No magic words required to make HIPAA authorization compliant

Where a HIPAA authorization included with HCLA pre-suit notice “permits a defendant to obtain medical records in actual fact but simply does not include the word ‘obtain,’ it is still compliant.”

In Combs v. Milligan, No. E2019-00485-COA-R3-CV (Tenn. Ct. App. May 1, 2020), plaintiffs filed a health care liability suit against several defendants based on a surgically inserted port that became infected and caused permanent injuries. Before filing their complaint, plaintiffs sent the defendants pre-suit notice and included a HIPAA authorization as required by the HCLA. The authorization was accompanied by a letter that stated: “Attached please find a list of providers to whom a substantially similar notice is being sent…[Plaintiff] has executed a HIPAA-compliant medical authorization authorizing you to obtain complete medical records from [same list of providers].”

Defendants filed motions to dismiss on the basis of insufficient HIPAA authorizations, arguing that the releases provided “did not authorize them to obtain or use the medical records of any of the other noticed providers,” but that “each provider [was] only [authorized] to disclose and use his own records.” The trial court granted the motions to dismiss, but before that order was entered, counsel for three of the defendants “notified the court and all parties that a third-party claims administrator had obtained a separate authorization from [plaintiff] and had obtained the medical records on behalf of these three defendants.” A second order was thus entered setting aside the dismissal as to those three defendants. These three defendants were eventually granted summary judgment in a third order, after which time plaintiffs filed a notice of appeal. Plaintiffs voluntarily dismissed the three defendants who were granted summary judgment from the appeal, leaving only the defendants who were dismissed based on the allegedly insufficient HIPAA authorizations at issue in this opinion.

The Court of Appeals first rejected defendants’ argument that it did not have jurisdiction over this appeal because plaintiffs waited too long after the entry of the first order to file their notice of appeal. The Court noted that neither the first nor second order was a final order in this case, and found that plaintiffs “timely appealed” from the third order which was “the true final judgment in this case.”

Regarding the HIPAA authorizations, the Court of Appeals agreed with plaintiffs that they substantially complied with the HCLA requirements. The second paragraph of the authorizations at issue listed the provider “authorized to make the disclosure.” The fifth paragraph stated that the health care provider’s records “’may be disclosed to and used by’ all of the noticed providers.” Plaintiffs asserted that their authorizations fulfilled all the requirements of the federal regulations, and that “because each provider was authorized to disclose to each other provider, the authorization does in fact permit the providers to obtain all medical records from each other provider receiving notice.” Plaintiffs argued that the HCLA does not require the use of specific language, and that the authorizations they sent “allow[ed] the providers to share records with each other,” thus substantially complying with Tenn. Code Ann. § 29-26-121(a)(2)(E). Defendants, on the other hand, asserted that “the medical authorization only permitted them ‘to disclose’ their own medical records to other providers,” not to obtain medical records. Defendants’ argument was centered on plaintiffs’ failure to include the word “obtain” in the authorizations.

In its analysis of this issue, the Court noted that “it remains a threshold requirement of the statute that the plaintiff’s medical authorization be sufficient to enable defendants to obtain and review a plaintiff’s relevant medical records.” (internal citation omitted). Plaintiffs argued that the authorizations provided would have enabled defendants to obtain all relevant records and that defendants had shown no prejudice here, and the Court of Appeals agreed. The Court reasoned:

If, as here, an authorization permits a defendant to obtain medical records in actual fact but simply does not include the word ‘obtain,’ it is still compliant. Here, the authorization allowed each provider to share [plaintiff’s] medical records with every other provider receiving a notice. Had [defendants] requested records from the other providers, each of whom received their own similar authorization, they would have rece ived the records. Here, substantial compliance with the statute exists because [defendants] could get all of [plaintiff’s] medical records from the other medical providers. To obtain the records, all they had to do was ask. While their decision not to ask is understandable as a tactical matter, [defendants] were not prejudiced in the least by plaintiffs’ authorization.

Because plaintiffs substantially complied with the pre-suit notice requirements, dismissal was reversed.

The Court made the right decision here. The authorizations provided enabled defendants to get all the relevant records, and failure to use the word “obtain” did not change that result. Interestingly, the Court of Appeals noted that the trial court judge stated that he was granting the dismissal “regrettably” and that he “hate[d] to do that…I truly do, but it is what it is,” as he apparently felt constrained by previous cases interpreting the HIPAA authorization requirement.


NOTE:  this opinion was six and one-half months after oral argument.

Contact Information