HIPAA-compliant authorization forms continue to cause trouble for medical malpractice (now called “health care liability action” or ‘HCLA”) plaintiffs in Tennessee, with a recent plaintiff having his case dismissed due to his failure to fill in the portion of the form that lists who was authorized to make disclosures thereunder.
In Lawson v. Knoxville Dermatology Group, P.C., No. E2017-00077-COA-R3-CV (Tenn. Ct. App. Aug. 1, 2017), plaintiff filed suit against “a dermatology practice and a certified physician’s assistant employed by the practice.” The underlying injury occurred when plaintiff fell off an allegedly improperly secured examination table. Defendants filed motions to dismiss, asserting that plaintiff had failed to substantially comply with Tenn. Code Ann. § 29-26-121(a)(2)(E), the HCLA provision that requires that pre-suit notice include a HIPAA-compliant authorization. Specifically, defendants pointed out that plaintiff’s “authorization form did not list which individual(s) or organization(s) were authorized to make disclosures of the specified medical records.”
The trial court granted the motions to dismiss and entered an order dismissing all of plaintiff’s claims without prejudice. Plaintiff appealed the dismissal only as to the dermatology group, which the Court of Appeals affirmed.
On appeal, defendant pointed out that “the name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure” is listed as a “core element of the authorization” by the Code of Federal Regulations. (citation omitted). Defendant asserted that because this “core element” was left blank, plaintiff did not substantially comply with the HCLA requirements and dismissal was appropriate. According to defendant, “the medical authorization provided by [plaintiff] was insufficient to allow [defendant] to access relevant medical records to mount a defense.”
While plaintiff did not contest the fact that the blank was not completed, he advanced four arguments as to why dismissal should be overturned. First, plaintiff asserted that defendant “already had access to the medical record it generated when [plaintiff] underwent treatment there on April 29, 2013[.]” Plaintiff argued that defendant “was not prejudiced because it was already in possession of the only medical record relevant to the case at bar.” The Court of Appeals rejected plaintiff’s argument, stating:
Although in limited circumstances, HIPAA provides for the use or disclosure of medical records without specific authorization by the covered entity to defendant itself in a legal action, HIPAA generally provides that a covered entity may not use or disclose protected health information without valid authorization.
(internal citations and quotations omitted). The Court cited extensively from Roberts v. Prill, 2014 WL 2921930 (Tenn. Ct. App. June 26, 2014), a case in which a plaintiff filed suit against both an oncologist and the group that employed the oncologist. In Roberts, dismissal of the case was affirmed because of a similarly flawed HIPAA authorization.
Plaintiff argued that the recent ruling in Bray v. Khuri, __ S.W.3d __, 2017 WL 2856697 (Tenn. July 5, 2017), which rejected some of the reasoning of Roberts, should apply here. In Bray, the Tennessee Supreme Court held that “a plaintiff need not provide a HIPAA-compliant authorization when a single healthcare provider is given pre-suit notice of a healthcare liability claim.” There, the Court stated that “HIPAA does not require [defendant] to obtain a medical authorization to use a patient’s medical records in his possession and consult with counsel to evaluate the merits of a potential claim.” The Court of Appeals in the instant case held, however, that Bray was inapplicable here because plaintiff had named two defendants.
Second, plaintiff argued that the HIPAA authorization should be deemed to substantially comply with the statute because “it was one missing element, rather than several.” The Court ruled, though, that “substantial compliance…does not refer solely to the number of satisfied elements, but rather to a degree of compliance that provides the defendant with the ability to access and use the medical records for the purpose of mounting a defense.” Regarding the omission made by plaintiff, the Court stated that “health care providers presented with a medical authorization missing the identification of those authorized to release information would have no way of knowing that they were the providers for which the authorization was intended or that they were allowed to release medical records.” The Court thus determined that the omitted information was a “necessary element” of the authorization.
Third, plaintiff argued that a document listing health care providers that was attached to the pre-suit notice could be read to supplement the authorization. The Court quickly rejected this assertion, stating that the CFR, “with certain exceptions not applicable here, specifically prohibits compound authorizations,” and that the Court has previously refused to consider authorizations compliant based on their supplementation by pre-suit notice letters with which they were sent.
Finally, plaintiff argued that the HIPAA form was essentially irrelevant because “the April 29, 2013 medical record did not document the incident or injury at issue.” While it was true that the medical record from that date focused on plaintiff’s dermatological issues and did not mention his fall, the Court rejected the notion that this made the HIPAA form unnecessary. The Court reasoned:
[W]e have no way of knowing, nor did the trial court, how the medical record before us, which includes a description of [plaintiff’s] presenting his condition requiring dermatology treatment subsequent to suffering his purported injury allegedly caused by the table malfunction, would be evaluated by an expert witness or consultant. …Moreover, because the medical authorization [was incomplete], [defendant] was foreclosed by HIPAA regulations from consulting with anyone to determine whether the record could aid in mounting a defense.
Having rejected all of plaintiff’s arguments, the Court affirmed dismissal. The Court further noted that because the HIPAA authorization was insufficient, plaintiff did not comply with the pre-suit notice requirements and was not entitled to the 120-day extension of the statute of limitations. Thus, although the dismissal was without prejudice, “any future claims filed by [plaintiff] in this matter would be time-barred.”
As this case reminds us, when filing an HCLA claim it’s best to fully comply with all pre-suit notice requirements, no matter what exceptions you think your case might fall under. Interestingly, when discussing the theory that although defendant had possession of the relevant medical record it could not use it without the authorization, the Court here seemed to rely on reasoning that was rejected by the Supreme Court in Bray. While this case technically dealt with two defendants, there was never an argument that these defendants had separate medical records. It will be interesting to see if this case is appealed to and taken up by the Supreme Court.