Incomplete HIPAA authorizations lead to dismissal of HCLA claim.

Where an HCLA plaintiff provided incomplete HIPAA authorizations with his pre-suit notice, the trial court should have granted the defendants’ motion to dismiss.

In Elmore v. Mills, No. E2023-01064-COA-R9-CV (Tenn. Ct. App. Mar. 31, 2025), the plaintiff filed an HCLA suit against multiple defendants based on the death of the decedent, who aspirated during a hip surgery after being given food by hospital staff on the day of the surgery. The plaintiff sent pre-suit notice to multiple individuals and entities, including Dr. Sorce, the treating physician, and Dr. Sorce’s group, TVO. The plaintiff thereafter filed this HCLA suit.

Defendants Sorce and TVO filed a motion to dismiss, arguing that the pre-suit notice was not sent within the one-year statute of limitations and that the HIPAA authorizations provided with the pre-suit notice were insufficient. The trial court denied the motion to dismiss, but the Court of Appeals reversed based on the incomplete HIPAA authorizations.

The HCLA requires that a plaintiff filing suit under the statute give potential defendants pre-suit notice. This pre-suit notice must include HIPAA authorizations “permitting the provider receiving the notice to obtain complete medical records from each other provider being sent a notice.” (Tenn. Code Ann. § 29-26-121(a)(2)(E)). One way to challenge the sufficiency of a plaintiff’s pre-suit notice is by “alleging that the plaintiff’s Section 121(a)(2)(E) medical authorization lacks one or more of the six core elements required by federal law for HIPAA compliance.” (internal citation omitted). If the defendant shows that the plaintiff failed to substantially comply, “the burden shifts back to the plaintiff who bears the burden of establishing substantial compliance with Section 121, which includes the burden of demonstrating that the noncompliance did not prejudice the defense.” (internal citation omitted).

The defendants argued that three of the HIPAA authorizations were missing at least one of the six core elements, and that one HIPAA authorization was completely missing. Specifically, one authorization was not signed, and two were not signed or dated. The Court of Appeals agreed that the defendants were prejudiced by some of these incomplete authorizations, rejecting the plaintiff’s attempt to characterize these errors as “technical omissions.”

Looking at each authorization individually, the Court first considered the authorization permitting TVO to obtain medical records from itself, which was not signed or dated. Because “TVO would have had access to any of Decedent’s medical records already in its possession, if any, [the Court] determine[d] that TVO suffered no prejudice by this noncompliant authorization.”

Next, the Court considered the authorization allowing TVO to obtain records from the hospital, which was not signed, not dated, and had no expiration date. The plaintiff argued that TVO was not in existence at the time of the incident and was thus not prejudiced by this authorization, but the Court rejected this argument. “[R]egardless of whether TVO was in existence at the time or not, Plaintiff named it as a provider receiving pre-suit notice, and therefore, owed TVA a HIPAA-compliant medical authorization so that it could investigate the merits of Plaintiff’s claims and pursue settlement negotiations prior to litigation.” The Court found that TVO was prejudiced by this noncompliant authorization.

For the authorization permitting Sorce to obtain records from the nurse anesthetist and the clinic, which lacked a date and signature, the plaintiff argued that this was not prejudicial because only the hospital had relevant records. The Court wrote, however, that the plaintiff presented no evidence establishing this fact. Further, “Plaintiff presented no evidence to indicate that the other eleven providers who were sent pre-suit notice knew that only the Hospital had relevant medical records.” The plaintiff “failed to demonstrate that Sorce should have known that [the clinic] did not have any relevant records,” and thus failed to demonstrate a lack of prejudice.

Finally, the Court looked at the authorization allowing Sorce to obtain records from the nurse anesthetist, which had no signature, date, or expiration date. Here, the plaintiff argued that because Sorce and the nurse were treating providers during the incident, they already had full access to the relevant medical records. The Court disagreed. The Court wrote that “[t]o hold that Sorce could have obtained Decedent’s medical records from [the nurse] without a HIPAA-compliant medical authorization simply because Sorce and Mills both treated Decedent would run counter to the purpose of HIPAA and be inconsistent with the body of law surrounding this issue.”

Because the plaintiff failed to show that the defendants were not prejudiced by the noncompliant HIPAA authorizations, the trial court should have granted dismissal.

This opinion was released 2.5 months after oral arguments.