Tennessee HCLA Case Dismissed for Non-Compliant HIPAA Form.

As HCLA cases continue to make their way through the court system, we are learning more about what will constitute substantial compliance with the pre-suit notice content requirements. In the recent case of Harmon v. Shore, No. M2014-01339-COA-R3-CV (Tenn. Ct. App. April 23, 2015), the Court of Appeals reaffirmed what seems like an overly harsh result related to substantial compliance with the required HIPAA authorization.

In Harmon, plaintiff was injured by a procedure performed solely by Dr. Shore. Plaintiff submitted pre-suit notice to the two defendants she later named in her suit, Dr. Shore and the relevant hospital. The HIPAA form enclosed, however, only released plaintiff’s medical records to her own lawyer. Defendants filed a motion to dismiss, which was initially denied in 2013, but following a denial of Rule 9 appeal from the Court of Appeals and then a remand from the Supreme Court to reconsider in light of the holding in Stevens v. Hickman Cmty. Health Care Servs., 418 S.W.3d 547 (Tenn. 2013), the motion to dismiss was granted by the trial court.

Plaintiff did not argue that her HIPAA form strictly complied with the statutory requirements. Instead, her essential argument was that her non-compliance with the technical requirements should be excused because the defendants already had all the records at issue in this case. In her reply to defendants’ motion to dismiss, plaintiff stated:

Appellants submit that an example of sufficient “cause” is that Appellants knew [the hospital] had Dr. Shore’s records. We know [the hospital] had all of her records because it sent them to her four months before the Notice was sent and Dr. Shore’s records were included.

[The hospital] also had a HIPAA compliant medical authorization in its possession as early as June 7, 2012, scarcely a month after the incident. It also had the other Defendant’s records, i.e., Gregg Ian Shore, M.D. We know this because it sent those exact records to Ms. Harmon on June 7, 2010.

We also know that [the hospital] had the Shore records because Shore was their agent and he sent her the same records. Therefore, extraordinary cause exists for the exercise of judicial discretion.

The Court of Appeals rejected this argument and affirmed dismissal of plaintiff’s case. Citing Stevens, the Court stated that “because HIPAA itself prohibits medical providers from using or disclosing a plaintiff’s medical records without a fully compliant authorization form, it is a threshold requirement of the statute that the plaintiff’s medical authorization must be sufficient to enable defendants to obtain and review a plaintiff’s relevant medical records.” Though the errors in the HIPAA form that led to dismissal in Stevens were “multiple” and here plaintiff made the sole error of only allowing disclosure to her own attorney, the Court found this difference immaterial. Quoting Stevens, it noted that “First, and most importantly, by permitting disclosure only to Plaintiff’s counsel, Plaintiff’s medical authorization failed to satisfy the express requirement of Tenn. Code Ann. § 29-26-121(a)(2)(E) that a plaintiff’s medical authorization permit the provider receiving the notice to obtain complete medical records from each other provider being sent notice.”

The Court went on to cite Roberts v. Prill, No. E2013-02202-COA-R3-CV, 2014 WL 2921930 (Tenn. Ct. App. June 26, 2014), where it said that “[t]he question of whether a plaintiff’s permitting disclosure of medical records only to plaintiff’s lawyer is sufficient, standing alone, to warrant dismissal of a lawsuit on grounds of failure to substantially comply with the pre-suit notice requirements” had been answered in the affirmative. Like the plaintiff here, the plaintiff in Roberts argued that the defendant was not prejudiced by the non-compliant HIPAA form because he already had all the relevant records in his possession. The Roberts Court, however, held that “HIPAA generally provides that a covered entity may not use or disclose protected health information without valid authorization. Plaintiff’s case did not fall within one of the limited circumstances anticipated by HIPAA that would allow for the use of the records without authorization. The form failed to provide Defendants with the proper authorization to use the medical records to mount a defense.”

Likewise, the Court here ultimately upheld the trial court’s dismissal of plaintiff’s case, as the error on the HIPAA form allowing disclosure only to plaintiff’s counsel was determined to make the case subject to dismissal.

This result seems excessively harsh considering that the defendants in this case had access to all of the medical records they might have requested with proper HIPAA forms. With two cases on this issue, though, the Court of Appeals appears to have made its opinion fairly clear. It will be interesting to see if the Supreme Court takes one of these cases to provide clarity on this matter.