No HIPAA Form Required in Single Defendant Medical Negligence Case

In an important turn in medical malpractice (now know as health care liability) law, the Tennessee Supreme Court has held that “a prospective plaintiff who provides pre-suit notice to one potential defendant is not required under Tennessee Code Annotated section 29-26-121(a)(2)(E) to provide the single potential defendant with a HIPAA-compliant medical authorization.”

In Bray v. Khuri, No. W2015 -00397-SC-R11-CV (Tenn. July 5, 2017), plaintiff filed an HCLA claim against a single physician under whose care her husband was at the time he committed suicide. Prior to filing suit, plaintiff sent pre-suit notice to the single defendant, including a medical authorization signed by plaintiff.

After the complaint was filed, defendant moved to dismiss based on the medical authorization not being HIPAA compliant. The trial court granted the dismissal, ruling that the lack of a HIPAA compliant authorization meant that defendant “could not use [decedent’s] records to prepare a defense,” and that the fact that there was a single defendant was “not determinative.” The Court of Appeals affirmed the dismissal, but the Supreme Court reversed.

In its analysis, the Court first looked directly at the language requiring the HIPAA-compliant form in HCLA cases, noting that Tenn. Code Ann. § 29-26-121(a)(2)(E) says that a pre-suit notice shall include “a HIPAA compliant medical authorization permitting the provider receiving the notice to obtain complete medical records from each other provider being sent a notice.” Based on this statute, the Court stated:

We hold that, based on the clear and unambiguous language of section 29-26-121(a)(2)(E), a plaintiff need not provide a HIPAA-compliant authorization when a single healthcare provider is given pre-suit notice of a healthcare liability claim. The authorization only allows a potential defendant to obtain the prospective plaintiff’s medical records from any other healthcare provider also given notice and identified as a potential defendant in the pre-suit notice.

Defendant argued that HIPAA prohibited the disclosure of medical records to legal counsel, but the Court disagreed. The Court noted that HIPAA includes a provision allowing disclosure for “health care operations,” and “health care operations” is defined to include “conducting or arranging for…legal services[.]” (internal citation omitted). The Court further pointed out that the U.S. Health and Human Services’ FAQ page includes a statement that “a healthcare provider may use or disclose protected health information for litigation ‘whether for judicial or administrative proceedings…or as part of the covered entity’s health care operations.’” Accordingly, the Court determined that “HIPAA does not require [defendant] to obtain a medical authorization to use a patient’s medical records in his possession and consult with counsel to evaluate the merits of a potential claim.”

Next, defendant argued that the HIPAA language quoted by the Court allowing the use of protected information only applied once a complaint had been filed, not during the time period between receiving pre-suit notice and the filing of the actual suit. The Court also rejected this assertion, finding that “[u]nder HIPAA regulations, ‘healthcare operations’ include arranging for legal services,” and that “HIPAA does not limit ‘legal services’ and ‘litigation purposes’ to pending lawsuits.” The Court held that plaintiff’s “pre-suit notice to [defendant], as the sole healthcare provider who would be a named defendant, sufficiently invoked the regulatory exception to the general requirement of a HIPAA-compliant medical authorization.”

Third, defendant argued that Roberts v. Prill, E2013-02202-COA-R3-CV, 2014 WL 2921930 (Tenn. Ct. App. June 26, 2014) controlled here. In Roberts, plaintiff served an oncologist and the group that employed him with pre-suit notice. The complaint was eventually dismissed due to the fact that plaintiff failed to provide a HIPAA-compliant authorization. Defendant asserted that the factual scenario here was the same, but the Court found that while both cases concerned an incomplete HIPAA authorization, the two cases were “factually distinguishable on a critical point: Roberts involved two defendants, whereas this case involves a single defendant.”

Finally, defendant asserted that the Patient’s Privacy Protection Act, a state law, was “more restrictive than HIPAA and bars the disclosure of protected health information without proper authorization or a court order.” The Court, though, noted that the Act “applies only to healthcare facilities, not physicians,” and that “[t]he healthcare liability act does not require a patient to provide an authorization under this statute.” The Court found that the Act “does not support [defendant’s] argument or provide any basis for upholding dismissal of [plaintiff’s] claim.” Accordingly, dismissal was reversed.

The Supreme Court clearly got this case right. When there is one defendant in an HCLA case, and that defendant thus already has all the relevant medical records, it makes no sense to dismiss the case due to the failure to provide a HIPAA – compliant authorization. Where no additional medical records can be sought from other defendants because there are no other defendants, a plaintiff certainly should not lose her day in court due to a technicality – a technicality that has absolutely no impact on the defendant’s ability to assess or defend the potential claim.