HCLA Claim Dismissed Where One of Eight Providers was Named on HIPAA Form

A continued problem for HCLA plaintiffs seems to be complying with the requirement to provide a HIPAA authorization with their pre-suit notice. In Dolman v. Donovan, No. W2015-00392-COA-R3-CV (Tenn. Ct. App. Dec. 23, 2015), another HCLA claim was dismissed due to the inadequacy of plaintiffs’ HIPAA authorizations.

Plaintiffs’ claims related to the treatment of their father at Methodist Hospital. In their suit, plaintiffs named two doctors, Methodist LeBonheur Healthcare, Memphis Vascular Center, and Memphis Radiological, P.C. as defendants. In addition to the named defendants, pre-suit notice was served on an additional three parties—another doctor, Methodist Healthcare Germantown, and Mid-South Pulmonary Specialists. “The notice letters were accompanied by three Methodist LeBonheur Healthcare medical records authorizations forms. Substantively, the three authorizations were identical, but each was signed by a different [plaintiff].”

After suit was filed, defendants moved to dismiss, asserting that the authorizations did not comply with the HCLA statute in that they “only allow[ed] the release of records from Methodist LeBonheur Healthcare” and “did not enable them to obtain the records from ‘each provider being sent a notice’ as required by statute.” In response, plaintiffs argued that the HIPAA authorizations were compliant because they authorized the release of records from “Methodist LeBonheur Healthcare and its affiliates,” and that “the doctors and other named healthcare providers were ‘affiliates’ of Methodist….” Finding that the authorizations were not statutorily compliant, the trial court dismissed the case, and the Court of Appeals affirmed.

Tenn. Code Ann. § 29-26-121(a)(2)(E) requires that pre-suit notice include a HIPAA authorization “permitting the provider receiving the notice to obtain complete medical records from each other provider being sent a notice.” Here, plaintiffs asked the Court to take judicial notice of their assertion that all the providers who were sent notice were affiliates of Methodist. “A judicially noticed fact must be one that is not subject to reasonable dispute. It must be either (1) generally known within the territorial jurisdiction of the trial court or (2) capable of accurate and ready determination by resort to sources whose accuracy cannot reasonably be questioned.” (citations omitted). In support of their assertion that all parties were affiliates of Methodist, plaintiffs presented the following: (1) the fact that one of the doctors arranged for the other two to perform a procedure on decedent while in the hospital; (2) two pages printed from the internet, one that stated that one of the doctors was “the Medical Director of the ICU at Methodist Germantown Hospital” and one from the “Medicare healthcare professional profile page” that stated that the same doctor had “hospital affiliations” at Methodist Healthcare Memphis Hospitals; and (3) an assertion that two of the providers, including Methodist Healthcare, established one of the other providers.

In analyzing this matter, the Court noted that “affiliate” could have many meanings, not all of which “would suffice to allow access to a patient’s medical records.” Based on the evidence provided, the Court held that plaintiffs’ “rather sparse evidence regarding affiliation does not reveal the extent of [defendants’] right of access to the hospital’s records.” Here, the Court determined that there was not enough evidence to allow them to take judicial notice of the allegation that all the providers who received notice were affiliates with Methodist in such a way to be covered by the HIPAA authorization as written.

Plaintiffs tried to save their case by asserting that defendants had suffered no prejudice, first because defendants had not tried to obtain and been denied medical records and second because all relevant records were in the possession of Methodist Hospital. As to the first argument, the Court rejected the premise that a defendant must try to use a medical authorization and be denied before moving to dismiss based on its noncompliance with the statute, holding that “plaintiff—not defendants—is responsible for complying with the requirements of section 29-26-121(a)(2)(E).” (citation omitted). Regarding the argument that all relevant records were in the hospital’s possession (which was covered by the release), the Court pointed to defendants’ argument that “they do not know whether any of the other noticed providers have any relevant medical records because they were not given an opportunity to request or obtain records from each of the other noticed providers due to [plaintiffs’] failure to comply with the [statutory] mandates.” Rejecting the argument that defendants were not prejudiced, the Court affirmed dismissal of the case.

While many cases dismissing an HCLA claim for a faulty HIPAA authorization seem overly stringent and lacking in common sense, this case was problematic for the plaintiffs because sent pre-suit notice to eight separate healthcare providers, yet only listed one on the HIPAA authorization form. The entities listed were far more extensive than just a single medical practice and a doctor contained within that practice. The statute requires that providers being sent notice have authorization to obtain medical records from each other provider being sent notice, and listing only one of eight providers on your notice will likely never be sufficient under the current statutory scheme.