HIPAA authorization required after plaintiff sent HCLA notice to multiple providers.

Where plaintiff only named one provider as a defendant in an HCLA case, but sent pre-suit notice to forty healthcare providers, a HIPAA-compliant medical authorization was required to be sent with her pre-suit notice. Further, a HIPAA form that left blank the section stating who could disclose records to defendant did not substantially comply with the statute.

In Moore-Pitts v. Bradley, No. E2018-01729-COA-R3-CV (Tenn. Ct. App. Dec. 9, 2019), plaintiff filed an HCLA claim against a single defendant. Before filing suit, however, plaintiff sent pre-suit notice to approximately forty healthcare providers. With her pre-suit notice, plaintiff attached a HIPAA authorization, but the authorization left blank the portion listing “the name of the person or entity authorized to provide records to Defendant.” Attached to the authorization was a list of the forty providers who had received the notice.

Defendant filed a motion to dismiss based on the allegedly insufficient HIPAA authorization. The trial court ruled that the authorization provided did not comply with the statute, that plaintiff was thus not entitled to the 120-day extension of the statute of limitations, and that plaintiff’s complaint should be dismissed as time barred. The Court of Appeals affirmed.

On appeal, the Court first looked at whether plaintiff had substantially complied with the requirements of Tenn. Code Ann. § 29-26-121(a)(2)(E). The Court noted that a description of the person or entity authorized to make the disclosure is a “core requirement for a HIPAA-compliant medical authorization,” but also pointed out that “not every failure to comply perfectly with [the] statute is fatal to a healthcare liability plaintiff’s case.” (internal citations omitted). When analyzing substantial compliance, “a reviewing court should consider the extent and significance of the plaintiff’s errors and omissions and whether defendant was prejudiced by the plaintiff’s noncompliance.” (internal citation omitted).

Regarding this specific HIPAA authorization, the Court ruled:

[A] defendant is not required to fill in the blanks of a medical authorization to make it a valid authorization in compliance with HIPAA. …[P]roviders[are] under no obligation to complete the authorization forms provided to them by the plaintiff in order to assist the plaintiff in achieving substantial compliance[.] …In the case before us, Plaintiffs failed to identify on the medical authorization the identity of the individual entity authorized to make the disclosure of medical records to defendant. …[W]e conclude that this is an essential element for the Defendant to obtain records from the other providers. The omission of the individual or entity authorized to make the disclosure of medical records to Defendant prevented Defendant from obtaining the records for investigatory purposes prior to commencement of the action.

(internal citations omitted). The Court thus held that plaintiff did not substantially comply with the HCLA requirements.

Plaintiff argued that a HIPAA authorization was not required here, as the Supreme Court held in Bray v. Khuri, 523 S.W.3d 619 (Tenn. 2017) that a HIPAA form was not required when plaintiff sued a single defendant who was in possession of all the relevant records. The Court distinguished this case from Bray, however, by stating that the holding in Bray only applies “when a plaintiff sends pre-suit notice to only one provider, not when he or she files suit against only one provider.” Here, plaintiff sent pre-suit notice to forty providers, and defendant was unable to obtain records from these other providers. “Defendant had no way to know that Plaintiffs would file suit against only him.” Because pre-suit notice was sent to multiple providers, the Court ruled that Bray was inapplicable.

Finally, plaintiff argued that her noncompliance should be excused for extraordinary cause, asserting that she had “sought treatment from numerous medical providers.” The Court ruled that the “factual circumstances surrounding this action are not extraordinary” and that many HCLA plaintiffs have previously sought treatment with multiple doctors.

Because plaintiff did not substantially comply with the HIPAA authorization requirements of the HCLA, she was not entitled to rely on the 120-day extension of the statute of limitations, and dismissal of her case as time-barred was affirmed.

The HIPAA authorization continues to be one of the most troublesome portions of the HCLA for many plaintiffs. Based on this opinion, plaintiffs sending notice to more than one provider must send compliant HIPAA authorizations and cannot rely on the single defendant exception to this requirement.

NOTE:  to aid lawyers in giving clients guidance about how long it takes to receive an opinion after oral argument in the appellate courts, we are going to start sharing that information with readers.   Please understand that the length of time that elapses between oral argument and the date the opinion is released is dependent on a multitude of factors, not the least of which is the complexity of the issues presented.  In this case, the opinion was released about seven weeks after oral argument.