HIPAA-Compliant Authorization Still Required where Defendant is only Health Care Provider at Issue

The HIPAA release required by the Health Care Liability Act and the standards for HIPAA compliance continue to be a litigated issues in this evolving area of Tennessee law.

In Bray v. Khuri, No. W2015-00397-COA-R3-CV (Tenn. Ct. App. Dec. 3, 2015), plaintiff was the surviving spouse of a patient who committed suicide while admitted to a hospital under defendant doctor’s care. Before filing suit, plaintiff sent a notice letter and a medical authorization form to defendant. Once plaintiff filed her complaint, defendant filed a motion to dismiss, arguing that plaintiff failed to provide a HIPAA-compliant medical authorization as required by Tenn. Code Ann. § 29-26-121(a)(2)(E) because the authorization provided “did not include a description of the information to be used and it failed to identify which health care providers were authorized to make the requested disclosure.” Plaintiff opposed the motion to dismiss, asserting that she did not have to provide a HIPAA-compliant authorization since the only health care provider at issue was defendant, and that “the form she provided was not deficient when read in conjunction with the potential claim letter accompanying it.”  The trial court agreed with defendant, dismissing plaintiff’s claim, and the Court of Appeals affirmed.

The first issue on appeal was whether plaintiff was required to provide defendant with a HIPAA-compliant authorization when defendant “was the only medical provider being sent the notice of potential claim.” In support of her argument that no medical authorization was required here, plaintiff pointed to the language of the statute, which states that a plaintiff’s written notice “shall include…[a] HIPAA compliant medical authorization permitting the provider receiving the notice to obtain complete medical records from each other provider being sent a notice.” Tenn. Code Ann. § 29-26-121(a)(2)(E). Plaintiff asserted that “the inclusion of the phrase ‘from each other provider’ signals that it is unnecessary to include an authorization when only one provider is receiving the notice because that provider already has all the relevant records in its possession.”

The Court, however, rejected this argument. In its analysis, the Court noted that one purpose of the notice statute is to “equip defendants with the actual means to evaluate the substantive merits of a plaintiff’s claim by enabling early access to a plaintiff’s medical records.” (internal citation omitted). Even in a situation such as the one in this case, where there was only one health care provider, the Court found that failure to provide a HIPAA-compliant authorization would “frustrate” the “full purpose of the statute.” “While [defendant] may have physically possessed Decedent’s records, he was unable to review them with his attorney in order to evaluate the merits of [plaintiff’s] claim.” Thus, the Court stated that it could not “construe a statute in such a sway that would violate ‘the obvious intention of the legislature’” and held that a HIPAA authorization was required in this case.

The next issue was whether the form provided by plaintiff was, in fact, HIPAA compliant. According to defendant, plaintiff’s form failed to satisfy the statutory requirements because it “did not include a description of the information to be used and also failed to specifically identify which health care providers were authorized to make the requested disclosures.” Plaintiff’s form left blank “the portion of the authorization form describing the type and amount of information to be used.” Plaintiff argued, though, that “the accompanying notice letter authorized [defendant] to fill in the blank with the necessary information.” The Court found two problems with this assertion. First, the Court found that “nothing in the notice letter explicitly authorize[d] [defendant] to make any additions or changes to the authorization.” Second, the Court pointed out that the onus for statutory compliance is on the plaintiff, not the defendant. Further, “federal regulations state that an authorization is not valid if the authorization has not been filled out completely, with respect to an element described” by a specific section of the federal regulations.  45 C.F.R. § 164.508(b)(2)(ii). Accordingly, the Court held that a “core element” was left blank and that the form provided was not HIPAA-compliant, affirming dismissal of the complaint.

This case is yet another example of a plaintiff who potentially had a meritorious claim losing her chance to litigate due to errors on her HIPAA form. In single defendant cases where the defendant health care provider has all of the relevant records, a common sense approach to issues like these would seem to lean towards a more lenient approach. The Court of Appeals, however, has repeatedly held HIPAA forms to exacting standards, even in these single provider cases. One interesting issue here is whether it would have made a difference if plaintiff’s letter had, in fact, explicitly allowed defendant to fill in any blank spaces on the authorization. Since the Court rejected plaintiff’s argument that her form was compliant for two reasons, both that the letter did not authorize defendant to add to the form and that the burden to provide a statutorily compliant form is on plaintiff, it is unclear whether an explicit allowance for defendant to fill in the blanks would have changed the outcome of this case.

One final point.  The notion that  the defendant “was unable to review them with his attorney in order to evaluate the merits of [plaintiff’s] claim” is a interesting claim.  I don’t profess to be an expert on HIPAA law, but I can tell you that before the notice statute came into effect I was never, not once, asked by a defendant health care provider for a release so that it could show my client’s medical records to their attorneys.  Now, perhaps those defendants were violating the law.

But I doubt it.