HIPAA Form Releasing Records to Plaintiffs’ Counsel Not Compliant.

Where plaintiffs sent pre-suit notice to 45 health care providers, but the HIPAA authorization included with the notice only authorized disclosures to plaintiffs’ counsel, dismissal of their health care liability claim based on failure to comply with the statutory requirements was affirmed.

In Owens v. Stephens, No. E2018-01564-COA-R3-CV (Tenn. Ct. App. April 16, 2020), plaintiffs filed an HCLA claim against numerous defendants alleging that negligent care of plaintiff mother resulted in the death of her child. Before the suit was filed, plaintiffs sent pre-suit notice pursuant to the HCLA to 45 health care providers. This notice included a HIPAA authorization for the release of the mother and child’s medical records, but the release stated that it permitted providers “to disclose my entire medical record…to BREEDING & HENRY, LLC…” Breeding & Henry, LLC was the law firm representing plaintiffs.

Defendants filed a motion to dismiss, arguing that the HIPAA authorization did not meet the requirements of Tenn. Code Ann. § 29-26-121. Defendants asserted that “these forms prejudiced them because they could not access and review the medical records from each of the numerous other providers being sent notice to evaluate the merits of the claim.” The trial court dismissed the case without prejudice, and the Court of Appeals affirmed.

The HCLA requires that a plaintiff send pre-suit notice before filing suit, and that notice must include a HIPAA authorization “permitting the provider receiving notice to obtain complete medical records from each other provider being sent a notice.” (Tenn. Code Ann. § 29-26-121(a)(2)(E)). While the Tennessee Supreme Court has held that a plaintiff must only substantially comply with this requirement, “[s]ubstantial compliance still requires that medical authorizations must be sufficient to enable defendants to obtain and review relevant medical records.” (internal citations omitted).

Here, the form provided by plaintiffs only authorized disclosures to plaintiffs’ counsel. “No other parties were given authorization to make requests of protected private health information.” The Court of Appeals agreed that, based on these facts, plaintiffs failed to substantially comply with the statutory requirements. The Court explained that “the errant Authorizations prevented Defendants from obtaining records for investigatory purposes prior to the action’s start,” and that defendants were accordingly prejudiced.

Plaintiffs argued that a HIPAA authorization was not necessary here “because Defendants are all subsidiaries of one parent organization.” While the Tennessee Supreme Court made a ruling about single provider cases in Bray v. Khuri, 523 S.W.3d 619 (Tenn. 2017), the Court found that this case was distinguishable, as the reasoning in Bray applies “when a plaintiff sends pre-suit notice to only one provider…” Here, plaintiff sent notice to 45 providers, each of whom “holds individual licenses from the appropriate boards, and each provider records medical documents related only to their specific care of the patient.” The Court also rejected plaintiffs’ argument that because defendants were all covered by the Privacy Notice of Covenant Health, the single-provider rule should apply. The Court pointed out that several defendants were not Covenant Health entities and that the “Privacy Notice at issue does not permit one with the health care Notice to use the records of another health care provider for legal services.” (internal quotations omitted).

In addition, the Court rejected plaintiffs’ assertion that their noncompliance should be excused for extraordinary cause. The Court pointed out that “extraordinary cause” has been narrowly defined in Tennessee, and it ruled that the trial court did not abuse its discretion by refusing such a finding here.

Accordingly, dismissal was affirmed.

HIPAA authorizations continue to be one of the most litigated and troublesome portions of the HCLA pre-suit notice requirements for plaintiffs. Special care should be taken to ensure that HIPAA authorizations comply with the statute, as many plaintiffs run into problems based on these forms.

NOTE: this opinion was released almost eight months after oral argument.


Contact Information