Close
Updated:

Impact of noncompliant HIPAA authorization

Where an HCLA plaintiff sent pre-suit notice to a hospital and two doctors, the hospital had all the relevant documents, the doctors were independent contractors of the hospital who could only access the records for treatment purposes, and plaintiff’s HIPAA form was noncompliant and only allowed records to be released to plaintiff’s counsel, dismissal for the doctors was affirmed, but dismissal of the claim against the hospital was reversed.

In Christie v. Baptist Memorial Hospital d/b/a Baptist Memorial Hospital for Women, No. W2022-01296-COA-R3-CV (Tenn. Ct. App. Nov. 15, 2023), plaintiffs filed an HCLA claim based on the lack of treatment received by their newborn daughter, who was born and died on the same day at defendant hospital. Before filing suit, plaintiffs sent pre-suit notice to defendant hospital and two doctors who had been involved in the baby’s treatment. It was undisputed that the HIPAA authorization sent with the notice only allowed records to be released to plaintiff’s counsel rather than to other parties receiving notice.

Defendants filed motions to dismiss based on the faulty HIPAA authorizations, which the trial court “reluctantly” granted. On appeal, dismissal of the claims against the doctors was affirmed, but dismissal of the claim against the hospital was reversed.

Before the motions were heard, limited discovery was conducted, and the evidence showed that all records pertaining to the baby were at defendant hospital. The two doctors were independent contractors of the hospital, and they had access to all records, but only for the purpose of treating patients.

While the HCLA requires that a HIPAA compliant medical release be sent with a plaintiff’s pre-suit notice, “a plaintiff must substantially comply, rather than strictly comply, with the requirement of subsection 29-26-121(a)(2)(E).” (internal citation omitted). When reviewing for substantial compliance, a court should “consider the extent and significance of the plaintiff’s errors and omissions and whether the defendant was prejudiced by the plaintiff’s noncompliance.” (internal citation omitted). Regarding the HIPAA authorization, “it is a threshold requirement of the statute that the plaintiff’s medical authorization must be sufficient to enable defendants to obtain and review a plaintiffs’ relevant medical records.” (internal citation omitted).

Here, plaintiffs argued that the three defendants should be treated as a single provider, allowing the single provider exception outlined recognized in Bray v. Khuri, 523 S.W.3d 619, 620 (Tenn. 2017) to apply. This exception “holds that no pre-suit HIPAA authorization is required when only a single defendant is given pre-suit notice.” The Court of Appeals, however, rejected this argument, noting that the single provider exception “is narrow and limited to the case where only a single provider is named as a defendant,” and that utilizing the single provider exception had been rejected in similar cases.

Nonetheless, the Court found that the “health care operations” exception did apply to the hospital in this case. The health care operations exception “permits a provider to use a patient’s protected health care records in the provider’s own possession to consult with legal counsel in order to evaluate the merits of a potential claim.” (internal citation omitted). HIPPA permits a “health care provider to use or disclose protected health information in its possession for its own health care operations,” and health care operations include “conducting or arranging for legal services.” (internal citation omitted). Here, the hospital’s representative conceded that the hospital had all the relevant records and that it had “full access” to such records. Looking at the evidence and existing Tennessee caselaw, the Court ruled that “the pre-suit notice sent to [the hospital] was sufficient to invoke the regulatory exception to the general requirement of a HIPAA compliant medical authorization in this case.” Because plaintiffs presented proof that the hospital had all the records, then, dismissal of the claim against the hospital was reversed.

Regarding the two defendant doctors, plaintiffs argued that since they had access to the records, dismissal of the claims against them should also be reversed. The Court rejected this argument, pointing out that they were only authorized to access the records for treatment purposes, and that the doctors were independent contractors of the hospital. Because the doctors could not use the records to prepare for litigation, plaintiffs’ pre-suit notice to them did not substantially comply with the HCLA requirements, and dismissal of the claims against the doctors was affirmed.

This case is the latest in a long line of cases illustrating the issues that arise when a noncompliant HIPAA authorization is sent with an HCLA plaintiff’s pre-suit notice. As seen here, the single provider exception is very specific and is very unlikely to come into play when multiple defendants are named in the suit.

This opinion was released five months after oral arguments in this case.

 

Preparing an appeal?  Don’t forget to look at BirdDog Law’s free ebooks:  Tennessee Rules of Appellate Procedure, Rules of the Tennessee Supreme Court, and Tennessee Court of Appeals – Internal Operating Rules.  And check out my Practical Procedure and Evidence Blog to learn more traps for the unwary in handling Tennessee civil appeals.   

Contact Us