Skip to main content

MURPHY v. DULAY (2014)

Reset A A Font size: Print

United States Court of Appeals,Eleventh Circuit.

Glen MURPHY, Plaintiff–Appellee, v. Adolfo C. DULAY, Adolfo C. Dulay, M.D., P.A., State of Florida, Defendants–Appellants.

No. 13–14637.

Decided: October 10, 2014

Before HULL, MARCUS, and HILL, Circuit Judges. Robert S. Peck, Center for Constitutional Litigation, P.C., Washington, DC, Ralph Vinson Barrett, Jr., Eubanks & Barrett, Tallahassee, FL, David Marc Buckner, Brett Elliott Von Borke, Grossman Roth, PA, Coral Gables, FL, for Plaintiff–Appellee. Erik P. Bartenhagen, Mark Hicks, Hicks Porter Ebenfeld & Stein, PA, Miami, FL, Michael S. Hull, Hull Henricks, LLP, Austin, TX, Pam Bondi, Albert J. Bowden, III, Diane G. Dewolf, Allen C. Winsor, Attorney General's Office, Tallahassee, FL, for Defendants–Appellants.

This appeal involves a federal preemption challenge to a Florida statute requiring presuit actions by an individual plaintiff before he may bring a medical negligence claim in Florida state court. The district court held that one of those presuit requirements in Florida Statute § 766.1065—that the plaintiff execute a written authorization form for release of protected health information—is preempted by a federal statute, the Health Insurance Portability and Accountability Act (“HIPAA”), and its accompanying regulations, see 45 C.F.R. §§ 164.508, 164.512. That authorization form—required by § 766.1065 as a pre-condition to filing a medical negligence claim—allows the prospective defendant to obtain documents and conduct ex parte interviews of the prospective plaintiff's medical providers on matters pertinent to the medical negligence claim. Fla. Stat. § 766.1065.

After oral argument and careful review of the record and the parties' submissions, we conclude that the written authorization form, required by Florida statute § 766.1065, is fully compliant with the HIPAA statute and its regulations and the state and federal law are not in conflict. Accordingly, there is no federal preemption of § 766.1065, and the district court's entry of judgment in favor of the plaintiff is reversed.


In this declaratory judgment action, the facts are straightforward and not in dispute. Plaintiff-appellee Glen Murphy is a Florida resident who received medical treatment from defendant-appellant Dr. Adolfo C. Dulay. Murphy was not satisfied with Dr. Dulay's care and therefore contemplated suing the doctor in state court for medical negligence. As required by Florida law, Murphy retained experts who were ready to opine that Dr. Dulay's treatment of Murphy fell below the prevailing standard of care and injured Murphy. See Fla. Stat. § 766.203(2).

Murphy was ready to file his lawsuit but first had to comply with Florida's numerous presuit requirements. We review the presuit requirements in § 766.106 not challenged here in order to place the challenged statute, § 766.1065, in context.

II. FLA. STAT. § 766.106

Florida law requires a prospective plaintiff to give a 90–day notice of the “intent to initiate litigation for medical negligence .” See Fla. Stat. § 766.106(2)(a)-(3)(a). No suit may be filed for 90 days after notice is mailed. Id. § 766.106(3)(a). Along with this presuit notice, the plaintiff must provide “a verified written medical expert opinion from a medical expert” to corroborate his “reasonable grounds to initiate medical negligence litigation.” Id. § 766.203(2).

The presuit notice also must include: (1) a list, “if available,” of “all known health care providers” seen by the plaintiff “for the injuries complained of subsequent to the alleged act of negligence”; (2) a list, “if available,” of “all known health care providers” who treated or evaluated the plaintiff “during the 2–year period prior to the alleged act of negligence”; (3) copies of all medical records the plaintiff's experts relied upon in forming their opinions; and (4) an “executed authorization form” permitting the release of medical information. Id. § 766.106(2)(a).

Florida law imposes requirements on the prospective defendant as well. During the 90–day period, Florida law requires the defendant or his insurer to conduct a prompt investigation, review, and evaluation to determine the liability of the defendant. Id. § 766.106(3)(a). At or before the end of the 90–day period, Florida law requires the defendant or his insurer to provide the plaintiff with a response, rejecting the negligence claim, making a settlement offer, or offering to arbitrate. Id. § 766.106(3)(b). The purpose of this procedure is to encourage resolution of medical negligence actions without the expense and drawn out process of formal discovery.

The plaintiff's attorney has 30 days to advise his client regarding the defendant's response and the attorney's evaluation thereof. Id. § 766.106(3)(d).

This Florida statute includes some procedural safeguards for parties in this presuit-screening process. For example, the statute of limitations is tolled during the 90–day period as to all potential defendants. Id. § 766.106(4). No statements, discussions, documents, or reports generated in this presuit-screening process are discoverable or admissible in any civil action. Id. § 766.106(5). We now examine the Florida statute challenged here, which is § 766.1065.

III. FLA. STAT. § 766.1065

Section 766.1065 took effect on July 1, 2013. See 2013 Fla. Sess. Law Serv. Ch.2013–108, § 7 (S.B.1792) (West). Section 766.1065 governs all causes of action accruing before, on, or after that date. Id. § 6(1).

Section 766.1065 requires that an “authorization for release of protected health information” accompany the 90–day presuit notice required by § 766.106(2), and the authorization must be in the written form specified by § 766.1065. Fla. Stat. § 766.1065(1). The form authorizes “the disclosure of protected health information that is potentially relevant to the claim of personal injury or wrongful death.” Id. The presuit notice is void if the plaintiff does not provide the authorization form.1 Id.

Section 766.1065(3) includes the precise language that a valid, written authorization must contain. The Florida legislature expressed its intent to make the presuit authorization form consistent with HIPAA. Specifically, § 766.1065(3) mandates that the authorization “shall be construed in accordance with the ‘Standards for Privacy of Individually Identifiable Health Information’ in 45 C .F.R. parts 160 and 164”—HIPAA's Privacy Rule. Id. § 766.1065(3). In addition, the authorization must inform the plaintiff that signing the form “is not a condition for continued treatment, payment, enrollment, or eligibility for health plan benefits.” Id. § 766.1065(3)(H).

On the statutorily prescribed form, the plaintiff must include a list of all the names and addresses of “all health care providers” known who either: (1) “examined, evaluated, or treated the Patient in connection with injuries complained of after the alleged act of negligence,” or (2) “examined, evaluated, or treated the Patient during a period commencing 2 years before the incident” giving rise to the claim. Id. § 766.1065(3)(B). This authorization, however, does not apply to health care providers or information that the plaintiff certifies “is not potentially relevant” to the injury “that is the basis of the accompanying presuit notice.” Id. § 766.1065(3)(C). Accordingly, the plaintiff can exclude from the list of the treating health care providers whom the defendant may contact, those who have no information potentially relevant to the injury. For those providers who have no relevant information, the plaintiff must supply “the inclusive dates of examination, evaluation, or treatment to be withheld from disclosure.” Id.

The authorization form must expressly allow ex parte interviews, stating: “This authorization expressly allows the persons or class of persons listed ․ above to interview the health care providers listed ․ above, without the presence of the Patient or the Patient's attorney.” Id. § 766.1065(3)(E). Those “persons or class of persons” include the doctor defendant, his insurer, adjuster, experts or attorneys. Id. § 766.1065(3)(D)-(E). Thus, the doctor defendant's attorney would be able to interview ex parte the treating physician of a plaintiff .2 However, the statute does not require the treating provider to submit to a request for an interview. See id. § 766.106(6)(b)(5) (“This subparagraph does not require a claimant's treating health care provider to submit to a request for an interview.”).

The authorization form must provide that the authorization “expires upon resolution of the claim or at the conclusion of any litigation instituted in connection with the matter ․, whichever occurs first.” Id. § 766.1065(3)(F). Further, the authorization form must note that: (1) the plaintiff “has the right to revoke this authorization” but doing so renders the presuit notice retroactively void, and (2) the plaintiff “understands that signing this authorization is not a condition for continued treatment, payment, enrollment, or eligibility for health plan benefits.” Id. § 766.1065(3)(G)-(H).

Importantly, the last paragraph in the authorization form must warn the plaintiff “that information used or disclosed under this authorization may be subject to additional disclosure by the recipient and may not be protected by federal HIPAA privacy regulations.” Id. § 766.1065(3)(I). This paragraph is consistent with other provisions in which the plaintiff authorizes the defendant doctor, his insurer, his attorney, and his consulting expert to share information among themselves for the limited purposes set forth above.


Murphy feared that signing the requisite authorization form would allow ex parte interviews about his health care and would result in an invasion of privacy. Murphy testified that his decision to sue Dr. Dulay in state court depended in part on whether he must submit such authorization form allowing ex parte interviews of his health care providers.

To determine whether compliance was necessary, Murphy filed a complaint against Dr. Dulay in federal district court seeking “a declaration that the presuit authorization of ex parte communications with his physicians and other health-care providers and the scope of information authorized for release ․ violates his federal rights under [HIPAA].”3 Murphy's complaint contended that: (1) HIPAA's Privacy Rule protects “personal health and medical information from uses not related to medical and health care”; (2) Florida's § 766.1065 “authorizes procedures at variance from, and in derogation of, what is authorized by federal law” under the Supremacy Clause; and (3) therefore, “HIPAA expressly preempts these contrary procedures.”

The complaint requested: (1) a declaratory judgment that HIPAA preempted § 766.1065's presuit authorization requirement and (2) an injunction against forced compliance with § 766.1065 in the event Murphy sued Dr. Dulay.

The State of Florida intervened to defend the Florida statute. Both Dr. Dulay and the State filed motions to dismiss.

After oral argument, the district court granted Murphy's request for declaratory and injunctive relief and denied Dr. Dulay's and the State's motions to dismiss. The district court found that Murphy had retained experts already and his decision to give presuit notice depended on whether he had to authorize ex parte interviews. The district court also found that Dr. Dulay and his representatives wanted to conduct the ex parte interviews allowed by § 766.1065.

The district court held that “consent given only in an authorization that is required by Florida law as a presuit condition is not voluntary.” Because the § 766.1065 authorization form was not voluntary, the district court concluded that § 766.1065 would result in disclosure of Murphy's HIPAA-protected health information without his consent and without other safeguards in HIPAA and its regulations. Thus, § 766.1065 was contrary to the HIPAA provisions and preempted. The district court enjoined Dr. Dulay from obtaining any of Murphy's health information through ex parte interviews, unless Dr. Dulay complied with HIPAA or Murphy voluntarily consented outside the Florida statutory scheme.4

Dr. Dulay and the State timely appealed.


We review de novo the district court's decision that a federal law preempts a state statute. See Pace v. CSX Transp., Inc ., 613 F.3d 1066, 1068 (11th Cir.2010); Conn. State Dental Ass'n v. Anthem Health Plans, Inc., 591 F.3d 1337, 1343 (11th Cir.2009).


Our preemption analysis must begin with “the bedrock principle that the Constitution designates the laws of the United States as the supreme law of the land, requiring that ‘all conflicting state provisions be without effect.’ “ OPIS Mgmt. Res., LLC v. Sec'y, Fla. Agency for Health Care Admin., 713 F.3d 1291, 1294 (11th Cir.2013) (quoting Maryland v. Louisiana, 451 U.S. 725, 746, 101 S.Ct. 2114, 2128–29 (1981)); see U.S. Const. art. VI, cl. 2 (“This Constitution, and the Laws of the United States which shall be made in Pursuance thereof ․ shall be the supreme Law of the Land․”); Altria Grp., Inc. v. Good, 555 U.S. 70, 76, 129 S.Ct. 538, 543 (2008) (“[W]e have long recognized that state laws that conflict with federal law are without effect.” (quotation marks omitted)).

A state law conflicts with federal law when it is “impossible for a private party to comply with both state and federal requirements.” PLIVA, Inc. v. Mensing, 564 U.S. ––––, ––––, 131 S.Ct. 2567, 2577 (2011) (quotation marks omitted). “ ‘Pre-emption may result not only from action taken by Congress itself; a federal agency acting within the scope of its congressionally delegated authority may pre-empt state regulation.’ “ Cliff v. Payco Gen. Am. Credits, Inc., 363 F.3d 1113, 1126 n. 9 (11th Cir.2004) (quoting La. Pub. Serv. Comm'n v. F.C.C., 476 U.S. 355, 369, 106 S.Ct. 1890, 1898–99 (1986)).

One circumstance in which preemption occurs is “where a federal statute contains ‘explicit preemptive language,’ “ known as “express preemption.” This That & Other Gift & Tobacco, Inc. v. Cobb Cnty., Ga., 285 F.3d 1319, 1322 (11th Cir.2002) (quoting Wisc. Pub. Intervenor v. Mortier, 501 U.S. 597, 604–05, 111 S.Ct. 2476, 2481–82 (1991)). As outlined below, both the HIPAA statute and its regulations use preemptive language and plaintiff Murphy, as did the district court, relies on only express preemption here.

When determining whether a federal statute's preemption clause expressly preempts state law, “we focus on the plain wording of the clause,” which necessarily contains “the best evidence of Congress' preemptive intent.” OPIS Mgmt., 713 F.3d at 1294 (quoting Chamber of Commerce of U.S. v. Whiting, 563 U.S. ––––, ––––, 131 S.Ct. 1968, 1977 (2011)). If Congress's intent is clear, “courts should not strain to find ways to reconcile federal law with seemingly conflicting state law.” PLIVA, Inc., 131 S.Ct. at 2580. “[A] court need look no further than ‘the ordinary meaning’ of federal law, and should not distort federal law to accommodate conflicting state law.” Id. (quotation marks and alteration omitted).

In areas traditionally regulated by the states, however, there is a presumption against preemption. Medtronic, Inc. v. Lohr, 518 U .S. 470, 485, 116 S.Ct. 2240, 2250 (1996). This presumption applies not only to whether Congress intends preemption but also to “the scope of its intended invalidation of state law.” Id. This “approach is consistent with both federalism concerns and the historic primacy of state regulation of matters of health and safety .” Id. If the terms of the federal statute can be read sensibly not to preempt state law, the presumption controls. Fla. E. Coast Ry. Co. v. City of W. Palm Beach, 266 F.3d 1324, 1328 (11th Cir.2001). Accordingly, if the federal preemption clause is susceptible to multiple plausible interpretations, we ordinarily should “accept the reading that disfavors pre-emption.” OPIS Mgmt., 713 F.3d at 1294 (quotation marks omitted); see Altria Grp., 555 U.S. at 77, 129 S.Ct. at 543 (stating “when the text of a preemption clause is susceptible of more than one plausible reading, courts ordinarily ‘accept the reading that disfavors pre-emption’ ”).


Both the HIPAA statute and its regulations contain express preemption provisions. The HIPAA statute itself provides that HIPAA requirements “shall supersede any contrary provision of State law.” 42 U.S.C. § 1320d–7(a)(1). More fully, the HIPAA statute provides that, subject to exceptions not at issue here, “a provision or requirement under [HIPAA], or a standard or implementation specification adopted or established under sections 1320d–1 through 1320d–3 of [HIPAA], shall supersede any contrary provision of State law.” Id.

The HIPAA statute also allows the Secretary of Health and Human Services to “promulgate such regulations as may be necessary or appropriate to carry out the provisions of [HIPAA].” Id. § 300gg–92; see id. §§ 1320d–1, 1320d–2 & 1320d–3 (setting forth requirements governing the Secretary's adoption of standards under HIPAA). “One of Congress's objectives in enacting HIPAA was to address concerns about the confidentiality of patients' individually identifiable health information.” OPIS Mgmt., 713 F.3d at 1294. Accordingly, Congress specifically authorized the Secretary “to promulgate privacy regulations addressing individuals' rights to individually identifiable health information, procedures for exercising such rights, and the uses and disclosures of such information.” Id. at 1295. In turn, the Secretary promulgated comprehensive privacy and disclosure regulations spanning hundreds of pages. See 45 C.F.R. pts. 160 & 164.

Echoing the HIPAA statute, the HIPAA regulations also state that a HIPAA requirement “that is contrary to a provision of state law preempts the provision of state law,” subject to exceptions not at issue here. 45 C.F.R. § 160.203.5 The Secretary also enacted a regulation to define further what is meant by “contrary” to state law. The Secretary's regulation states that a state law is contrary to HIPAA if: (1) “[a] covered entity ․ would find it impossible to comply with both the State and Federal requirements”; or (2) “[t]he provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of [HIPAA], as applicable.” 45 C.F.R. § 160.202(1)-(2) (emphasis added).

Dr. Dulay and the State do not contend (1) that the HIPAA regulations relevant to this case—the privacy and disclosure regulations in parts 160 and 164—exceed the scope of the Secretary's delegated authority, or (2) that the Florida legislature could permissibly enact a statute contrary to those HIPAA regulations. Rather, they argue that § 766.1065 is consistent with both the HIPAA statute and the HIPAA regulations. Thus, we outline the relevant HIPAA regulations and then analyze whether § 766.1065 is contrary to them.


The HIPAA regulations generally prohibit covered entities from using or disclosing “protected health information.” 45 C.F.R. § 164.508(a)(1); see id. § 164.502(a) (“A covered entity ․ may not use or disclose protected health information, except as permitted or required by [these regulations].”); id. § 164.512 (enumerating exceptions). Only health plans, health care clearinghouses, and certain health care providers are “covered entities” under the HIPAA regulations. Id. § 160.102(a).

The regulations, however, permit covered entities to disclose protected health information when certain requirements are met, two of which are pertinent here.6 First, disclosure may be made through the judicial process. Id. § 164.512(e). Second, disclosure is permitted if an individual expressly authorizes release of his or her medical information in a valid authorization form. See id. § 164.502(a)(1)(iv) (allowing covered entities to disclose protected health information “pursuant to and in compliance with a valid authorization”); id. § 164.508 (“Except as otherwise permitted ․ by [HIPAA], a covered entity may not use or disclose protected health information without an authorization that is valid․”). We discuss each permitted disclosure avenue in turn.

A. Disclosure by Judicial Process

Section 164.512 provides that “[a] covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508 ․ in the situations covered by this section․” Id. § 164.512. One of the twelve situations covered in § 164.512 are “[d]isclosures for judicial and administrative proceedings.” Id. § 164.512(e).7 More precisely, even without a written authorization, “[a] covered entity may disclose protected health information in the course of any judicial or administrative proceeding.” Id. § 164.512(e)(1). But certain procedures must be followed. Information may be released only in response to: (1) an “order of a court or administrative tribunal,” or (2) a “subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal,” when certain conditions are met. Id. § 164.512(e)(1)(i)-(ii).

For the latter, information may be disclosed only if the covered entity receives satisfactory assurance from the party seeking the information that reasonable efforts have been made to either (1) ensure that the individual whose information is to be shared has been given notice of the request, or (2) secure a qualified protective order. Id. § 164.512(e)(1)(ii).

The HIPAA regulations state additional requirements for each of these processes to be valid. For example, to establish that reasonable efforts have been made to give notice, the party requesting information must show by written documentation that it has made a “good faith attempt to provide written notice,” that such notice included sufficient information about the litigation to permit the individual to raise an objection to the court, that the time for the individual to raise objections to the court has elapsed, and that either no objections were filed or all objections filed have been resolved by the court. Id. § 164.512(e)(1)(iii). If instead the party seeks to proceed by protective order, it must show that the parties to the dispute have agreed to a qualified protective order and presented it to the court, or that the party seeking the protected health information has requested a qualified protective order from the court. Id. § 164.512(e)(1)(iv).8

Importantly for this case, § 164.512(e) provides an alternative avenue for disclosure without a written authorization and does not replace or narrow the provisions permitting disclosure by written authorization alone, which are discussed below.

B. Disclosure by Express Authorization

Disclosure of protected health information is also permissible when a person signs a valid written authorization. Id. § 164.508. A valid authorization, alone, is sufficient to permit disclosure in compliance with HIPAA, so long as “such use or disclosure [is] consistent with such authorization.” Id.

The HIPAA regulations specify that, to be valid, an authorization must contain these elements: (1) “[a] description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion”; (2) “[t]he name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure”; (3) “[t]he name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure”; (4) “[a] description of each purpose of the requested use or disclosure”; (5) “[a]n expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure”; and (6) the “[s]ignature of the individual and date.” Id. § 164.508(c)(1)(i)-(vi).

Further, “the authorization must contain statements adequate to place the individual on notice of all of the following:” (1) the individual's “right to revoke,” the exceptions to the right to revoke, and “a description of how the individual may revoke”; (2) that a covered entity “may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization,” subject to narrow exceptions; and (3) “the potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by [HIPAA].” Id. § 164.508(c)(2), (b)(4).

In short, the HIPAA regulations mandate that an authorization contain many different elements in order to be a valid authorization. The authorization form required by § 766.1065 must have those same HIPAA elements to be valid too.

The HIPAA regulations also set forth circumstances when a written authorization is invalid, specifically: (1) “[t]he expiration date has passed or the expiration event is known by the covered entity to have occurred”; (2) “[t]he authorization has not been filled out completely, with respect to [each element required]”; (3) “[t]he authorization is known by the covered entity to have been revoked”; (4) the authorization is a compound authorization or is a condition for receiving treatment (and neither exception is applicable); or (5) “[a]ny material information in the authorization is known ․ to be false.” Id. § 164.508(b)(2).

The HIPAA regulations explain that a “compound authorization,” subject to exceptions not at issue here, is an authorization for the disclosure of protected health information that is “combined with any other document to create a compound authorization.” Id. § 164.508(b)(3). The Secretary gave this example of a compound authorization: an authorization for the use or disclosure of protected health information “may be combined with an informed consent to receive treatment, [or] a consent to assign payment of benefits to a provider.” Standards for Privacy of Individually Identifiable Health Information, 65 Fed.Reg. 82,462, 82,511 (Dec. 28, 2000).

Further, as part of a larger modification of the HIPAA regulations, the Secretary stated that a compound authorization is created when “an authorization for the use and disclosure of protected health information is combined with any other legal permission.” Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, 78 Fed.Reg. 5565, 5609 (Jan. 25, 2013). Citing the fact that the use of multiple authorization forms has confused patients, the Secretary permitted the use of compound authorization forms under certain circumstances. Id. at 5609–11. The Secretary's statements elucidate the HIPAA regulations' circular definition of “compound authorization,” clarifying that the regulation prohibits the combination of an authorization with another “legal permission”—such as a consent to treatment or consent to assign payment—not its combination with literally “any other document.”

The exceptions to the compound authorization prohibition also inform this conclusion. See 45 C.F.R. § 164.508(b)(3)(i)-(iii). The first exception permits an authorization for disclosure of health information for a research study to be combined with another authorization for the same or another study. Id. § 164.508(b)(3)(i). The second exception authorizes a compound authorization for the use or disclosure of psychotherapy notes. Id . § 164.508(b)(3)(ii). The third exception allows an authorization—other than an authorization for use or disclosure of psychotherapy notes—to be combined with any other such authorization, unless the covered entity has conditioned treatment or enrollment in a health care plan on the provision of an authorization. Id. § 164.508(b)(3)(iii). Notably, each exception discusses an authorization combined with another authorization—not an authorization combined with a wholly different type of document, such as a presuit notice.


The HIPAA regulations prohibit only the conditioning of medical treatment or health care benefits on the execution of a HIPAA authorization. See 45 C.F.R. § 164.508(b)(4) (“A covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization[.]”). Even that limited prohibition has rather broad exceptions.

A covered entity may condition medical treatment on the signing of an authorization when: (1) the treatment is research-related and the information to be disclosed is to be used in the research; (2) a health plan conditions enrollment in the health plan or eligibility for benefits on the signing of an authorization if the authorization is necessary for the health plan's underwriting or risk rating determinations and the authorization is not for the disclosure of psychotherapy notes; or (3) “the provision of health care ․ is solely for the purpose of creating protected health information for disclosure to a third party,” when the authorization permits disclosure to that third party. Id. § 164.508(b)(4)(i)-(iii).

In responding to issues raised by public comments, the Secretary has interpreted the HIPAA regulations to allow other benefits to be conditioned on the signing of a HIPAA authorization. See 65 Fed.Reg. at 82,658. The Secretary considered suggestions that it “prohibit the provision of anything of value” from being conditioned on an authorization for disclosure of protected information. Id. After such consideration, the Secretary acknowledged that, due to its limited authority, it “cannot entirely prevent individuals from being coerced into signing these [authorization] forms.” Id. The Secretary added that “[w]e do not, for example, have the authority to prohibit an employer from requiring its employees to sign an authorization as a condition of employment.” Id. Similarly, the Secretary said “a program such as the Job Corps may make such an authorization a condition of enrollment in the Job Corps program.” Id.

In that same comment section, the Secretary also recognized that many states require state Medicaid agencies to obtain, for payment purposes, an individual's HIPAA authorization as a condition of enrolling an individual as a Medicaid recipient. “If state law requires a Medicaid agency to obtain the individual's authorization for providers to disclose protected health information to the Medicaid agency for payment purposes, the agency may do so under § 164.508(e). This authorization must not be a condition of enrollment or eligibility, but may be a condition of payment of a claim for specified benefits if the disclosure is necessary to determine payment of the claim.” Id. State law may thus require a Medicaid agency to condition payment of a claim for benefits on an individual's signing an authorization if the disclosure of protected health information is necessary to determine payment. See id.


With this background, we examine whether § 766.1065 is contrary to HIPAA and its regulations.

A. § 766.1065 Authorizations Meet HIPAA's Requirements

The HIPAA regulations expressly allow the release of protected health information upon the signing of a valid authorization. Our first task is to determine whether the presuit authorization form required by § 766.1065 meets the HIPAA requirements for a valid, written authorization.

As outlined above, the HIPAA regulations include explicit details about what an authorization must contain to be valid under HIPAA. In turn, the Florida statute, in § 766.1065, provides the precise form that a presuit authorization must take, ensuring that the form meets each of the required elements set forth in the HIPAA regulations. To the extent that there remains any ambiguity, § 766.1065 explicitly states that presuit authorizations “shall be construed in accordance with the [HIPAA requirements].” Fla. Stat. § 766.1065(3). Thus, the plain text of § 766.1065 makes clear that it requires presuit authorizations to meet HIPAA's requirements.

Murphy argues that the § 766.1065 authorization fails to satisfy HIPAA's required elements for four reasons, each of which lacks merit.

First, Murphy views the authorizations required by § 766.1065 as irrevocable and, therefore, in conflict with the HIPAA regulations' requirement that an authorization be revocable. See 45 C.F.R. § 164.508(b)(5). This is not so. Subsection (2) of § 766.1065 plainly contemplates a plaintiff's ability to revoke the required authorization. See Fla. Stat. § 766.1065(2) ( “If the authorization required by this section is revoked․”). Further, subsection (3) explicitly requires that the authorization include the phrase “the Patient has the right to revoke this authorization in writing.” Id. § 766.1065(G). There is a consequence for revocation, though—that the presuit notice is deemed retroactively void. As a result, and if too much time passes, a plaintiff's medical negligence claim may be barred by the statute of limitations. See id. § 766.1065(2). But, the HIPAA regulations do not require that a person be able to revoke an authorization free of any consequences; they just require that an authorization be revocable. The Florida statute requires the same.

Second, Murphy argues that § 766.1065 authorizations are non-HIPAA compliant because they require a plaintiff to list health care providers to whom the presuit authorization does not apply, as well as those to whom it applies. He contends that requiring a plaintiff to disclose other health care providers who do not have information about the plaintiff's medical negligence claim “cannot serve a legitimate purpose.” We disagree. Requiring a plaintiff to name health care providers whom a defendant may not contact for information does serve a legitimate purpose—it protects a plaintiff's privacy by resolving any ambiguity about which providers a defendant may not contact. Furthermore, the HIPAA regulations do not require that the scope of an authorization be commensurate to a specific, legitimate purpose. Under HIPAA an individual may disclose his entire medical history for any purpose. It is no defect, therefore, that the Florida presuit authorization permits disclosure of some information that may be irrelevant to the plaintiff's medical negligence claim.

Third, Murphy contends that the authorizations required by § 766.1065 do not meet the HIPAA regulations' specificity requirement. See 45 C.F.R. § 164.508(c)(1)(i). To meet the specificity requirement, an “authorization must include a description of the information to be used or disclosed, with sufficient specificity to allow the covered entity to know which information the authorization references.” 65 Fed.Reg. at 82,517. Importantly, “[t]here are no limitations on the information that can be authorized for disclosure,” and an individual may authorize a health care provider to release all of his medical records. Id. Here, the authorization form in § 766.1065 specifically authorizes the release of health information held by health care providers that the plaintiff identifies, including those who have examined, evaluated, or treated him (or who will do so) in connection with the complained-of injury; and those who have examined, evaluated, or treated him two years prior to the injury. Fla. Stat. § 766.1065(3)(B). Murphy may not like the breadth of the authorization required by § 766.1065, but the HIPAA regulations do not require that authorizations be narrow, simply that they be specific.

And in accordance with HIPAA's requirement that a valid authorization form include “[a] description of each purpose of the requested use or disclosure,” 45 C.F.R. § 164.508(c)(1)(iv), § 766.1065's authorization form states that disclosure is authorized for the following “specific purposes”: (1) “[f]acilitating the investigation and evaluation” of the claim; (2) “[d]efending against any litigation arising out of” the claim; or (3) “[o]btaining legal advice or representation arising out of” the claim. Fla. Stat. § 766.1065(3)(A).

The form's limitation on how disclosed information may be used, however, does not alter the form's clear description of which information may be turned over. Section 766.1065's authorization form is clear that all information in the listed doctors' possession, both verbal and written, is subject to disclosure. The form is also clear that disclosed information may be used only to investigate and defend the medical negligence claim. Doctors will have no difficulty discerning the obvious purpose of a defendant's request when presented with a signed authorization. Therefore, § 766 .1065's authorization form fully satisfies HIPAA's requirement that the information permitted for disclosure be identified “in a specific and meaningful fashion.” 45 C.F.R. § 164.508(c)(1)(i).

Fourth, Murphy argues that § 766.1065 requires a prohibited compound authorization. See 45 C.F.R. § 164.508(b)(3). He reasons that a compound authorization is an authorization combined “with any other document” and that § 766.1065 requires an authorization combined with a 90–day presuit notice. However, as explained above, a compound authorization is created when “an authorization for the use and disclosure of protected health information is combined with any other legal permission.” 78 Fed.Reg. at 5609. The presuit notice is not a legal permission, much less a consent to treatment or consent to assign payment. The presuit notice is merely a condition precedent for filing a medical negligence suit in Florida state court. The fact that the presuit notice document and the authorization form are submitted together does not alter our analysis. Accordingly, the fact that the authorization must be sent out with the presuit notice does not create an impermissible compound authorization.

In summary, after reviewing the HIPAA regulations, we conclude that the authorization form required in § 766.1065 complies with HIPAA. Indeed, § 766.1065 expressly requires that an individual execute a HIPAA-compliant authorization before bringing a medical negligence claim. The Florida law requires only that a prospective plaintiff act in accordance with a federal provision, exactly as contemplated by Congress and the Secretary who promulgated the regulations, before filing a medical negligence complaint in state court. Conditioning the use of the state courts on compliance with a federal provision (HIPAA) does not conflict with that federal provision (HIPAA).

Because § 766.1065 is consistent with HIPAA's requirements for disclosure by written authorization, it is also irrelevant whether § 766.1065 calls for procedures that satisfy the requirements of another HIPAA disclosure exception—including the exception for disclosure by judicial process. See 45 C.F.R. § 164.512(e)(1)(i)-(ii). Clearly, § 766.1065 does not provide the same privacy safeguards as those called for in the judicial-process exception. But when an individual executes a valid HIPAA authorization, he waives all HIPAA protection as to the health information covered by the authorization, including the protections against litigation-related disclosures. See 45 C.F.R. § 164.512 (noting that additional privacy safeguards apply only where a covered entity seeks to “use or disclose protected health information without the written authorization of the individual” (emphasis added)). Accordingly, no other HIPAA exception for disclosure needs to be satisfied once an individual signs a valid written authorization.

B. Mandatory Nature of § 766.1065

Because § 766.1065's authorization form meets HIPAA's required elements to be a valid authorization, Murphy is left to focus on the mandatory nature of § 766.1065. Because § 766.1065 requires HIPAA authorizations as a mandatory pre-condition to filing a medical negligence claim in Florida court, Murphy argues individuals are being coerced by the State of Florida to sign them. Murphy contends that HIPAA requires all authorizations be signed voluntarily to be valid, and thus § 766.1065 violates HIPAA. We disagree for several reasons.

First, there is no explicit voluntariness requirement in the HIPAA statute or its regulations. Rather, the HIPAA regulations contemplate that HIPAA authorizations may be based on conditions. In fact, the comprehensive regulations prohibit only conditioning medical treatment or health care benefits on execution of an authorization.9 Notably, HIPAA does not state that any other types of conditions are invalid. Additionally, the regulations' explicit prohibition on only conditioning treatment or benefits on executing a HIPAA authorization implies that there are no implicit prohibitions on requiring HIPAA authorizations in other circumstances. See Fla. Right to Life, Inc. v. Lamar, 273 F.3d 1318, 1327 (11th Cir.2001) (applying the canon of expressio unius est exclusio alterius—“under which ‘the expression of one thing implies the exclusion of another’ “—to conclude that explicit statutory exceptions “imply the exclusion of all other possible exceptions” (citation omitted)).

Even the regulations' sole prohibition is not absolute, allowing some covered entities to condition the provision of medical treatment or other services on signing an authorization. 45 C.F.R. § 164.508(b)(4)(i)-(iii). Had the drafters of the HIPAA regulations wished to preclude a state legislature from conditioning a public benefit—such as filing a lawsuit—on signing a HIPAA authorization, they could have easily done so, just as they generally prohibited doctors from conditioning medical treatment on signing a HIPAA authorization. The regulations do not do so, and we must give effect to the regulations' silence. See id.

Second, Murphy, and others like him, voluntarily choose to seek redress for grievances through Florida's judicial system. By enacting § 766.1065, the State conditioned an individual's ability to use a state-provided resource to advance medical negligence claims—the state judicial system—upon that individual's executing a limited HIPAA authorization in a form that complies with HIPAA's requirements. An individual retains the choice whether to file suit, and therefore whether to sign the authorization form.

Third, both times a statute like Florida's has been challenged on the basis of HIPAA preemption and the authorization being involuntary, courts have upheld it.10 In 2009, the Texas Supreme Court upheld that state's similar statute. See In re Collins, 286 S.W.3d 911 (Tex.2009). That court began its analysis by noting that “HIPAA itself allows the disclosure of protected health information if the patient has executed a valid, written authorization conforming to the requirements of 45 C.F.R. § 164.508(c).” Id. at 920. Rejecting the plaintiffs' argument that the presuit authorization they signed was invalid because it was involuntary, the court held “while it is true that the [plaintiffs] could not have proceeded with their suit if [one of the plaintiffs] had not executed the authorization, it was their choice to file the suit in the first instance.” Id.

We note that, while portions of the HIPAA regulations governing privacy and disclosure of protected information have been amended several times after the Texas Supreme Court's 2009 decision in Collins, the amendments have not changed the circumstances under which HIPAA authorizations may be based on conditions. See Breach Notification for Unsecured Protected Health Information, 74 Fed.Reg. 42,740, 42,767–70 (Aug. 24, 2009); Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, 78 Fed.Reg. 5566, 5692–5702 (Jan. 25, 2013); see also OPIS Mgmt., 713 F.3d at 1293 n. 2; cf. Phillip C. v. Jefferson Cnty. Bd. of Educ., 701 F.3d 691, 696–97 (11th Cir.2012) (“Congress is presumed to be aware of [a] ․ judicial interpretation of a statute and to adopt that interpretation when it re-enacts a statute without change.” (quotation marks omitted)).

Six years later, in 2013, the Tennessee Supreme Court reached the same conclusion regarding Tennessee's similar statute. See Stevens ex rel. Stevens v. Hickman Comm. Health Care Servs., Inc., 418 S.W.3d 547 (Tenn.2013). Echoing the Texas Supreme Court, that court held that “although [the Tennessee statute] requires that a plaintiff complete a HIPAA authorization as a pre-condition of filing suit, a plaintiff's decision whether to file suit is still a voluntary one.” Id. at 557.11

Fourth, Florida's § 766.1065 statute is not preempted even if we accept Murphy's argument that HIPAA contains an implicit requirement of voluntariness. As outlined above, the HIPAA regulations set forth numerous core elements that must be in an authorization form in order for that authorization to be valid. See 45 C.F.R. § 164.508. These elements help ensure that individuals make a knowing and informed decision about what they are signing and to what extent they are authorizing the release of protected health information about them. In that sense, the Secretary is attempting to assure that an individual is making an informed and thus voluntary decision. See, e.g., 65 Fed.Reg. at 82,657 (“We intend the authorizations required under this rule to be voluntary for individuals, and, therefore, they need to be separate from other forms of consent that may be a condition of treatment or payment or that may otherwise be coerced.”); id. at 82,658 (stating that the right to revoke authorization at any time “is essential to ensuring that the authorization is voluntary”); id. at 82,659 (“We have attempted to create authorization requirements that make the individual's decisions as clear and voluntary as possible.”).

At the same time, the Secretary acknowledges that some coercion is allowed by expressly permitting Medicaid benefits, financial incentives, and even employment to be conditioned on the execution of a HIPAA authorization. We do not find the condition imposed by § 766.1065 to be categorically different from the other conditions and incentives permitted under HIPAA. We cannot say that requiring a HIPAA authorization as a condition of suing a health care provider for medical negligence in state court is more coercive than requiring one as a condition of employment or Medicaid-benefit payments, which HIPAA permits. The Florida law does not rise to the level of duress that might somehow invalidate an otherwise valid authorization.

At a minimum, absent clear intent in the HIPAA regulations to prohibit conditioning the filing of a medical negligence action on executing a valid authorization, we must observe the strong presumption against preemption in areas traditionally regulated by the states. See Medtronic, Inc., 518 U.S. at 485, 116 S.Ct. at 2250.

C. § 766.1065 is “Not Contrary” to HIPAA

In light of our above analysis, we conclude that Murphy has not shown § 766.1065 is contrary to HIPAA.12

First, it is patently clear that § 766.1065 does not make it “impossible” for a covered entity, as defined by the HIPAA regulations, “to comply” with both HIPAA and state law. See 45 C.F.R. § 160.202(1). Section 766.1065 requires the authorization form to comply with HIPAA's requirements. Once a plaintiff executes a valid HIPAA authorization as part of his presuit obligations, his physician can, consistent with HIPAA, convey relevant health information about the plaintiff to the defendant. A medical provider can simultaneously comply with state and federal requirements.

Second, § 766.1065 does not stand “as an obstacle” to fulfilling “the full purposes and objectives” of HIPAA. See 45 C.F.R. § 160.202(2). One of HIPAA's stated objectives is “reducing the administrative costs of providing and paying for health care.” 42 U.S.C. § 1320d–1(b). Likewise, § 766.1065, by allowing health care providers to investigate and potentially settle claims before litigation commences, serves to reduce the overall cost that medical negligence litigation places on Florida's health care system. The Florida law, like HIPAA, attempts to strike a balance between privacy protection and the efficient resolution of medical negligence claims.

Accepting arguendo that one of HIPAA's goals is to ensure that waivers of privacy protections are made knowingly and voluntarily, the Florida statute does not interfere with that goal. The HIPAA regulations allow authorizations to be based on conditions—such as employment, Medicaid benefits, and other incentives—and prohibit only one type of condition. Even that condition is not absolute but has exceptions. Further, an individual's decision to sign an authorization prior to bringing a medical negligence claim in state court is not an involuntary one. If an individual does not wish to execute such an authorization, he does not have to. He is, however, precluded from using the Florida courts to obtain relief through a medical negligence lawsuit against a health care provider.


For the foregoing reasons, we vacate the district court's declaratory judgment order in favor of plaintiff Murphy, as well as the district court's injunction against the enforcement of Fla. Stat. § 766.1065. We remand for the district court to enter final judgment in favor of the defendants on Murphy's federal preemption claim.



1.  If, after giving the authorization, a plaintiff revokes the authorization, the presuit notice “is deemed retroactively void from the date of issuance.” Id. § 766.1065(2).

2.  Section 766.106(6)(b)(5) provides that when the doctor defendant gives notice of his intent to conduct an ex parte interview, the plaintiff's attorney must arrange the interview within 15 days after the request is made. For subsequent interviews, the defendant must notify the plaintiff only 72 hours before the subsequent interview. And if the plaintiff fails to arrange an interview, the defendant may attempt to conduct an interview “without further notice” to the plaintiff. The fact remains, however, that the treating provider is not required to consent to a request for an interview.Further, if a defendant takes an unsworn statement from one of the plaintiff's treating providers, “[r]easonable notice and opportunity to be heard” must be given to the plaintiff, and the plaintiff “has the right to attend the taking of such unsworn statements.” Id. § 766.106(6)(b)(6).

3.  The complaint also named as a defendant “Adolfo C. Dulay, M.D., P.A.,” the entity through which Dr. Dulay practices medicine. For ease of reference, we refer to these two defendants collectively as “Dr. Dulay.”

4.  In the district court, the State and Dr. Dulay argued: (1) that Murphy lacked standing to challenge the statute; (2) that the controversy, to the extent there was one, was not ripe for adjudication; and (3) that there was no valid federal cause of action for Murphy to bring his declaratory judgment claim. The district court rejected these arguments and the defendants do not renew them on appeal. Although these arguments raise jurisdictional questions which we must consider sua sponte, see Region 8 Forest Serv. Timber Purchasers Council v. Alcock, 993 F.2d 800, 807 n. 9 (11th Cir.1993), we agree with the district court's cogent analysis and conclusion that Murphy has standing and that his claims present a case or controversy that is ripe for adjudication.

5.  HIPAA, however, does not preempt state laws that provide “more stringent” privacy protections. See 45 C.F.R. § 160.203(b); see also Opis Mgmt., 713 F.3d at 1294.

6.  There are numerous categories of permissive uses and disclosures in the HIPAA regulations, only two of which we discuss here.

7.  Section 164.512 also covers standards in these other situations involving disclosure without a written authorization: (1) when required by law, (2) for public health activities, (3) about victims of abuse, neglect, or domestic violence, (4) for health oversight activities, (5) for law enforcement purposes, (6) about decedents, (7) for cadaveric organ, eye, or tissue donation purposes, (8) for research purposes, (9) to avert a serious threat to health or safety, (10) for specialized government functions, (11) for workers' compensation. Id. § 164.512(a)-(l). The provisions governing disclosure by judicial process “do not supersede other provisions of [§ 164.512] that otherwise permit or restrict uses or disclosures of protected health information.” Id. § 164.512(e)(2).

8.  A qualified protective order means an order that prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation for which it was requested and requires that the protected health information, at the end of the litigation, be returned to the covered entity or destroyed. Id . § 164.512(e)(1)(v).

9.  Specifically, a covered entity may not condition “treatment, payment, enrollment in the health plan, or eligibility for benefits” on execution of an authorization, subject to three limited exceptions. 45 C.F.R. § 164.508(b)(4).

10.  Both Texas and Tennessee have enacted statutes similar to § 766.1065. See Tex. Civ. Prac. & Rem.Code Ann. § 74.052(a)-(c) (substantially identical to the Florida statute but requiring the authorizations 60 days before filing, instead of 90 days); Tenn.Code Ann. § 29–26–121(a)(2)(E) (requiring that, 60 days before filing a medical negligence suit, a prospective plaintiff provide notice and, inter alia, “[a] HIPAA compliant medical authorization permitting the [prospective defendant] to obtain complete medical records from each other provider being sent a notice”).

11.  We recognize that the Georgia Supreme Court held that HIPAA preempted a Georgia statute requiring that a plaintiff file, contemporaneously with a medical negligence complaint, an authorization allowing ex parte interviews of health care providers. See Allen v. Wright, 644 S.E.2d 814, 818 (Ga.2007); see Ga.Code Ann. § 9–11–9.2. In Allen, the Georgia statute did not “expressly provide [ ] that the requisite authorization comply with the provisions of HIPAA” and did not require that the authorization give notice of a plaintiff's right to revoke. 644 S.E.2d at 816. Unlike the Georgia statute, Florida's § 766.1065 requires that authorizations conform to HIPAA's requirements. See Fla. Stat. § 766.1065(3). Moreover, the Georgia Supreme Court's analysis suggests that, had the Georgia statute contained a provision like the § 766.1065(3)—requiring that authorizations meet HIPAA's requirements—the court would have upheld it. See Allen, 644 S.E.2d at 816.Recently, a Florida circuit court in Escambia County ruled that HIPAA does not preempt the presuit authorization requirement in § 766.1065. Weaver v. Myers, No.2013 CA 001714, slip op. at 3–6 (Fla. Cir. Ct. June 24, 2014).

12.  As Murphy's counsel noted at oral argument, whether § 766.1065 violates the Florida Constitution is a state law issue that is not before us. Our decision involves only the claimed federal preemption of a state law.

HULL, Circuit Judge:

Copied to clipboard