
686 S.E.2d 96 (2009)
ALVISTA HEALTHCARE CENTER, INC., et al.
v.
MILLER.
No. S09G1005.
Supreme Court of Georgia.
November 2, 2009.
*97 Arnall, Golden & Gregory, Glenn P. Hendrix, Jason E. Bring, Robert T. Strang III, William J. Rissler, Charles L. Gregory, Atlanta, for appellants.
Watkins, Lourie, Roll & Chance, Lance D. Lourie, Stephen Chance, Atlanta, for appellee.
CARLEY, Presiding Justice.
Mary Miller is the surviving spouse of Stanton Miller, who resided in a nursing care facility owned and operated by Alvista Healthcare Center, Inc. After he died intestate on March 19, 2006, Ms. Miller, who was investigating a potential wrongful death action, requested copies of his medical records from Alvista in January and March 2008. Those requests were denied on the ground that, under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the privacy regulations promulgated thereunder, the records could be released only to a permanent executor or administrator of Mr. Miller's estate, which was still unrepresented. On March 4, 2008, Ms. Miller brought this action against Alvista and related entities (Appellants), seeking a temporary restraining order and permanent injunction requiring release of the medical records, as well as a declaratory judgment that she is entitled to those records.
The trial court granted all requested relief, determining that, because OCGA § 31-33-2(a)(2)(B) specifically authorizes a surviving spouse to obtain access to her deceased spouse's medical records, Ms. Miller "has authority to act on behalf of a deceased individual or of the individual's estate" and, therefore, must be treated as a "personal representative" to whom protected health information may be disclosed. 45 C.F.R. § 164.502(g)(4). The Court of Appeals affirmed, holding that a surviving spouse who wishes to pursue an action for the decedent's wrongful death has authority to act on his behalf, as the measure of damages for wrongful death in Georgia is the full value of the decedent's life to him, rather than to the surviving spouse who brings the action. Alvista Healthcare Center v. Miller, 296 Ga. App. 133, 137(1), 673 S.E.2d 637 (2009). Having granted certiorari to review this ruling, we affirm the judgment of the Court of Appeals, but on a different basis. We hold that OCGA § 31-33-2(a)(2)(B) authorizes a surviving spouse to act on behalf of the decedent or his estate in obtaining medical records and, therefore, that the surviving spouse is entitled to access the decedent's protected health information in accordance with 45 C.F.R. § 164.502(g)(4).
HIPAA "authorized the Secretary of the Department of Health and Human Services to promulgate rules and regulations which would ensure the privacy of patients' medical information. 42 [U.S.C.] § 1320d-2(d)(2)(A)." Moreland v. Austin, 284 Ga. 730, 731, 670 S.E.2d 68 (2008). Those privacy regulations apply "'to the protected health information of a deceased individual.' 45 C.F.R. § 164.502(f). . . . In cases of a deceased individual, the covered entity must 'treat a personal representative as the individual.' 45 C.F.R. § 164.502(g)(1)." Estate of Broderick, 34 Kan.App.2d 695, 125 P.3d 564, 570 (2005).
If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual's estate, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation.
45 C.F.R. § 164.502(g)(4). This definition is a functional one and, therefore, the "applicable law" to which the regulation refers clearly is state law. See Daniel B. Evans, What Estate Lawyers Need to Know about HIPAA and "Protected Health Information", 18-AUG Prob. & Prop. 20, 22 (2004); Helen W. Gunnarsson, Are Statutory Health Care *98 POAs HIPAA-Compliant?, 92 Ill. B.J. 302, 303 (2004) ("'Applicable law' generally means state law, since that's what governs who may act on behalf of another."). Ms. Miller asserts that OCGA § 31-33-2(a)(2)(B) constitutes the "applicable law" which gives her "authority to act on behalf of [the] deceased individual or of the individual's estate."
Prior to 2006, OCGA § 31-33-2 did not expressly recognize the applicability of HIPAA, and it specified several different persons, any of whom could obtain a deceased patient's record. Ga. L. 2002, pp. 641, 642, § 2. In 2006, however, the General Assembly amended subsections (a) and (b) of the statute so as "to change certain provisions relating to furnishing a copy of records to patient, provider, or other authorized person" and "to provide for compliance with" HIPAA. Ga. L. 2006, p. 494. Thus, OCGA § 31-33-2(b)(1) now provides, in pertinent part, that any request for a deceased patient's medical records by a person authorized under subsection (a)(2) shall be accompanied by an authorization in compliance with HIPAA and its implementing regulations. Subsection (a)(2) requires a healthcare provider to furnish a copy of a deceased patient's record upon written request by
(A) The executor, administrator, or temporary administrator for the decedent's estate if such person has been appointed; (B) If an executor, administrator, or temporary administrator for the decedent's estate has not been appointed, by the surviving spouse; (C) If there is no surviving spouse, by any surviving child; and (D) If there is no surviving child, by any parent.
Thus, subsection (a)(2) establishes a definite order of priority with respect to who is authorized to obtain a deceased patient's medical records. The first priority, set forth in OCGA § 31-33-2(a)(2)(A), obviously is consistent with the specification in 45 C.F.R. § 164.502(g)(4) of an executor, administrator, or other person having authority to act on behalf of the decedent or his estate. OCGA § 31-33-2(a)(2)(B) applies only if an executor or administrator has not been appointed. The evident purpose of subsection (a)(2), when read in conjunction with subsection (b)(1), is to identify several persons, the executor or administrator being the first choice and the surviving spouse being the second, who have authority to submit an authorization in compliance with HIPAA and to obtain medical records on behalf of the decedent or his estate. Accordingly, we conclude that OCGA § 31-33-2(a)(2) constitutes the applicable state law to which 45 C.F.R. § 164.502(g)(4) refers and that subsection (a)(2)(B) necessarily implies that, when there is no executor or administrator, the surviving spouse is granted authority to act on behalf of the decedent or his estate with respect to requests for medical records.
45 C.F.R. § 164.502(g)(4) requires that "a covered entity" such as Alvista "treat such person" having authority to act on behalf of the decedent or his estate "as a personal representative . . . with respect to protected health information relevant to such personal representation." As the preceding discussion of OCGA § 31-33-2(a)(2) makes clear, that statute treats the surviving spouse as a personal representative in lieu of the executor or administrator with respect to requests for medical records. Subsection (a)(2)(B) of the statute establishes a limited personal representation in the surviving spouse for the express purpose of obtaining the decedent's medical records in compliance with HIPAA. The Georgia statute does not provide for personal representation by the surviving spouse for other purposes. However, the statute permits her to obtain all types of medical records, other than mental health records as excepted by OCGA § 31-33-4, and subject to the preservation in OCGA § 31-33-6 of the privileged or confidential nature of communications recognized in other laws. Therefore, OCGA § 31-33-2(a)(2) is carefully tailored to provide the authority contemplated by 45 C.F.R. § 164.502(g)(4). Except for mental health records and any records which remain privileged or confidential, all of the decedent's protected health information is relevant to the limited personal representation granted to a surviving spouse by OCGA § 31-33-2(a)(2)(B). Therefore, Ms. Miller, by qualifying for that limited personal representation and requesting medical records which she is authorized to request by virtue of such representation, has *99 met every requirement of 45 C.F.R. § 164.502(g)(4).
Contrary to the contention of the dissent, the federal regulation does not require that the person having authority to act on behalf of the decedent or his estate and requesting medical records must intend to make future use of those records in her fiduciary capacity as a personal representative. When the person having authority to act on behalf of the decedent or his estate makes a request for medical records which is within the scope of that authority, the very request constitutes an action in that person's capacity as a limited personal representative. Indeed, such request is the only action which can come within the limited personal representation established by OCGA § 31-33-2(a)(2) for the purpose of obtaining medical records. Once the medical records are obtained by a person authorized by state law to act on behalf of the decedent or his estate by requesting them, 45 C.F.R. § 164.502(g)(4) does not restrict the future use of those records. After obtaining the medical records, therefore, the surviving spouse may pursue a wrongful death claim, she may seek appointment as administrator in order to bring a survival action on behalf of the estate pursuant to OCGA § 51-4-5(b), she may do both, or she may do neither.
The logical result of the dissent's analysis is that a wrongful death complaint, together with any affidavit required by OCGA § 9-11-9.1, cannot be filed unless and until an estate has been opened, there has been an appointment of an executor or administrator who is willing to cooperate with the potential wrongful death claimant, and the executor or administrator has made a request for the decedent's medical records soon enough to prevent the action from being barred by the statute of limitations. However, nothing in either OCGA § 31-33-2(a)(2) or 45 C.F.R. § 164.502(g)(4) requires the appointment of an executor or administrator and what may be an otherwise unnecessary administration of an estate. To the contrary, both the Georgia statute and the federal regulation provide for a request by a person who is neither an executor nor an administrator. If the very statute tailored to comply with 45 C.F.R. § 164.502(g)(4) could not be considered to provide anyone other than an executor or administrator with authority to act on behalf of the decedent or his estate for the purpose of obtaining medical records, then that portion of the federal regulation which specifies "other person[s]" having authority to act on behalf of the deceased individual or his estate would be meaningless with respect to this state.
Appellants contend that 45 C.F.R. § 164.502(g)(4) preempts OCGA § 31-33-2(a)(2). However, HIPAA and the related regulations do not preempt any state law which provides more stringent requirements for the disclosure of protected health information. Moreland v. Austin, supra at 733, 670 S.E.2d 68; Allen v. Wright, 282 Ga. 9, 12(1), 14(2), 644 S.E.2d 814 (2007). 45 C.F.R. § 164.502(g)(4) permits an executor, administrator, or some other person authorized to act on behalf of the decedent or his estate to obtain protected health information. However, the person whom OCGA § 31-33-2(a)(2) allows to act on behalf of the deceased individual or his estate is only the executor or administrator if the estate is represented, and only the surviving spouse if one exists and the estate is unrepresented. Therefore, OCGA § 31-33-2(a)(2) is more stringent than, and thus is not preempted by, 45 C.F.R. § 164.502(g)(4). Compare Moreland v. Austin, supra; Allen v. Wright, supra at 12(1), 14(3), 644 S.E.2d 814.
Accordingly, we hold that, when OCGA § 31-33-2(a)(2)(B) is applicable, a surviving spouse has authority thereunder to act on behalf of the decedent or his estate by requesting his medical records and, thus, is entitled to access the decedent's protected health information pursuant to 45 C.F.R. § 164.502(g)(4). We further hold that the Court of Appeals correctly affirmed the trial court's entry of injunctive and declaratory relief. Contrary to Appellants' contention, the Court of Appeals did not hold that a trial court could circumvent HIPAA merely by entering an order compelling the production of medical records. The Court of Appeals clearly required that any such order must, as did the trial court's order here, "'compl[y] with HIPAA requirements for the disclosure *100 of such records.' [Cit.]" Alvista Healthcare Center v. Miller, supra at 138(2), 673 S.E.2d 637. The entry of the trial court's order was not erroneous on the ground that the constitutional right of privacy, as set forth in King v. State, 272 Ga. 788, 535 S.E.2d 492 (2000), required prior notice to the personal representative of the decedent's estate. That right of privacy generally does not survive the death of the patient and, to the extent that it does, its assertion is a matter for the relatives of the deceased. Martin Luther King, Jr., Center for Social Change v. American Heritage Products, 250 Ga. 135, 139(1), 296 S.E.2d 697 (1982). Furthermore, due to compliance with HIPAA regulations, the mandatory injunction did not place Appellants in danger of violating federal law, and the trial court was authorized to find the absence of any "adequate legal remedy, due to the impending expiration of the wrongful death statute of limitation." Alvista Healthcare Center v. Miller, supra at 138(3), 673 S.E.2d 637.
Judgment affirmed.
All the Justices concur, except MELTON, J., who dissents.
MELTON, Justice, dissenting.
Under the Health Insurance Portability and Accountability Act of 1986 (HIPAA) and its regulations, a covered entity may release the protected health information of a deceased individual to a requesting individual if three requirements are met: (1) under state law, the individual requesting the information is "an executor, administrator, or other person [who] has authority to act on behalf of a deceased individual or of the individual's estate"; (2) the executor, administrator, or other person is acting in this capacity on behalf of a deceased individual or his estate; and (3) the protected health information which is being requested is "relevant to such personal representation." 45 C.F.R. § 164.502(g)(4). In this case, irrespective of any raw authority Mary Miller might have to request the protected health information of her deceased husband under Georgia law, she was not acting on her husband's behalf when she made the request which is the subject of this litigation. To the contrary, she was acting on her own behalf in pursuit of a wrongful death claim, and her request for records was in no way relevant to any authority to act on behalf of her deceased husband. Accordingly, Miller's request did not satisfy the requirements of 45 C.F.R. § 164.502(g)(4), and I must respectfully dissent.
HIPAA was passed to guarantee the privacy of a patient's medical information. Moreland v. Austin, 284 Ga. 730, 731, 670 S.E.2d 68 (2008). To achieve this goal, HIPAA places strict limitations on both the persons who may request protected health information and the reasons for which requests may be made. These limitations are reflected in the three prerequisites necessary for a valid request for the protected health information of a decedent. First, under state law, the individual requesting a decedent's protected health information must be "an executor, administrator, or other person [who] has authority to act on behalf of a deceased individual or of the individual's estate." 45 C.F.R. § 164.502(g)(4). In other words, the person requesting the protected health information must be authorized by state law to act as a personal representative in a fiduciary capacity on behalf of the decedent or his estate. A fiduciary is a "person who is required to act for the benefit of another person on all matters within the scope of their relationship; one who owes to another the duties of good faith, trust, confidence, and candor." Black's Law Dictionary (8th ed. 2004).
Mere authorization to act is not sufficient, however. In addition to having authorization, an individual seeking the protected health information of a decedent must satisfy the second prerequisite of 45 C.F.R. § 164.502(g)(4) by making a request in the appropriate fiduciary capacity. In other words, the request for records must be made pursuant to an appropriate purpose which will benefit the decedent or his estate. This requirement is further emphasized by the final prerequisite that the request for protected health information must be relevant to the requesting individual's personal representation of the decedent or his estate. This means that the requested health information must have some appropriate connection to a duty of the requesting individual to act for *101 the benefit of the decedent or his estate. Therefore, even if a requesting party has the authority to act as a personal representative, he or she may not request health information for personal, non-fiduciary reasons. All of these prerequisites were enacted to ensure the privacy of records even after death.
Applying these prerequisites to the facts of this case, Miller has some authority under state law to request the health records of the decedent. OCGA § 31-33-2(a)(2)(B) allows a surviving spouse to request the health records of a decedent if no executor, administrator, or temporary administrator has been appointed. Accordingly, HIPAA's first prerequisite may be arguably satisfied. This bare authority, standing alone, does not satisfy the remaining two requirements of HIPAA, however. For her request for protected health information to be valid, Miller must have made her request in her capacity as a personal representative, and the requested documents must be relevant to the furtherance of her responsibilities as a personal representative.
It is undisputed that the basis for Miller's request was her desire to file a wrongful death action. Such an action is for the benefit of a decedent's survivors, not the decedent or his estate. See Lovett v. Garvin, 232 Ga. 747, 748, 208 S.E.2d 838 (1974) ("the gist of the action is not the injury suffered by the deceased, but the injury suffered by the beneficiaries, resulting from the death of the deceased"). See also Williams v. Ga. Dept. of Human Resources, 272 Ga. 624, 626, n. 14, 532 S.E.2d 401 (2000). Therefore, when Miller requested her deceased husband's protected health information, she did not do so in a representative capacity for the benefit of her deceased husband. Quite to the contrary, she requested the information as an individual wishing to pursue a wrongful death action for her own benefit. Moreover, her request for protected health information under these circumstances has no relevance to the furtherance of any personal representation of the decedent or his estate, an explicit and necessary requirement under federal law. As a result, the prerequisites of HIPAA have not been satisfied, and the Court of Appeals erred in finding that Miller's request for protected health information was proper.
To find otherwise, the majority opinion focuses only on the first prerequisite under HIPAA and fails to properly consider the other two. This deficiency is evident in the majority's holding, which states: "We hold that OCGA § 31-33-2(a)(2)(B) authorizes a surviving spouse to act on behalf of the decedent in obtaining medical records and, therefore, that the surviving spouse is entitled to access the decedent's protected health information in accordance with 45 C.F.R. § 164.502(g)(4)." As explained above, however, the mere authority to act on behalf of the decedent, standing alone, is insufficient to pierce the privacy guarantees of HIPAA. Authority to act must be combined with an appropriate fiduciary purpose, and the protected health information must be relevant to the completion of this fiduciary purpose. By failing to give full consideration to these additional requirements, the majority eliminates the more exacting privacy protections of a federal law with the less stringent requirements of a state law which does not require that the release of health care records of a deceased person be relevant to the personal representation of the deceased. The fundamental problem with the majority's analysis is that it interprets HIPAA as if it were concerned only with the identity of the person who requests protected health information without any consideration for the purpose or nature of the request. By status alone, a surviving spouse is allowed to access the protected health information of the decedent, irrespective of whether she intends to use that information for her own benefit. In fact, under the majority's analysis, it would be possible for a surviving spouse, who has been disinherited under a decedent's will, to immediately request health care records before an administrator or executor is appointed in order to raise a caveat. This would hardly qualify under any scenario as an act by a personal representative on behalf of the decedent. 
It is, in fact, the opposite extreme of a self-interested party acting against the interest of the decedent or his estate. In short, the majority misconstrues 45 C.F.R. § 164.502(g)(4) by effectively deleting the words "on behalf of" from its text and ignoring *102 the most basic meaning of the term "personal representative."
While 45 C.F.R. § 164.502(g)(4) restricts the field of persons qualified to request documents and the purposes for which such requests may be made, OCGA § 31-33-2 limits only the field of persons, not purposes. For this reason, the majority is also incorrect in its preemption analysis. 45 C.F.R. § 164.502(g)(4) is more stringent than OCGA § 31-33-2. Because HIPAA allows the release of protected health information for a much more limited purpose than OCGA § 31-33-2(a)(2), to the extent that there is any conflict, HIPAA preempts our state law. See Allen v. Wright, 282 Ga. 9(1), 644 S.E.2d 814 (2007).
Therefore, for all of the reasons set forth above, I believe that Miller's request for the protected health information of her deceased husband did not satisfy the requirements of HIPAA, and the Court of Appeals erred by finding otherwise.
