HCLA dismissal based on insufficient HIPAA authorizations affirmed.

by

Where a HIPAA authorization only allowed the healthcare professionals to release records, not to obtain them, the Plaintiff had failed to substantially comply with the HCLA and dismissal was affirmed.

In Moxley v. AMISUB SHF Inc. d/b/a Saint Francis Hospital, No. W2025-00443-COA-R3-CV (Tenn. Ct. App. Mar. 13, 2026) (memorandum opinion), the plaintiff filed a health care liability suit against the defendants based on alleged medical negligence during her cancer treatment. The plaintiff had sent pre-suit notice to twelve possible defendants, but the HIPAA authorizations included with those pre-suit notices only stated that the receiving entity could release records to certain other entities. The HIPAA authorizations did not contain any language “stating that [the defendants] could ‘obtain’ any medical records.”

The defendants filed a motion to dismiss, asserting that the plaintiff failed to comply with the HCLA requirements found in Tenn. Code Ann. § 29-26-121. On this third appeal in this case, the Court of Appeals affirmed dismissal based on the insufficient HIPAA authorizations.

The pre-suit notice content requirements found in Tenn. Code Ann. § 29-26-121(a)(2), which includes the requirement that a HIPAA authorization be sent with pre-suit notice, can be satisfied by substantial compliance. When considering whether a plaintiff has substantially complied, courts should consider whether the defendants were prejudiced. The plaintiff here argued that she substantially complied with the HCLA because the medical providers could have received records from other providers by asking for them. The Court disagreed.

The Court noted that “because the penalties imposed on entities that wrongfully disclose or obtain private health information in violation of HIPAA are severe, the sufficiency of the plaintiffs’ medical authorizations is imperative.” (internal citation and quotation omitted). The “plain language of Tennessee Code Annotated section 29-26-121(a)(2)(E)…requires a HIPAA authorization specifically ‘permitting the provider…to obtain complete medical records.’” The Court concluded:

Because the authorizations tendered by Appellant do not contain the identifying information of each person or entity able to receive/obtain Mr. Moxley’s medical information, the authorizations are incomplete and ineffective. In this regard, Appellant failed to substantially comply with the requirements of Tennessee Code Annotated section 29-26-121(a)(2)(E), and Appellees were deprived of the ability to obtain and review the applicable medical records. This Court has held that, “Defendants are clearly prejudiced when unable, due to a form procedural error, to obtain medical records needed for their legal defense.”

Dismissal of the complaint was therefore affirmed.

Of all the components of HCLA pre-suit notice, HIPAA authorizations continue to be one of the most litigated. HCLA plaintiffs must take care when preparing these authorizations.

This memorandum opinion was released two months after oral arguments.

Contact Information
Brentwood Office
Mailing Address
5141 Virginia Way, #270
Brentwood, TN 37027
Toll Free: 866.812.8787
Phone: 615.742.4880
Fax: 615.742.4881
Nashville Office
810 Dominican Dr #315
Nashville, TN 37228
Toll Free: 866.812.8787
Phone: 615.669.3993
Fax: 615.742.4881
Murfreesboro Office
1639 Medical Center Pkwy #105
Murfreesboro, TN 37129
Toll Free: 866.812.8787
Phone: 615.867.9900
Fax: 615.742.4881
This is a paid legal advertisement.

Please do not include any confidential or sensitive information in a contact form, text message, or voicemail. The contact form sends information by non-encrypted email, which is not secure. Submitting a contact form, sending a text message, making a phone call, or leaving a voicemail does not create an attorney-client relationship.

Copyright © 2015 – 2026, The Law Offices of John Day, P.C.
JUSTIA Law Firm Blog Design