Konah Evangeline Buckman, Mother And Next Of Kin Of Edward Kofi Sasa Lenox Buckman A/K/A Edward Welsely, Deceased v. Mountain States Health Alliance, Et Al.
Annotate this CaseCourt Description:
Authoring Judge: Judge Brandon O. Gibson
Trial Court Judge: Judge James E. Lauderback
This is a healthcare liability case. Before filing the complaint, the plaintiff gave written notice to the potential defendants of her healthcare liability claim against them. Tennessee Code Annotated section 29-26-121(a)(2)(E) requires that a plaintiff s pre-suit notice include a HIPAA compliant medical authorization permitting the healthcare provider receiving the notice to obtain complete medical records from every other provider that is being sent a notice. After the plaintiff filed suit, the defendants moved to dismiss the complaint based on noncompliance with the statute, as the defendants alleged that the HIPAA authorization provided by the plaintiff had already expired when they received it. The trial court granted the defendants motion to dismiss, concluding that the HIPAA authorization was invalid due to the fact that the listed expiration date had already passed when the authorization was provided to the defendants with pre-suit notice. The plaintiff appeals. We affirm and remand for further proceedings.
Download PDF
IN THE COURT OF APPEALS OF TENNESSEE AT KNOXVILLE 07/26/2018 May 29, 2018 Session KONAH EVANGELINE BUCKMAN, MOTHER AND NEXT OF KIN OF EDWARD KOFI SASA LENOX BUCKMAN A/K/A EDWARD WELSELY, DECEASED v. MOUNTAIN STATES HEALTH ALLIANCE, ET AL. Appeal from the Circuit Court for Washington County No. 36257 James E. Lauderback, Judge No. E2017-01766-COA-R3-CV This is a healthcare liability case. Before filing the complaint, the plaintiff gave written notice to the potential defendants of her healthcare liability claim against them. Tennessee Code Annotated section 29-26-121(a)(2)(E) requires that a plaintiff’s pre-suit notice include a HIPAA compliant medical authorization permitting the healthcare provider receiving the notice to obtain complete medical records from every other provider that is being sent a notice. After the plaintiff filed suit, the defendants moved to dismiss the complaint based on noncompliance with the statute, as the defendants alleged that the HIPAA authorization provided by the plaintiff had already expired when they received it. The trial court granted the defendants’ motion to dismiss, concluding that the HIPAA authorization was invalid due to the fact that the listed expiration date had already passed when the authorization was provided to the defendants with pre-suit notice. The plaintiff appeals. We affirm and remand for further proceedings. Tenn. R. App. P. 3 Appeal as of Right; Judgment of the Circuit Court Affirmed and Remanded BRANDON O. GIBSON, J., delivered the opinion of the court, in which CHARLES D. SUSANO, JR., J., joined. D. MICHAEL SWINEY, C.J., filed a separate concurring opinion. R. Wayne Culbertson, Kingsport, Tennessee, for the appellant, Konah Evangeline Buckman. Frank H. Anderson, Jr., Johnson City, Tennessee, for the appellees, Mountain States Health Alliance, Individually, and Mountain States Health Alliance d/b/a Johnson City Medical Center, and Mountain States Health Alliance d/b/a Niswonger Children’s Hospital. Charles Thaddeus Herndon, IV, and Charles Jason London, Johnson City, Tennessee, for the appellees, Medical Education Assistance Corporation d/b/a ETSU Physicians & Associates, Neil Kooy, M.D., and Demetrio Rebano Macariola, M.D. OPINION I. FACTS & PROCEDURAL HISTORY On August 11, 2016, counsel for Konah Evangeline Buckman (“Plaintiff”) sent letters to at least ten healthcare providers, notifying them of a potential healthcare liability claim arising out of their care and treatment of Plaintiff’s son on August 15-16, 2015. The notice stated that counsel was enclosing a HIPAA compliant medical authorization permitting each provider to obtain a complete copy of the child’s medical records generated by the other providers.1 According to federal regulations, a HIPAA compliant authorization must include six “core elements,” including, (v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository. 45 C.F.R. § 164.508(c)(1). The HIPAA authorization sent by Plaintiff on August 11, 2016, provided, in part: HIPAA COMPLIANT AUTHORIZATION FOR RELEASE OF MEDICAL INFORMATION Patient: Edward Koff Sasa Lenox Buckman aka Edward Welslev A. I hereby authorize any of the following listed providers to release information/ran my medical records to yourself and all other medical providers listed below: .... 1 “HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104–191, 110 Stat. 1936(codified as amended in scattered sections of 18 U.S.C., 26 U.S.C., 29 U.S.C., 42 U.S.C.).” Runions v. Jackson-Madison Cnty. Gen. Hosp. Dist., No. W2016-00901-SC-R11-CV, --S.W.3d ---, 2018 WL 2710948, at *1 n.3 (Tenn. June 6, 2018). 2 B. For the following purpose: To be reviewed by said providers and his/her/their Attorneys, agents or representatives. C. For treatment dates: All treatment dates and all medical records D. Description of Information to be used: Copies of medical records regarding Edward Kali Sass Lenox Buckman aka Edward Welsley in the possession of the medical providers listed above in Part A, including but riot limited to, all medical records, meaning every page in the records, including but not limited to: office notes, fact sheets, history and physical, consultation notes, impatient, outpatient and emergency room treatment, all clinical charts, reports, order sheets, progress notes, nurse's notes. social worker records, clinic records, treatment plans, admission records, discharge summaries, requests for and reports of consultations, documents, correspondence, test results, statements, questionnaires/histories, correspondence, photographs, telephone messages, and records received by other medical providers. All physical, occupational and rehab requests, consultations and progress notes. All autopsy, laboratory, histology, cytology, pathology, immunohistochemistry records and specimens; radiology records and including CT scan, MR.I,!ARA,EMG,bone scan, myleograrn; nerve condition study, echocardiogram and cardiac catheterization results, videos/CDs/ films/reels and reports' All pharmacy/prescription records. All billing records including all statements. E. I understand the information to be released or disclosed may include information relating to sexually transmitted diseases• acquired immunodeficiency syndrome (AIDS), or human immunodeficiency virus(HIV), and alcohol and drug abuse. I authorize the release or disclosure of this type of Information. This authorization is given in compliance with the federal consent requirements for release of alcohol or substance abuse records of 42 CFR 2°31,the restrictions of which have been specifically considered and expressly waived" F. I understand the following: I. I have a right to revoke this authorization in writing at any time, except to the extent information has been released in reliance upon this authorization' 2. The information released in response to this authorization may here-disclosed to other parties' 3. Trealment or payment for treatment cannot be conditioned on the signing of this authorization. 4. The providers releasing the medical records are hereby released and discharged of any liability and I will hold the facilities harmless for complying with this authorization for release of medical information. G. Any facsimile copy or photocopy of this authorization shall authorize the medical provider to release the records requested herein. This authorization shall be in force and effect until the conclusion of any litigation involving the providers listed above. H. This authorization shall expire on the following date- or (2 years from signature) or Event: O8/15/2015. I. All medical records obtained pursuant to this authorization shall be copied by the recipient's office and a Bates-numbered copy shall he furnished to my counsel, R. Wayne CulbertRin, Mama at Law 119 W. Market Street. Kinesport,IN 37660 within five (5)days after the records are obtained by recipient. Plaintiff filed her healthcare liability complaint on December 1, 2016. On January 30, 2017, some of the defendants jointly filed a motion to dismiss asserting that they were provided with an expired and therefore invalid HIPPA authorization, and consequently, Plaintiff had failed to substantially comply with Tennessee Code Annotated section 29-26-121(a)(2)(E). These defendants argued in their motion that they were unable to obtain copies of the patient’s medical records as a result. Plaintiff filed a response, arguing that the expiration date was sufficient but that even if it was deficient, the HIPAA authorization substantially complied with the statute. Plaintiff 3 argued that the defendants had failed to demonstrate any prejudice as a result of the alleged deficiency in the form. Additional defendants filed a motion to dismiss on the same ground, asserting that the HIPAA authorization provided to them was likewise expired and therefore Plaintiff did not substantially comply with the pre-suit notice requirement of Tennessee Code Annotated section 29-26-121(a)(2)(E). These defendants argued that they were forbidden from using or disclosing the patient’s protected health information without a valid HIPAA authorization and that releasing, obtaining, or using the records pursuant to the expired HIPAA authorization would have constituted a violation of HIPAA by both the party releasing the records and the recipient or user of the records. After a hearing, the trial court entered an order of dismissal granting the motion to dismiss that was filed first. Noting the “core elements” of a HIPAA authorization required by federal regulations, the trial court concluded that Plaintiff’s HIPAA authorization was expired and “thereby invalid for use by the defendants” at the time it was received. The trial court found that the defendants were prejudiced by the invalid HIPAA release in that they were unable to obtain medical records from healthcare providers. The trial court added, “see Exhibit 1, Refusal Notice received by Defendants in response to request for medical records, on the basis of an invalid HIPAA release,” but no exhibit is attached to the order in the appellate record. Because the defendants were unable to lawfully use the HIPAA authorizations provided by Plaintiff, the trial court concluded that Plaintiff failed to substantially comply with Tennessee Code Annotated section 29-26-121(a)(2)(E) and dismissed the claims against these defendants without prejudice. The order of dismissal was entered on August 22, 2017. On September 7, 2017, the trial court entered a second order resolving the second motion to dismiss that was filed by additional defendants. The order noted that the identical issue had been raised and previously addressed with regard to other defendants. Specifically, the order referenced the court’s previous ruling that Plaintiff’s HIPAA authorization had expired by its terms and was therefore invalid for use by the defendants at the time of receipt, preventing them from obtaining the patient’s medical records. The trial court attached a transcript of its prior ruling to the order and granted the second motion to dismiss filed by the additional defendants. Plaintiff timely filed a notice of appeal. 4 II. ISSUES PRESENTED As we perceive it, Plaintiff presents the following issue for review on appeal: whether the trial court misinterpreted Plaintiff’s HIPAA authorization by concluding that it listed an expiration date that preceded the execution of the document and erred in finding that the authorization was not HIPAA-compliant. For the following reasons, we affirm the trial court’s decision and remand for further proceedings. III. STANDARD OF REVIEW According to the Tennessee Supreme Court, The proper way for a defendant to challenge a complaint’s compliance with Tennessee Code Annotated section 29-26-121 and Tennessee Code Annotated section 29-26-122 is to file a Tennessee Rule of Procedure 12.02 motion to dismiss. In the motion, the defendant should state how the plaintiff has failed to comply with the statutory requirements by referencing specific omissions in the complaint and/or by submitting affidavits or other proof. Once the defendant makes a properly supported motion under this rule, the burden shifts to the plaintiff to show either that it complied with the statutes or that it had extraordinary cause for failing to do so. Based on the complaint and any other relevant evidence submitted by the parties, the trial court must determine whether the plaintiff has complied with the statutes. If the trial court determines that the plaintiff has not complied with the statutes, then the trial court may consider whether the plaintiff has demonstrated extraordinary cause for its noncompliance. If the defendant prevails and the complaint is dismissed, the plaintiff is entitled to an appeal of right under Tennessee Rule of Appellate Procedure 3 using the standards of review in Tennessee Rule of Appellate Procedure 13. Myers v. AMISUB (SFH), Inc., 382 S.W.3d 300, 307 (Tenn. 2012). Because the trial court’s decision on the motion “involves a question of law, our review is de novo with no presumption of correctness.” Id. (citing Graham v. Caples, 325 S.W.3d 578, 581 (Tenn. 2010)). 5 IV. DISCUSSION In Tennessee, a claimant must provide written pre-suit notice to a potential defendant before filing a complaint alleging healthcare liability: Any person, or that person’s authorized agent, asserting a potential claim for health care liability shall give written notice of the potential claim to each health care provider that will be a named defendant at least sixty (60) days before the filing of a complaint based upon health care liability in any court of this state. Tenn. Code Ann. § 29-26-121(a)(1). By statute, the pre-suit notice must include “[a] HIPAA compliant medical authorization permitting the provider receiving the notice to obtain complete medical records from each other provider being sent a notice.” Tenn. Code Ann. § 29-26-121(a)(2)(E). HIPAA “establishes requirements for protecting confidential medical information by healthcare providers” and generally “prohibits a healthcare provider from using or disclosing protected health information without a valid authorization.” Bray v. Khuri, 523 S.W.3d 619, 622 (Tenn. 2017) (citing 45 C.F.R. § 164.508(a)(1)). The specific requirements for a HIPAA compliant medical authorization are set forth in 45 C.F.R. § 164.508, which provides: (a) Standard: Authorizations for uses and disclosures (1) Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. . . . .... (c) Implementation specifications: Core elements and requirements— (1) Core elements. A valid authorization under this section must contain at least the following elements: (i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. 6 (ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure. (iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure. (iv) A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose. (v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository. (vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided. (Emphasis added.) The regulation further provides: (2) Defective authorizations. An authorization is not valid, if the document submitted has any of the following defects: (i) The expiration date has passed or the expiration event is known by the covered entity to have occurred[.] 45 C.F.R. § 164.508(b)(2). Finally, the regulation contains a “[p]lain language requirement,” which provides that “[t]he authorization must be written in plain language.” 45 C.F.R. § 164.508(c)(3). In the case before us, the HIPAA authorization sent by Plaintiff on August 11, 2016, provided the following, all of which was type-written: This authorization shall expire on the following date: __________ or (2 years from signature) or Event: 08/15/2015. 7 (Emphasis in original.) Plaintiff argues that the trial court and the defendants unilaterally misinterpreted this provision as providing an expiration date of “8/15/2015” when, according to Plaintiff, it provided an expiration date of two years from the date of signature. In her brief on appeal, Plaintiff argues: The CFR set forth above clearly refers to two different ways to establish the expiration of the HIPAA agreement. The first is by a date, or the second way is by an event that relates to the individual or the purpose of the use or disclosure. Plaintiff submits that a date is straight forward but blank in this agreement. Instead the plaintiff chose to use an event, which is the expiration of two years from her signature.2 We simply cannot agree with Plaintiff’s strained interpretation of the HIPAA authorization. First of all, the authorization clearly lists “Event: 08/15/2015,” which refutes Plaintiff’s argument that she chose to designate an “Event” of “two years from her signature.” The pre-printed blank beside the “date” was left blank. Plaintiff entered “08/15/2015” in the second blank and emphasized it with bold font, as she did when answering other questions on the form, such as, “For treatment dates: All treatment dates and all medical records.” The phrase “2 years from signature” only appears parenthetically in the provision, without bold emphasis, and would appear to be a default parenthetical that appeared on the original form beside the blank for the date. Although the provision as a whole is not a model of clarity, the most reasonable interpretation of it is that the HIPAA authorization would expire on “08/15/2015.” Plaintiff certainly did not specify any other expiration date or event in the “plain language” required by federal regulations. See 45 C.F.R. § 164.508(c)(3). Plaintiff suggests on appeal that she listed “08/15/2015” simply in order “to assist the defendants in their search for records” because that was the date of “the negligent event,” but again, we find such an interpretation unreasonable. The form clearly states, “This authorization shall expire on the following date: __________ or (2 years from signature) or Event: 08/15/2015.” (Italics added.) Regardless of Plaintiff’s unexpressed intention, the provision contains nothing to convey to a healthcare provider receiving the form that 08/15/2015 was not really intended to signify the expiration of the authorization. As the appellees note on appeal, medical providers are “not at liberty to disregard [a plaintiff’s] explicitly designated expiration date just because it happened to coincide with the date of injury,” nor can they be expected to effectively rewrite a release to correct a perceived error. Compare J.A.C. by & through Carter v. Methodist 2 Although Plaintiff suggests on appeal that she made a deliberate choice to complete the form in this manner, at the hearing before the trial court, her attorney suggested that the form contained “a typo.” 8 Healthcare Memphis Hosps., 542 S.W.3d 502, 515 (Tenn. Ct. App. 2016), perm. app. denied (Tenn. Mar. 9, 2017) (rejecting the argument that a healthcare provider could have used information from the pre-suit notice letters and attachments to “customize” incomplete medical authorizations); Roberts v. Prill, No. E2013-02202-COA-R3-CV, 2014 WL 2921930, at *6 (Tenn. Ct. App. June 26, 2014) (rejecting the suggestion that defendants should be required to complete an inadequate form). Defendant providers owe no duty to plaintiffs to help them achieve compliance with the requirements of the statute. J.A.C., 542 S.W.3d at 516. Our research has revealed another Tennessee case involving the sufficiency of an already-passed expiration date on a HIPAA authorization. In Byrge v. Parkwest Medical Center, 442 S.W.3d 245, 246 (Tenn. Ct. App. 2014), the plaintiff sent pre-suit notice along with a HIPAA authorization on September 20, 2010, but the HIPAA authorization listed an expiration date of October 4, 2009, nearly one year prior to its mailing. (This was the date of the patient’s death.) After the defendant filed a motion to dismiss, the plaintiff took a nonsuit and refiled his claim. Id. The trial court granted a motion to dismiss the second complaint on the basis that the first complaint was not timely filed because the plaintiff failed to comply with Tennessee Code Annotated section 29-26-121. Id. at 247. On appeal, this Court considered whether the first lawsuit was timely filed and found it undisputed that the plaintiff did not comply with Tennessee Code Annotated section 29-26-121 in his first suit. Id. at 251. “Specifically,” we said, “the medical authorization form Plaintiff sent to Parkwest was deficient because it did not authorize release of information to Parkwest and because it contained an expiration date that predated the cover letter accompanying the medical authorization form by almost one year.” Id. (emphasis added). The same defect exists in this case. Having concluded that Plaintiff’s pre-suit notice included an expired HIPAA authorization, we now consider the effect of such an error. The Tennessee Supreme Court provided guidance on that issue in Stevens ex rel. Stevens v. Hickman Community Health Care Services, Inc., 418 S.W.3d 547 (Tenn. 2013). In that case, the pre-suit notice provided by the plaintiff included a HIPAA medical authorization that only permitted the release of medical records to plaintiff’s counsel, not to the providers being sent notice, and it also failed to contain other required information. Id. at 551-52. The defendants moved to dismiss the complaint based on noncompliance with Tennessee Code Annotated section 29-26-121(a)(2)(E). Id. at 552. The trial court denied the motion, and the case eventually made its way to the Tennessee Supreme Court. Id. at 553. The supreme court explained that the HIPAA authorization requirement of section 29-26-121(a)(2)(E) serves “an investigatory function, equipping defendants with the actual means to evaluate the substantive merits of a plaintiff’s claim by enabling early discovery of potential co-defendants and early access to a plaintiff’s 9 medical records.” Id. at 554. The court explained that Tennessee Code Annotated section 29-26-121(d)(1) “creates a statutory entitlement to the records governed by § 2926-121(a)(2)(E),” as the statute provides that all parties “shall be entitled to obtain complete copies of the claimant’s medical records from any other provider receiving notice.” Id. at 555 (emphasis in original). According to the court, Because HIPAA itself prohibits medical providers from using or disclosing a plaintiff's medical records without a fully compliant authorization form, it is a threshold requirement of the statute that the plaintiff’s medical authorization must be sufficient to enable defendants to obtain and review a plaintiff’s relevant medical records. See 45 C.F.R. § 164.508(a)(1) (“a covered entity may not use or disclose protected health information without an authorization that is valid under this section”). . . . A plaintiff’s less-than-perfect compliance with Tenn. Code Ann. § 29-26-121(a)(2)(E), however, should not derail a healthcare liability claim. Non-substantive errors and omissions will not always prejudice defendants by preventing them from obtaining a plaintiff’s relevant medical records. Thus, we hold that a plaintiff must substantially comply, rather than strictly comply, with the requirements of Tenn. Code Ann. § 29-26-121(a)(2)(E). Id. (emphasis added). Next, the court considered the sufficiency of the medical authorization provided in that case to determine whether it substantially satisfied the requirements of the statute. Id. After noting the six core elements required by federal regulations, the supreme court concluded that the authorization at issue was not HIPAA compliant. Id. at 556. “First, and most importantly,” the court said, “by permitting disclosure only to Plaintiff’s counsel, Plaintiff’s medical authorization failed to satisfy the express requirement of Tenn. Code Ann. § 29-26-121(a)(2)(E) that a plaintiff’s medical authorization ‘permit[ ] the provider receiving the notice to obtain complete medical records from each other provider being sent a notice.’” Id. Secondly, the court found that the authorization failed to satisfy at least three of the six compliance requirements mandated by HIPAA. Id. The court continued, In determining whether a plaintiff has substantially complied with a statutory requirement, a reviewing court should consider the extent and significance of the plaintiff’s errors and omissions and whether the defendant was prejudiced by the plaintiff’s noncompliance. Not every noncompliant HIPAA medical authorization will result in prejudice. But in this case, the medical authorization submitted by Plaintiff was woefully deficient. The errors and omissions were numerous and significant. Due to 10 Plaintiff's material non-compliance, Defendants were not authorized to receive any of the Plaintiff’s records. As a result of multiple errors, Plaintiff failed to substantially comply with the requirements of Tenn. Code Ann. § 29-26-121(a)(2)(E). Id. (emphasis added). In a later case, the supreme court summarized Stevens as holding that “non-substantive errors and omissions and a plaintiff's less-than-perfect compliance with subsection 29-26-121(a)(2)(E) will not derail a healthcare liability claim so long as the medical authorization provided is sufficient to enable defendants to obtain and review a plaintiff’s relevant medical records.” Thurmond v. Mid-Cumberland Infectious Disease Consultants, PLC, 433 S.W.3d 512, 519-20 (Tenn. 2014) (quotations and bracketing omitted). In sum, “there is no bright line rule that determines whether a party has substantially complied with the requirements of Tenn. Code Ann. § 29-26121(a)(2)(E)[.]” Rush v. Jackson Surgical Assocs. PA, No. W2016-01289-COA-R3-CV, 2017 WL 564887, at *4 (Tenn. Ct. App. Feb. 13, 2017), perm. app. denied (Tenn. June 8, 2017). However, in order to substantially comply with the statute, a plaintiff must provide a defendant with a HIPAA compliant medical authorization form that is sufficient to allow the defendant to obtain the plaintiff’s medical records from the other providers being sent the notice. Brookins v. Tabor, No. W2017-00576-COA-R3-CV, 2018 WL 2106652, at *5 (Tenn. Ct. App. May 8, 2018); Travis v. Cookeville Reg’l Med. Ctr., No. M2015-01989-COA-R3-CV, 2016 WL 5266554, at *7 (Tenn. Ct. App. Sept. 21, 2016); see also Riley v. Methodist Healthcare Memphis Hosps., No. 17-5621, 2018 WL 2059524, at *8 (6th Cir. May 2, 2018) (gleaning from Tennessee cases that “substantial compliance requires that the noncomplying features of the authorization do not render it insufficient to authorize access and use of the records”). In this context, substantial compliance refers to “a degree of compliance that provides the defendant with the ability to access and use the medical records for the purpose of mounting a defense.” Lawson v. Knoxville Dermatology Grp., P.C., 544 S.W.3d 704, 711 (Tenn. Ct. App. 2017), perm. app. denied (Tenn. Nov. 16, 2017). Applying these principles to the case before us, we agree with the trial court’s conclusion that Plaintiff failed to substantially comply with section 29-26-121(a)(2)(E) by providing the defendants with an expired and therefore invalid HIPAA authorization form. Considering first “the extent and significance of the plaintiff’s errors and omissions,” as instructed by Stevens, 418 S.W.3d at 556, we find that the HIPAA authorization was expressly invalid under HIPAA regulations: 11 (2) Defective authorizations. An authorization is not valid, if the document submitted has any of the following defects: (i) The expiration date has passed or the expiration event is known by the covered entity to have occurred[.] 45 C.F.R. § 164.508(b)(2). Thus, the error in the form was both substantive and significant. As a result of the expiration date having passed, the defendants were not authorized to receive any of the patient’s medical records. See 45 C.F.R. § 164.508(a)(1) (“a covered entity may not use or disclose protected health information without an authorization that is valid under this section”). We further conclude that the defendants were prejudiced by Plaintiff’s noncompliance with the statute. “‘Defendants are clearly prejudiced when unable, due to a form procedural error, to obtain medical records needed for their legal defense.’” Lawson v. Knoxville Dermatology Grp., P.C., 544 S.W.3d 704, 709-10 (Tenn. Ct. App. 2017), perm. app. denied (Tenn. Nov. 16, 2017)3 (quoting Hamilton v. Abercrombie Radiological Consultants, Inc., 487 S.W.3d 114, 120 (Tenn. Ct. App. 2014)). At this juncture, we note that the trial court referenced an exhibit to its order entitled, “Exhibit 1, Refusal Notice received by Defendants in response to request for medical records, on the basis of an invalid HIPAA release,” but no such exhibit is attached to the order in the appellate record. However, the absence of such a “refusal notice” does not lead us to conclude that the defendants were not prejudiced. As a result of the invalid and expired HIPAA authorization, the defendants could not lawfully request the patient’s medical records, whether they attempted to do so or not. “Because the penalties imposed on entities that wrongfully disclose or obtain private health information in violation of HIPAA are severe, the sufficiency of the plaintiffs’ medical authorizations is imperative.” Woodruff by & through Cockrell v. Walker, 542 S.W.3d 486, 499 (Tenn. Ct. App. 2017), perm. app. denied (Tenn. Oct. 6, 2017). The penalties for wrongfully disclosing or obtaining private health information in violation of HIPAA are “extremely severe, with such entities facing punishment of up to 3 In Lawson, for example, the Court found no substantial compliance where a core element of the plaintiff’s HIPAA authorization, designating who was authorized to make the requested use or disclosure, was left blank. Lawson, 544 S.W.3d at 712. The Court explained that “health care providers presented with a medical authorization missing the identification of those authorized to release information would have no way of knowing that they were the providers for which the authorization was intended or that they were allowed to release medical records.” Id. As such, we concluded that the omitted core element was “a necessary element” to the defendants’ legal authorization to use the pertinent medical records. Id. 12 $50,000 per offense and/or imprisonment of up to one year for non-compliance.” Stevens, 418 S.W.3d at 555 n.6 (citing 42 U.S.C.A. § 1320d–6). “Several Tennessee decisions have rejected the proposition that a health care liability defendant has a duty to assist a plaintiff achieve compliance or to test whether an obviously deficient HIPAA form would allow the release of records.” J.A.C., 542 S.W.3d at 514; see, e.g., Dolman v. Donovan, No. W2015-00392-COA-R3-CV, 2015 WL 9315565, at *5 (Tenn. Ct. App. Dec. 23, 2015), perm. app. denied (Tenn. May 6, 2016) (rejecting the plaintiffs’ argument that the medical providers could not have been prejudiced because they never attempted to obtain medical records with the deficient medical authorization provided); Roberts, 2014 WL 2921930, at *6 (rejecting the argument that the onus should be placed on the defendants to test the sufficiency of the form and finding dismissal warranted even in the absence of evidence of any “failed attempt” to obtain records); see also Riley, 2018 WL 2059524, at *10 (wherein the Sixth Circuit concluded from Tennessee caselaw that “where the authorizations do not permit access and use, the defendant-providers need not affirmatively show that they sought and were denied medical records in order to establish prejudice”). The healthcare liability plaintiff is the party responsible for complying with the requirements of Tennessee Code Annotated section 29-26-121(a)(2)(E), not the defendants. Stevens, 418 S.W.3d at 559.4 Ultimately, the statute requires pre-suit notice to include “[a] HIPAA compliant medical authorization permitting the provider receiving the notice to obtain complete 4 When discussing the issue of prejudice and finding that prejudice occurred in the Stevens case, the supreme court said, In determining whether a plaintiff has substantially complied with a statutory requirement, a reviewing court should consider the extent and significance of the plaintiff’s errors and omissions and whether the defendant was prejudiced by the plaintiff's noncompliance. Not every non-compliant HIPAA medical authorization will result in prejudice. But in this case, the medical authorization submitted by Plaintiff was woefully deficient. The errors and omissions were numerous and significant. Due to Plaintiff's material non-compliance, Defendants were not authorized to receive any of the Plaintiff's records. Stevens, 418 S.W.3d at 556 (emphasis added). There was no mention of a failed attempt to obtain records. In fact, the dissent argued that the complaint should not have been dismissed because “the Defendants have not demonstrated any prejudice caused by the deficiency in the medical authorization form.” Id. at 561. The dissent criticized the majority as essentially holding that the defendants were “effectively prevented access to the medical records” and “presumptively prejudiced” by the inadequate form. Id. at 564-65. So, while Stevens requires us to consider whether the defendant was prejudiced, we do not read Stevens as also requiring that a provider affirmatively prove that it requested and was denied access to records. 13 medical records from each other provider being sent a notice.” Tenn. Code Ann. § 2926-121(a)(2)(E). The expired and invalid HIPAA authorization provided in this case failed to meet the “threshold requirement of the statute that the plaintiff’s medical authorization must be sufficient to enable defendants to obtain and review [the] relevant medical records.” See Stevens, 418 S.W.3d at 555. We therefore affirm the trial court’s order of dismissal without prejudice. On appeal, the appellees attempt to raise an additional issue regarding “[w]hether Plaintiff is barred from re-filing her case by the interaction of the Statute of Limitations and the failure to comply with Tenn. Code Ann. § 29-26-121, which Plaintiff utilized to extend the filing deadline by one hundred and twenty (120) days.” At the conclusion of the hearing on the motion to dismiss, the trial judge stated that he would dismiss the case without prejudice due to noncompliance with Tennessee Code Annotated section 29-26121, but he also recognized that “the effect . . . would be a dismissal with prejudice because you were relying on the 120 day extension of the statute by giving the pre-suit notice.” To the extent that this could be construed as a ruling on this issue, it was not challenged on appeal by Plaintiff. In fact, Plaintiff’s counsel conceded during oral argument that if we concluded that his HIPAA authorization was non-compliant, he was not entitled to the 120-day extension. We will not address the issue further in this opinion. V. CONCLUSION For the aforementioned reasons, the decision of the circuit court is hereby affirmed and remanded for further proceedings. All other issues are pretermitted. Costs of this appeal are taxed to the appellant, Konah Evangeline Buckman, and her surety, for which execution may issue if necessary. _________________________________ BRANDON O. GIBSON, JUDGE 14
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
