a news organization is seeking death certificates for a particular time period for the purpose of news gathering. That appears to satisfy the requirement of the statute for release of the information.
The question then becomes whether the Open Records Act requires the news media to specify the particular death certificates that they are seeking in order to obtain the social security numbers.
In construing a statute, [a court’s] goal is to determine its legislative purpose. In this regard, a court must first focus on the statute's text. In order to discern the meaning of the words of a statute, the reader must look at the context in which the statute was written, remembering at all times that “the meaning of a sentence may be more than that of the separate words, as a melody is more than the notes.” If the words of a statute, however, are plain and capable of having but one meaning, and do not produce any absurd, impractical, or contradictory results, then [the court] is bound to follow the meaning of those words. If, on the other hand, the words of the statute are ambiguous, then this Court must construe the statute, keeping in mind the purpose of the statute and “the old law, the evil, and the remedy.”
Busch v. State, 271 Ga. 591, 592 (1999) (citations omitted). See also O.C.G.A. § 1-3-1. “Because the meaning of this statute is plain, unambiguous, and leads to no absurd or impracticable consequence, we must construe it according to its terms.” In the Interest of A.D.L., 253 Ga. App. 64, 68 (2001). As the statute states “all public records of an agency . . . shall be open for a personal inspection by any citizen,” it does not impose a condition that the requestor identify with particularity the specific individual’s death certificate being requested. O.C.G.A. § 50-18-70(b). That is, the plain language of the statute requires the Department to provide the social security numbers to the news media pursuant to O.C.G.A. § 50-18-72(a)(11.3)(A).
For all of the reasons set forth above, it is my official opinion that the Department is authorized to provide social security numbers from death certificates to the news media if the request complies with O.C.G.A. § 50-18-72(a)(11.3). HIPAA does not prohibit the Department from providing information on death certificates regarding the cause of death of an individual, as well as conditions leading to the person’s death and information regarding surgical proceedings conducted on the deceased, if any, that are released to the news media in response to a Georgia Open Records Act request.
JASON S. NAUNAS
1 The Supreme Court of Georgia recently affirmed the Georgia Court of Appeals’ ruling in the case of Allen v. Wright, 2007 Ga. LEXIS 343 (Ga. May 14, 2007), aff’g 280 Ga. App. 554 (2006). In that case, Georgia law required an authorization to be submitted with the filing of a medical malpractice action. The statutory authorization failed to comply with all of the requirements of an authorization issued under HIPAA. Thus, O.C.G.A. § 9-11-9.2 is contrary to HIPAA and less stringent; accordingly, it is preempted thereby. Id.
2 “Whether federal statutes or regulations preempt state law is a question of congressional intent.” Continental Pet Techs., Inc. v. Palacias, 269 Ga. App. 561, 562 (2004) (quoting Gentry v. Volkswagen of America, 238 Ga. App. 785, 787 (1999)). “Congress may express its intent to preempt state law: (1) by expressly defining the extent of the preemption; (2) by regulating an area so pervasively that an intent to preempt the entire field may be inferred; and (3) by enacting a law that directly conflicts with state law.” Id. (quoting Wet Walls v. Ledezma, 266 Ga. App. 685, 686-87 (2004)).
3See http://www.hhs.gov/hipaafaq/state/401.html (last visited May 15, 2007).
4 HHS is responsible for enforcing compliance with HIPAA, and HIPAA limits enforcement of the statute to the Secretary of HHS. See Acara v. Banks, 470 F.3d 569, 571 (5th Cir. 2006)(citing 42 U.S.C. §§ 1320d 5, -6 and holding that HIPAA is enforced only by the Secretary of HHS).
5See also State ex rel. Cincinnati Enquirer v. Daniels, 844 N.E.2d 1181, 1186-89 (Ohio 2006) (holding that the HIPAA exemption of required by law encompasses the Ohio Public Records Act); Op. Att’y Gen. No. 04018 (Neb. 2004) (concluding that HIPAA does not require the Nebraska Department of Health and Human Services Finance & Support to redact the cause of death in response to a request for public records because such information is required by law); Op. Att’y Gen. ORD 681 (Tex. 2004) (concluding that the required by law exemption of HIPAA allows entities to release certain health information pursuant to Texas law).