HIPAA authorization single-provider exception did not apply where 21 providers were sent HCLA pre-suit notice.

Where an HCLA plaintiff sent pre-suit notice to twenty-one healthcare providers but failed to provide HIPAA authorizations for at least nineteen of those providers, dismissal was affirmed. In Shaw v. Gross, No. W2019-01448-COA-R3-CV (Tenn. Ct. App. April 13, 2021), plaintiff filed suit as the administrator of the decedent’s estate after decedent died of sepsis. Decedent had presented at defendant hospital and been treated by defendant doctor before being released with a dehydration diagnosis, but he returned to defendant hospital the next day and was diagnosed with sepsis, which eventually led to his death.

Before filing her complaint, plaintiff sent pre-suit notice to defendant hospital, defendant doctor, and nineteen other medical providers. After an initial grant of summary judgment, appeal, and remand, defendants filed motions to dismiss on the basis that plaintiff’s HIPAA authorizations sent with her pre-suit notice were incomplete, and that the HIPAA authorizations did not allow defendants to obtain records from the nineteen other providers that were sent notice. After the motion to dismiss was filed, plaintiff amended her complaint, alleging that “all doctors and providers to include Dr. Gross only saw and treated Decedent at Methodist Hospital.” The trial court granted the motion to dismiss, finding that plaintiff had failed to comply with the pre-suit notice requirements and thus was not entitled to the 120-day extension of the statute of limitations, making her complaint untimely, and the Court of Appeals affirmed.

The HCLA requires that a plaintiff include with her pre-suit notice a “HIPAA compliant medical authorization permitting the provider receiving the notice to obtain complete medical records from each other provider being sent a notice.” (Tenn. Code Ann. § 29-26-121(a)(2)(E)). The Court of Appeals decided to first analyze defendants’ argument that plaintiff had failed to provide HIPAA authorizations for all required entities, as that issue was dispositive of the appeal.

While perfect compliance with the HIPAA authorization component of pre-suit notice is not required, “[s]ubstantial compliance still requires that medical authorizations must sufficiently enable defendants to obtain and review relevant medical records.” (internal citations omitted). “If a plaintiff’s noncompliance with Section 121 frustrates or interferes with the purposes of Section 121 or prevents the defendant from receiving a benefit Section 121 confers, then the plaintiff likely has not substantially complied with Section 121.” (internal citation omitted). Here, plaintiff argued that because defendant doctor treated decedent at defendant hospital, all records were held at defendant hospital, and she only named the one doctor and the hospital as defendants, “she was not required to provide HIPAA-compliant authorizations because this case falls within the one-provider exception recognized by the Tennessee Supreme Court in Bray v. Khuri, 523 S.W.3d 619 (Tenn. 2017)).” Plaintiff argued that defendants doctor and hospital “should be considered one entity for purposes of HIPAA because they were engaged in joint activity under an Organized Health Care Arrangement, and all relevant records were held by the Hospital.”

Without deciding whether defendants doctor and hospital would have fallen under the one-provider exception, the Court rejected plaintiff’s arguments because more providers than

just the named defendants were sent pre-suit notice in this case. After reviewing similar cases where the one-provider exception was found not to apply, the Court explained:

[Plaintiff] chose to send pre-suit notice to twenty-one different medical providers. Under 29-26-121(a)(2)(E), [plaintiff] was therefore required to provide a HIPAA compliant medical authorization allowing [defendants] to obtain complete medical records from each other provider being sent a notice, i.e., each of the other nineteen medical providers. There is absolutely no dispute in this case that neither Dr. Gross nor the Hospital received authorizations allowing them to obtain records from at least nineteen of the twenty-one medical providers who were sent pre-suit notice…. [Defendants] were therefore denied a benefit conferred by the statute, sufficient to demonstrate prejudice….

The burden therefore shifted to [plaintiff] to show substantial compliance… The holding in Bray, however, provides no support for [plaintiff’s] contentions. As we have repeatedly stated, the Bray exception is only applicable when only a single provider is given pre-suit notice. There is no dispute in this case that pre-suit notice was provided to a total of nineteen medical providers, beyond the two medical providers that were ultimately named as defendants in this case.

(internal citations and quotations omitted).

The Court also explained that plaintiff’s amendment to her complaint, alleging that all treatment occurred at the hospital, did not change the result here. The Court stated that “the relevant time frame for determining the issue of prejudice was during the pre-suit investigative phase,” and the amendment was not filed until after the motion to dismiss. The Court stated that at the time notice was sent, defendants were not “provided access to the records of [the other nineteen] providers” and “had no way to know that [plaintiff] would file suit against only [defendants].” (internal citation omitted). The Court also noted that plaintiff had not “establish[ed] that the other nineteen providers had no relevant records.” The Court stated:

It was [plaintiff’s] choice to give these providers pre-suit notice, indicating that they were somehow relevant to this litigation. And [plaintiff] has submitted no affidavits or other evidence to demonstrate that these other providers had no relevant records related to the injuries at issue in this case, much less that [defendants] knew this fact during the pre-trial investigatory phase.

Because plaintiff failed to provide HIPAA authorizations for all providers being sent notice, she did not comply with the HCLA and was not entitled to the 120-day statute of limitations extension thereunder. Dismissal of her claim based on the statute of limitations was accordingly affirmed.

HIPAA authorizations continue to be a much-litigated aspect of the HCLA. While the one-provider exception is helpful to some HCLA plaintiffs, this case and the cases cited therein are reminders that this exception will only apply in very specific fact scenarios.


NOTE:  This opinion was released thirteen weeks after oral argument.

Contact Information