Ezel / AG Opinions / GA
GA 2007-4 July 11, 2007

Can a journalist or other member of the public get a copy of someone's death certificate from Georgia's Vital Records Division, including the cause of death and any surgical procedures performed, without violating HIPAA medical privacy laws?

Short answer: Yes. Georgia's Open Records Act makes death certificates public, and the federal HIPAA Privacy Rule does not block this disclosure. HIPAA's regulations (45 C.F.R. § 160.203) explicitly carve out state laws providing for the reporting of birth or death from HIPAA preemption, and HIPAA's required-by-law exception (45 C.F.R. § 164.512(a)) lets covered entities disclose protected health information when state law mandates disclosure. Cause of death, conditions leading to death, and surgical-procedure information on the death certificate are all releasable. The deceased's social security number must be redacted unless the requester is a bona fide news media representative who submits the affidavit required under O.C.G.A. § 50-18-72(a)(11.3)(A).
Currency note: this opinion is from 2007
Subsequent statutory amendments, court decisions, or later AG opinions may have changed the analysis. Treat this page as historical context, not current legal advice. Verify current law before relying on any specific rule, deadline, or remedy mentioned here.
Disclaimer: This is an official Georgia Attorney General opinion. AG opinions are persuasive authority but not binding precedent. This summary is for informational purposes only and is not legal advice. Consult a licensed Georgia attorney for advice on your specific situation.

Plain-English summary

The Commissioner of the Department of Human Resources (DHR) needed to know whether HIPAA, the federal medical privacy law, prevented DHR's Vital Records Division from disclosing death certificates in response to Open Records Act requests, and whether specific items on the death certificate (cause of death, contributing conditions, surgical procedures, social security number) needed special treatment.

AG Thurbert Baker said death certificates are public records that must be disclosed under Georgia's Open Records Act, and HIPAA does not prevent this disclosure. The cause of death, contributing conditions, and surgical procedure information are all releasable. Social security numbers must be redacted unless the requester is a news media representative who submits an affidavit.

The Georgia Open Records Act framework. Under O.C.G.A. §§ 50-18-70(b) and 50-18-71, all public records of an agency are subject to inspection and copying. DHR is a state agency subject to the ORA (Georgia Hospital Ass'n v. Ledbetter (1990)). The ORA's openness requirement is read broadly (City of Atlanta v. Corey Entm't, Inc. (2004)); exceptions are narrowly construed (Sawnee Elec. Membership Corp. v. Georgia Pub. Serv. Corp. (2001)).

Death certificates as public records. O.C.G.A. § 31-10-15(a) requires a death certificate for every Georgia death to be filed with the local registrar within ten days. § 31-10-17(a) requires immediate transmittal to the State Office of Vital Records, which DHR operates. § 31-10-25(f) provides that "[o]fficial copies of records of deaths . . . located in the counties shall remain accessible to the public." Two prior AG opinions (1984 Op. Att'y Gen. 84-3 and 1970 Op. Att'y Gen. 70-1) had treated death-certificate access as a public right. The Supreme Court of Georgia confirmed this in Conklin v. State (1985): death certificates are public records that are accessible to all.

HIPAA generally applies to DHR. The DHR has designated itself a HIPAA "covered entity," and HIPAA applies even to deceased individuals (45 C.F.R. § 164.502(f)). HIPAA's Privacy Rule prohibits covered entities from disclosing protected health information except as set forth in the regulations. So initially, it appears that DHR cannot release cause-of-death and similar information.

The HIPAA preemption framework. When state law conflicts with HIPAA, the question is whether the state law is preempted. Northlake Med. Ctr. v. Queen (2006) frames the analysis: first, is the state law contrary to HIPAA (compliance with both impossible, or state law obstructs federal purposes); second, if contrary, does an exception to preemption apply.

The birth/death/public health carve-out. 42 U.S.C. § 1320d-7(b) provides:

Nothing in [HIPAA] shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of . . . birth, or death, public health surveillance, or public health investigation or intervention.

The HIPAA regulations implement this at 45 C.F.R. § 160.203(c): a HIPAA standard preempts state law except where the state law "provides for the reporting of disease or injury, child abuse, birth or death or for the conduct of public health surveillance, investigation, or intervention." HHS commentary at 65 Fed. Reg. 82,471, 82,480 confirms that "[t]here are also certain areas of state law (generally relating to public health . . . that are explicitly carved out of the general rule of preemption." The HHS FAQ section explicitly says: "State laws that provide for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation, or intervention, likely will not conflict with the Privacy Rule. In the unusual case where there is a conflict, the State law would stand."

The "required by law" exception. Even if the carve-out didn't apply, HIPAA has a separate exception under 45 C.F.R. § 164.512(a): "A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law." HHS commentary makes clear this provision "was necessary to harmonize the rule with existing state and federal laws mandating uses and disclosures of protected health information." It "preserve[s] access to information considered important enough by state or federal authorities to require its disclosure by law." HHS specifically named the federal Freedom of Information Act as an example of a "required by law" disclosure regime. Multiple state AG and court rulings (Ohio, Nebraska, Texas) have treated their state public-records laws the same way.

DHR's duty under Georgia law. DHR is required by O.C.G.A. § 50-18-70(b) to provide access to death certificates. If DHR refuses, the AG's office is authorized to enforce compliance under §§ 50-18-73 and 50-18-74, and DHR may face criminal sanctions. So DHR's death-certificate disclosure is "required by law" within the meaning of § 164.512(a). And HIPAA's regulations expressly state that "[c]overed entities will not be sanctioned under this rule for responding in good faith to such legal process and reporting requirements" required by other laws.

Bottom line. Cause of death, conditions leading to death, and surgical procedure information from death certificates can be disclosed under the Georgia Open Records Act. HIPAA does not block disclosure.

Social security number treatment. Different rules apply to the deceased's SSN. O.C.G.A. § 50-18-72(a)(11.1), (11.3), (13), and (13.1) contain various restrictions on SSN disclosure. § 50-18-72(a)(11.3)(A) provides an affidavit-based access path for news media: a representative of a "legitimate news media organization" can obtain SSNs by filing a written, sworn statement that they're gathering information "for use in connection with news gathering and reporting." The statute doesn't require the news media to specify particular individuals' death certificates; ORA's general "all public records of an agency" framework allows broader requests. So if the news media affidavit is properly submitted, DHR must provide the SSN information along with the rest of the death certificate.

Currency note

This opinion was issued in 2007. Subsequent statutory amendments, court decisions, or later AG opinions may have changed the analysis. Treat this page as historical context, not current legal advice. Verify current law before relying on any specific rule, deadline, or remedy mentioned here.

The Georgia Open Records Act has been substantially amended since 2007 (the 2012 reform notably restructured the exceptions in § 50-18-72). The Department of Human Resources was reorganized into the Department of Public Health (which now operates Vital Records) and the Department of Community Health. HIPAA has been amended by the HITECH Act and subsequent OMNIBUS rules. Anyone working with current Georgia death-certificate disclosure should consult the present versions of all these authorities, not this 2007 opinion.

Common questions

Q: Can anyone request a death certificate, or just family members?
A: Anyone, under the Georgia Open Records Act framework. Death certificates are public records, and ORA gives "any citizen" the right to inspect them. The classic users are family, estate attorneys, genealogists, journalists, and researchers, but ORA doesn't limit access to specific categories.

Q: Why are SSNs on death certificates protected differently?
A: SSN protection reflects identity-theft concerns. SSNs are uniquely valuable to identity thieves because they're used as the master identifier for credit applications, government benefits, and many other systems. Open release of decedent SSNs would create a steady supply of IDs that thieves could use to open accounts in deceased persons' names. Georgia's news-media affidavit framework lets journalists access SSNs for reporting purposes while keeping general public access closed.

Q: What's "Protected Health Information" under HIPAA?
A: PHI is individually identifiable health information held or transmitted by a covered entity, in any form or medium. Cause of death and surgical procedure information about a specific decedent qualifies. HIPAA applies to deceased individuals' PHI, though somewhat differently than living individuals' PHI (45 C.F.R. § 164.502(f)).

Q: What does it mean to be a "covered entity" under HIPAA?
A: HIPAA covers three categories: health plans, health care clearinghouses, and health care providers who transmit health information electronically in a covered transaction (45 C.F.R. § 160.103). DHR designated itself a covered entity given its role in vital records (which involves receipt and transmission of health information from health care providers and medical examiners).

Q: How does this opinion interact with the HIPAA preemption analysis?
A: HIPAA generally preempts contrary state law, but with exceptions. The most important ones for this opinion are: (1) the public-health/birth-death carve-out at 45 C.F.R. § 160.203(c), and (2) the "required by law" disclosure exception at § 164.512(a). The opinion's analysis works through both: the Georgia death-certificate framework falls into the public-health/birth-death carve-out, and disclosure under ORA is "required by law."

Q: Does this mean any state public records law overrides HIPAA?
A: Not categorically. The HHS commentary the opinion cites suggests that public-records laws are generally consistent with HIPAA where the disclosure is required (not just permitted) by the public records law, and where the underlying records are within state public-health frameworks. The specific death-certificate analysis is straightforward; other categories of medical records would require their own preemption analysis.

Q: What if a family wants to keep cause-of-death information private?
A: Under Georgia law, death certificates are public records and the cause of death is on the certificate. Families don't have a right to suppress that information from public access. They could request that the medical certifier select less specific terminology where medically appropriate (e.g., "cardiac arrest" instead of more specific cause), but the certificate itself remains public.

Background and statutory framework

Vital records, birth and death certificates: are a longstanding category of public records. Their public character predates modern medical privacy law and reflects basic civic functions: tracking births and deaths is essential for inheritance law, social security administration, public health surveillance, life insurance claims, and historical research. State laws requiring filing and public access to vital records are foundational, not exceptional.

When HIPAA was enacted in 1996 and its Privacy Rule took effect in 2003, there was widespread concern that it might disrupt these longstanding public-records frameworks. Congress addressed this directly in 42 U.S.C. § 1320d-7(b), which expressly preserves state laws providing for the reporting of birth or death and for public health surveillance. HHS implemented this through 45 C.F.R. § 160.203(c) and through the broader required-by-law exception at § 164.512(a).

The 2007 AG opinion is a careful walk through the HIPAA preemption framework as applied to death certificates. The opinion's analytic structure: (1) establish that death certificates are public records under Georgia law; (2) acknowledge that HIPAA generally applies to DHR's handling of PHI; (3) apply HIPAA's birth/death carve-out; (4) apply HIPAA's required-by-law exception; (5) conclude no preemption.

The SSN portion adds a Georgia-specific layer: the state has chosen to add SSN protection beyond what's required for the underlying death-certificate framework, and the news-media affidavit path addresses the journalism-access concern without opening SSNs to general public access.

The opinion is also doctrinally significant for its treatment of HIPAA preemption generally. Several other state AGs and courts had reached similar conclusions: Ohio (Cincinnati Enquirer v. Daniels (2006)), Nebraska (Op. Att'y Gen. No. 04018 (2004)), Texas (Op. Att'y Gen. ORD 681 (2004)). The Georgia opinion fits within this emerging consensus that state public-records laws are generally compatible with HIPAA.

The opinion notes (in footnote 1) the contemporaneous development of the Allen v. Wright (Ga. May 14, 2007) decision, which affirmed the Court of Appeals' ruling that O.C.G.A. § 9-11-9.2 (the medical-malpractice authorization statute) was preempted by HIPAA because it required an authorization that didn't comply with all HIPAA requirements. That preemption holding is the inverse of the death-certificate analysis: where state law required something contrary to HIPAA without falling within an exception, preemption applied. Where state law fits within an exception (as the death-certificate framework does), no preemption.

Citations and references

Federal:
- 42 U.S.C. § 1320d to 1320d-8 (HIPAA)
- 42 U.S.C. § 1320d-7(b) (non-preemption of birth/death/public health reporting)
- 45 C.F.R. §§ 160.103, 160.202, 160.203 (preemption framework)
- 45 C.F.R. § 164.103.105.106.501.502(f).508.512(a) (Privacy Rule)
- 65 Fed. Reg. 82,462 (Dec. 28, 2000) (Privacy Rule preamble)
- 67 Fed. Reg. 14,776 (Mar. 27, 2002)

State Statutes:
- O.C.G.A. § 31-10-15(a) (death certificate filing)
- O.C.G.A. § 31-10-17(a) (transmission to State Office of Vital Records)
- O.C.G.A. §§ 31-10-1, 31-10-2 (vital records system)
- O.C.G.A. § 31-10-25(f) (public access to death records)
- O.C.G.A. §§ 50-18-70 through 50-18-74 (Open Records Act)

Cases:
- Conklin v. State, 254 Ga. 558 (1985) (death certificates are public records)
- Georgia Hospital Ass'n v. Ledbetter, 260 Ga. 477 (1990) (state agency subject to ORA)
- Northlake Med. Ctr. v. Queen, 280 Ga. App. 510 (2006) (HIPAA preemption framework)
- Allen v. Wright, 2007 Ga. LEXIS 343 (Ga. 2007) (O.C.G.A. § 9-11-9.2 preempted)
- Acara v. Banks, 470 F.3d 569 (5th Cir. 2006) (HIPAA enforcement only by HHS Secretary)
- State ex rel. Cincinnati Enquirer v. Daniels, 844 N.E.2d 1181 (Ohio 2006) (Ohio Public Records Act under HIPAA required-by-law exemption)
- Chrysler Corp. v. Brown, 441 U.S. 281 (1979) (regulatory force-and-effect principles)
- Multiple cases in Georgia and other jurisdictions on statutory construction

Prior state AG opinions:
- 1984 Op. Att'y Gen. 84-3; 1970 Op. Att'y Gen. 70-1 (death certificate access)
- 2005 Op. Att'y Gen. U2005-1 (broad ORA reading)
- Op. Att'y Gen. No. 04018 (Neb. 2004)
- Op. Att'y Gen. ORD 681 (Tex. 2004)

Source

Original opinion text

You have requested my advice regarding whether the federal Health Insurance Portability and Accountability Act, 42 U.S.C. § 1320d to 1320d 8, which is otherwise known as "HIPAA," prevents the release of copies of death certificates maintained by the Vital Records Division of the Department of Human Resources (DHR). You have also asked whether, if death certificate records are available under the Open Records Act (ORA), information related to the cause of death of the deceased, conditions leading to the person's death, information regarding surgical proceedings conducted on the deceased, if any, and his or her social security number specifically should be disclosed pursuant to a request under the ORA. It is my official opinion that death certificates are indeed public records subject to disclosure under the ORA and such disclosure is not prohibited by HIPAA. However, while information related to the cause of death as well as conditions leading to the person's death and information regarding surgical proceedings conducted on the deceased, if any, is not subject to the prohibitions of HIPAA, the social security number of the deceased should be redacted unless the requestor is a bona fide member of the news media who submits the appropriate affidavit and otherwise complies with the ORA in requesting that particular piece of information. The Georgia Open Records Act Under Georgia law, all public records of an agency are subject to inspection and copying. O.C.G.A. §§ 50-18-70(b), 50-18-71. A public record means "all documents, papers, letters, maps, books, tapes, photographs, computer based or generated information, or similar material prepared and maintained or received in the course of the operation of a public office or agency." O.C.G.A § 50-18-70(a). The Department of Human Resources is a state agency that is subject to the ORA. See Georgia Hospital Ass'n v. Ledbetter, 260 Ga. 477 (1990). The requirements for the openness of public records under the ORA must be read broadly. 2005 Op. Att'y Gen. U2005-1 (citing City of Atlanta v. Corey Entm't, Inc., 278 Ga. 474 (2004)). However, the ORA also provides exceptions from public disclosure, which must be narrowly interpreted and applied. Id.; O.C.G.A.§ 50-18-72. See also Sawnee Elec. Membership Corp. v. Georgia Pub. Serv. Corp., 273 Ga. 702, 704 (2001) (holding that legislative exceptions in statutes are to be strictly construed and should only be applied as far as the language warrants). For example, records that are required by the federal government to be kept confidential are not subject to disclosure. O.C.G.A. § 50-18-72 (a)(1). Additionally, the ORA prohibits the release of social security numbers in a number of provisions. O.C.G.A. § 50-18-72(a)(11.1), (11.3), (13), (13.1). However, in relation to the release of social security numbers, the General Assembly has also provided that members of legitimate news media organizations may obtain access to social security numbers by submitting an affidavit that they seek the information for use "in connection with news gathering and reporting." O.C.G.A. § 50-18-72(a)(11.3)(A). Furthermore, "[a]ny agency or person who provides access to information in good faith reliance on the requirements of this chapter shall not be liable in any action on account of having provided access to such information." O.C.G.A. § 50-18-73(c). Death Certificates in the Custody of DHR Georgia law provides that a "certificate of death for each death which occurs in this state shall be filed with the local registrar of the county in which the death occurred or the body was found within ten days after the death[.]" O.C.G.A. § 31-10-15(a). I understand a death certificate will contain information regarding the cause of death of an individual, as well as conditions leading to the person's death and information regarding surgical proceedings conducted on the deceased, if any. Additionally, the death certificate may contain the individual's social security number. "When a death certificate is filed with a local registrar, it shall be transmitted to the State Office of Vital Records for state registration immediately upon receipt." O.C.G.A. § 31-10-17(a). The state's vital records registration system is operated by the DHR. See O.C.G.A. §§ 31-10-1, 31 10 2. Additionally, "[o]fficial copies of records of deaths, applications for marriages and marriage certificates, divorces, dissolutions of marriages, and annulments located in the counties shall remain accessible to the public." O.C.G.A. § 31-10-25(f). As the Attorney General has previously opined, "access to, or examination of, death certificates appears to be a right accorded to the general public" pursuant to this statute and this would include access by the news media. 1984 Op. Att'y Gen. 84-3, 1970 Op. Att'y Gen. 70-1. See also Conklin v. State, 254 Ga. 558, 566 (1985) (holding that death certificates are public records that are accessible to all). Accordingly, death certificates are required to be transmitted to DHR, which would then be the custodian of those records as described in the ORA, and these death records are by law accessible by the public. The Application of HIPAA as an ORA Exception Given those circumstances, you have then asked whether HIPAA, as a federal statute addressing the confidentiality of certain patient information, prohibits the Department from disclosing the cause of death, contributing conditions to the cause of death, and information on surgical operations on death certificates in response to a request under the ORA. As previously discussed, under the Open Records Act, information "required by the federal government to be kept confidential" is exempt from disclosure. O.C.G.A. § 50-18-72. The intent of HIPAA is "'to ensure the integrity and confidentiality of patients' information and to protect against unauthorized uses or disclosures of the information.' The rules promulgating the standards set forth in HIPAA, which govern the disclosure of 'protected health information' by health care providers, are collectively known as 'the Privacy Rule.'" Northlake Med. Ctr. v. Queen, 280 Ga. App. 510, 511-12 (2006) (quoting In re Vioxx Prods. Liab. Litig., 230 F.R.D. 473, 477 (E.D. La. 2005); 45 C.F.R. § 160.103; Smith v. American Home Prods. Corp., 855 A.2d 608, 611-12 (N.J. Super. 2003)) (holding that O.C.G.A. § 9-11-9.2 is preempted by HIPAA).1 To carry out this mandate to protect patient privacy, Congress authorized the United States Department of Health and Human Services ("HHS") to promulgate regulations to protect the confidentiality and security of health information and also made the improper disclosure of "individually identifiable health information" a criminal offense. 42 U.S.C.A. §§ 1320d 1(d), 1320d 2, 1320d 5, 1320d 6; 67 Fed. Reg. 14,776, 14,776 (Mar. 27, 2002). In order for a regulation to have the "force and effect of law," it must have certain substantive characteristics and be the product of certain procedural requisites. . . [the United States Supreme Court] described a substantive rule -- or a "legislative-type rule," -- as one "affecting individual rights and obligations." That an agency regulation is 'substantive,' however, does not by itself give it the "force and effect of law." The legislative power of the United States is vested in the Congress, and the exercise of quasi-legislative authority by governmental departments and agencies must be rooted in a grant of such power by the Congress and subject to limitations which that body imposes. As [the United States Supreme Court] noted in Batterton v. Francis, 432 U.S. 416, 425 n. 9 (1977): 'Legislative, or substantive, regulations are 'issued by an agency pursuant to statutory authority and . . . implement the statute. . . . Such rules have the force and effect of law.' Chrysler Corp. v. Brown, 441 U.S. 281, 301-02 (1979) (citations omitted). HIPAA's Privacy Rule prohibits "covered" entities from disclosing or utilizing protected health information except as set forth by the applicable regulations. See Smith, supra, 855 A.2d at 611 12. There are three categories of "covered entities": (1) health plans, (2) health care clearinghouses, and (3) health care providers who transmit any health information in electronic form in connection with a transaction covered by HIPAA. See 45 C.F.R. § 160.103. The Department has designated itself a covered entity and as such is subject to HIPAA. See 45 C.F.R. § 164.103, .105, .106, .508 (prohibiting the release of protected health information without authorization). HIPAA even applies to deceased individuals. See 45 CFR § 164.502(f). Accordingly, it initially appears that the Department is precluded from releasing "Protected Health Information" as that term is defined in HIPAA, such as cause of death, contributing conditions to the cause of death, and information about other surgical procedures, in response to an ORA request as such information is required to be kept confidential by federal law. Id. Thus, the question becomes whether HIPAA preempts the ORA requirement for disclosure. In order to answer that question, "[f]irst, we must decide whether the state law is contrary to HIPAA; that is, whether compliance with both the state and federal rules would be impossible or if the state law is an 'obstacle to the accomplishment and execution of the full purposes and objectives' of the federal rules. If the state law is contrary to HIPAA, then we ascertain whether one of the exceptions to preemption applies." Northlake Med. Ctr., 280 Ga. App. at 513 (quoting 45 C.F.R. § 160.202; citing In re Diet Drug Litig., 895 A.2d 493, 501 (N.J. Super. 2005); 45 C.F.R. § 160.203; Law v. Zuckerman, 307 F. Supp. 2d 705, 709 (D. Md. 2004)).2 Federal law under 42 U.S.C.A. § 1320d 7(b) provides that "[n]othing in [HIPAA] shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of . . . birth, or death, public health surveillance, or public health investigation or intervention." The HIPAA regulations further advise: A standard, requirement or implementation specification adopted under [HIPAA] that is contrary to a provision of State law preempts the provision of State law. This general rule applies, except . . .(c) The provision of State law, including State procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth or death or for the conduct of public health surveillance, investigation, or intervention. 45 C.F.R. § 160.203. "The first rule in statutory construction is to determine whether the language at issue has a plain and unambiguous meaning with regard to the particular dispute. If the statute's meaning is plain and unambiguous, there is no need for further inquiry." United States v. Silva, 443 F.3d 795, 797-98 (11th Cir. 2006) (interpreting the Federal Juvenile Delinquency Act). In this situation, Congress, through HHS, has specifically indicated its intent not to preempt state laws regarding death certificates by specifically excluding those laws from the purview of HIPAA. See 45 C.F.R. § 160.203. "There are also certain areas of state law (generally relating to public health . . . that are explicitly carved out of the general rule of preemption." Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462, 82,471, 82,480 (Dec. 28, 2000). This has been reiterated by HHS in the "frequently asked questions" section of the HHS website, where the agency indicates that "State laws that provide for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation, or intervention, likely will not conflict with the Privacy Rule. In the unusual case where there is a conflict, the State law would stand."3 Accordingly, there is not a conflict between HIPAA and O.C.G.A. § 31 10 25, which mandates that death certificates should be accessible to the public. Moreover, even if death certificates were not exempt under HIPAA as a "State law, including State procedures . . . for the reporting of . . . birth or death," death certificates would be exempt from HIPAA and disclosable as required by law. 45 C.F.R. §§ 160.203, 164.512(a). "A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law." 45 C.F.R. § 164.512(a). See also 45 C.F.R. § 164.501 (defining the phrase "required by law"). This section of the Code of Federal Regulations "was necessary to harmonize the rule with existing state and federal laws mandating uses and disclosures of protected health information . . .[and thus] it permits covered entities to use or disclose protected health information." Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. at 82,666. See also Chrysler Corp., 441 U.S. at 301-02 n.31 (holding that interpretative rules are issued by an agency "to advise the public of the agency's construction of the statutes and rules which it administers"). The commentary to the HIPAA regulations also indicates that "we intend this provision to preserve access to information considered important enough by state or federal authorities to require its disclosure by law." Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. at 82,667. "[G]iven the variety of [existing legal requirements regarding privacy protections], the varied contexts in which they arise, and their significance in ensuring that important public policies are achieved, we do not believe that Congress intended to preempt each such law unless HHS specifically recognized the law or purpose in the regulation." Id. "[F]or the purposes of § 164.512(a), law is not limited to state action; rather, it encompasses federal, state or local actions with legally binding effect." Id. at 82,668. The commentary also provides an example of the Freedom of Information Act, "[u]ses and disclosures required by [the Freedom of Information Act] come within § 164.512(a) of the privacy regulation that permits uses or disclosures required by law." Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. at 82,482, 82,597. See also Abbott v. Texas Dep't of Mental Health and Mental Retardation, No. 03-04-00743-CV, 2006 Tex. App. LEXIS 7655 (Tex. App. Aug. 30, 2006), http://www.hhs.gov/hipaafaq/state/506.html (last visited May 15, 2007). If the disclosure is required by state law and not merely permissive, the state law is not preempted. See Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. at 82,485. To determine if a disclosure is required by law, the HIPAA commentary asserts disclosure is required if the entity would be subject to sanction for failing to disclose the information. Id. at 82,591. In the instant matter, the Department is required under Georgia law to provide access to death certificates under the State's Open Records Act. O.C.G.A. § 50-18-70(b). If the Department fails to provide access, this office is authorized to enforce compliance, and the state agency may be subject to criminal sanction. O.C.G.A. §§ 50-18-73, 50-18-74. Here, as outlined above, Georgia law makes death certificates an open record. HIPAA does not provide an exception to that openness requirement. Furthermore, "[c]overed entities will not be sanctioned under this rule for responding in good faith to such legal process and reporting requirements [required by other laws]." Id. at 82,525.4 Accordingly, responding to a request for access to or information from death certificates, as the media have sought in the request, is required by law and not subject to the prohibitions of HIPAA.5 Release of Social Security Numbers You have asked me whether the Department must redact social security numbers from death certificates that are released pursuant to an open record request. As I noted above, pursuant to O.C.G.A. § 50-18-72(a)(11.3), the Department should redact social security numbers on death certificates unless "the person or entity requesting such records requests such information in a writing signed under oath by such person or a person legally authorized to represent such entity which states that such person or entity is gathering information as a representative of a news media organization for use in connection with news gathering and reporting." Here, the news media have provided a sworn, signed request that an authorized representative of a news organization is seeking death certificates for a particular time period for the purpose of news gathering. That appears to satisfy the requirement of the statute for release of the information. The question then becomes whether the Open Records Act requires the news media to specify the particular death certificates that they are seeking in order to obtain the social security numbers. In construing a statute, [a court's] goal is to determine its legislative purpose. In this regard, a court must first focus on the statute's text. In order to discern the meaning of the words of a statute, the reader must look at the context in which the statute was written, remembering at all times that "the meaning of a sentence may be more than that of the separate words, as a melody is more than the notes." If the words of a statute, however, are plain and capable of having but one meaning, and do not produce any absurd, impractical, or contradictory results, then [the court] is bound to follow the meaning of those words. If, on the other hand, the words of the statute are ambiguous, then this Court must construe the statute, keeping in mind the purpose of the statute and "the old law, the evil, and the remedy." Busch v. State, 271 Ga. 591, 592 (1999) (citations omitted). See also O.C.G.A. § 1-3-1. "Because the meaning of this statute is plain, unambiguous, and leads to no absurd or impracticable consequence, we must construe it according to its terms." In the Interest of A.D.L., 253 Ga. App. 64, 68 (2001). As the statute states "all public records of an agency . . . shall be open for a personal inspection by any citizen," it does not impose a condition that the requestor identify with particularity the specific individual's death certificate being requested. O.C.G.A. § 50-18-70(b). That is, the plain language of the statute requires the Department to provide the social security numbers to the news media pursuant to O.C.G.A. § 50-18-72(a)(11.3)(A). For all of the reasons set forth above, it is my official opinion that the Department is authorized to provide social security numbers from death certificates to the news media if the request complies with O.C.G.A. § 50-18-72(a)(11.3). HIPAA does not prohibit the Department from providing information on death certificates regarding the cause of death of an individual, as well as conditions leading to the person's death and information regarding surgical proceedings conducted on the deceased, if any, that are released to the news media in response to a Georgia Open Records Act request. Prepared by: JASON S. NAUNAS 1 The Supreme Court of Georgia recently affirmed the Georgia Court of Appeals' ruling in the case of Allen v. Wright, 2007 Ga. LEXIS 343 (Ga. May 14, 2007), aff'g 280 Ga. App. 554 (2006). In that case, Georgia law required an authorization to be submitted with the filing of a medical malpractice action. The statutory authorization failed to comply with all of the requirements of an authorization issued under HIPAA. Thus, O.C.G.A. § 9-11-9.2 is contrary to HIPAA and less stringent; accordingly, it is preempted thereby. Id. 2 "Whether federal statutes or regulations preempt state law is a question of congressional intent." Continental Pet Techs., Inc. v. Palacias, 269 Ga. App. 561, 562 (2004) (quoting Gentry v. Volkswagen of America, 238 Ga. App. 785, 787 (1999)). "Congress may express its intent to preempt state law: (1) by expressly defining the extent of the preemption; (2) by regulating an area so pervasively that an intent to preempt the entire field may be inferred; and (3) by enacting a law that directly conflicts with state law." Id. (quoting Wet Walls v. Ledezma, 266 Ga. App. 685, 686-87 (2004)). 3 See http://www.hhs.gov/hipaafaq/state/401.html (last visited May 15, 2007). 4 HHS is responsible for enforcing compliance with HIPAA, and HIPAA limits enforcement of the statute to the Secretary of HHS. See Acara v. Banks, 470 F.3d 569, 571 (5th Cir. 2006)(citing 42 U.S.C. §§ 1320d 5, -6 and holding that HIPAA is enforced only by the Secretary of HHS). 5 See also State ex rel. Cincinnati Enquirer v. Daniels, 844 N.E.2d 1181, 1186-89 (Ohio 2006) (holding that the HIPAA exemption of required by law encompasses the Ohio Public Records Act); Op. Att'y Gen. No. 04018 (Neb. 2004) (concluding that HIPAA does not require the Nebraska Department of Health and Human Services Finance & Support to redact the cause of death in response to a request for public records because such information is required by law); Op. Att'y Gen. ORD 681 (Tex. 2004) (concluding that the required by law exemption of HIPAA allows entities to release certain health information pursuant to Texas law).