Non-Compliant HIPAA Release Prejudiced Only One Defendant

Where plaintiff gave pre-suit notice of an HCLA suit to two defendants related by employment, but her HIPAA authorization failed to identify to whom medical records could be disclosed, the Court of Appeals analyzed whether each defendant was individually prejudiced by the lack of compliance. The Court ultimately concluded that the employer defendant who was in possession of all the records was not prejudiced and the suit could continue against it, but that the employee defendant who did not possess the records was prejudiced.

In Wenzler v. Yu, No. W2018-00369-COA-R3-CV (Tenn. Ct. App. Nov. 20, 2018), plaintiff filed a health care liability case against a dentist and the practice for which he worked. She sent pre-suit notice with a HIPAA authorization attached, but while the HIPAA authorization “mentioned that the information would be used for litigation,” it “failed to identify the person or entity that was authorized to receive the disclosure pursuant to the release.” The trial court found that the HIPAA authorizations did not substantially comply with the statutory requirements and that plaintiff was therefore not entitled to the 120-day extension of the statute of limitations, and thus dismissed the complaint as time-barred. The Court of Appeals affirmed as to the dentist but reversed as to the dental practice.

On appeal, plaintiff advanced two arguments: first, that she had substantially complied with the statutory requirements, and alternatively that “a HIPAA authorization was not needed because in essence the instant case involve[d] a single health care provider.”

The Court of Appeals first rejected the argument that the forms were compliant despite plaintiff’s failure to identify persons to whom disclosures could be made. The Court noted that “in order to substantially comply with the statute, a plaintiff must provide a defendant with a HIPAA compliant medical authorization form that is sufficient to allow the defendant to obtain the plaintiff’s medical records from the other providers being sent the notice.” Here, the failure to name persons to whom disclosures could be made was deemed “substantive and significant,” and the Court found that plaintiff’s “HIPAA authorizations did not permit the defendants to receive Plaintiff’s medical records.”

Second, the Court analyzed plaintiff’s argument that this case was essentially a single defendant case. In Bray v. Khuri, 523 S.W.3d 619 (Tenn. 2017), the Tennessee Supreme Court held that “a prospective plaintiff who provides pre-suit notice to one potential defendant is not required under Tennessee Code Annotated section 29-26-121(a)(2)(E) to provide the single potential defendant with a HIPAA-compliant medical authorization.” Plaintiff argued that because defendant dentist was working at and employed by defendant practice, the Bray reasoning should apply. The Court quickly rejected this argument, though, pointing out previous case law and stating that this “factual situation…does not fall within the ‘single healthcare provider’ exception recognized in Bray that would have excused Plaintiff from providing a HIPAA authorization in the first place.”

The Court’s analysis, however, did not stop there. The Court recognized a second holding from Bray, that “a health care provider may use or disclose protected medical information for its health care operations and does not need to obtain a medical authorization in order to use a patient’s medical records in its possession and consult with counsel to evaluate the merits of a potential claim.” With this context in mind, the Court stated that “to the extent that Plaintiff is attempting to argue a lack of prejudice in light of the two defendants’ employment relationship, we find it necessary to consider the issue of prejudice separately with respect to each defendant.”

In this case, the defendants had admitted that defendant dentist did not have any medical records, and that all medical records were possessed and maintained by the practice. Accordingly, the Court found that “it was not necessary for [the practice] to utilize the HIPAA authorization to obtain records from any other health care provider identified as a potential defendant,” and the practice was able to use the relevant records in its possession. The Court ruled:

[W]e simply conclude that our decision is controlled by the Bray decision and its conclusion regarding the use of records that are already in the possession of a health care provider. Discerning no prejudice to [defendant dentistry practice] due to Plaintiff’s failure to provide it with a HIPAA compliant release, we conclude that Plaintiff substantially complied with [the statute], she was entitled to the 120-day extension to the statute of limitations, and her claim against [the practice] was not time-barred.

With respect to the dentist, however, the Court affirmed the dismissal. While plaintiff argued that it was “incomprehensible” that the dentist did not have access to the practice’s records, the Court noted that “HIPAA distinguishes between uses or disclosures for purposes of treatment and those for purposes of health care operations.” The HIPAA exception that allows a health care provider to use records in its possession for litigation “would not permit [the practice] to disclose records to [the dentist] for purposes of [the dentist’s] health care operations,” and thus the dentist was prejudiced by plaintiff’s failure to provide a compliant release.

Accordingly, dismissal as to the dentist was affirmed, and dismissal as to the practice was reversed.

This case presents a more nuanced, defendant-specific approach to analyzing HIPAA authorization compliance than we are accustomed to seeing. The 2017 Bray case opened the door for this type of analysis, and it will be interesting to see how the concept of lack of prejudice continues to develop.