Notice letter could not cure deficiencies in HIPAA authorization.

Where plaintiff failed to include one of the core elements in the HIPAA authorizations sent with her HCLA pre-suit notice, she could not rely on her notice letter to “cure any deficiency on the authorization document.”

In Hancock v. BJR Enterprises, LLC, No. E2019-01158-COA-R3-CV (Tenn. Ct. App. May 14, 2020), plaintiff sued defendants as power of attorney for patient, who allegedly suffered skin problems, pressure sores, and severe sepsis after his treatment by defendants. Plaintiff sent a timely pre-suit notice “packet” to defendants, which included a cover letter directed to each provider, an attached list of the names and addresses of all providers being sent notice, and a HIPAA authorization.

Defendants filed motions to dismiss, arguing that the HIPAA authorizations did not substantially comply with the HCLA requirements because the “lines on the authorization form as to who was authorized to receive the patient’s records from the medical providers and others receiving notice” were blank. The trial court agreed and granted defendants’ motions to dismiss, and the Court of Appeals affirmed.

Tenn. Code Ann. § 29-26-121(a)(2)(E) requires that an HCLA plaintiff’s pre-suit notice include a “HIPAA compliant medical authorization permitting the provider receiving notice to obtain complete medical records from each other provider being sent notice.” Because this subsection serves an “investigatory function,” only substantial compliance is required. (internal citation omitted).

Here, there was no dispute that the authorizations sent by plaintiff failed to identify “the name or other specific identification of the person, or class of persons, to whom the covered entity may make the requested use or disclosure,” and that such information is one of the core elements listed in the federal regulations for HIPAA compliant medical authorizations. (internal citation omitted). Plaintiff argued, however, that the “materials in the pre-suit notice packet may be construed as one document” and thus cure this defect in the authorization. Plaintiff alleged that when the notice packet was looked at as a whole, it contained all the required information. Plaintiff also argued that “Defendants were not prejudiced because there was no proof in the record of any failed attempt to gain the records of Patient.” Further, plaintiff asserted that the “notes on the website of the Department of Health and Human Services” supported her argument that the notice letter was to be construed together with the HIPAA authorization. The Court of Appeals rejected all of plaintiff’s arguments.

In its analysis, the Court reviewed several other cases addressing the requirements of HIPAA authorizations, including one that was “almost directly on point” and held that “leaving a medical authorization blank as to who can receive records from a covered entity renders the authorization ineffective.” (see Wenzler v. Xiao Yu, 2018 WL 6077847 (Tenn. Ct. App. Nov. 20, 2018)). The Court explained:

Tennessee decisions have rejected the proposition that a healthcare liability defendant has a duty to assist a plaintiff achieve compliance or to test whether an obviously deficient HIPAA form would allow the release of records. … [A previous opinion] noted that the list of providers attached to the pre-suit notice letter did not supplement the HIPAA authorization to satisfy the requirement provided in [the federal regulation] because the federal regulations specifically prohibit compound authorizations. In the case before us, [plaintiff] failed to identify on the medical authorization the identity of the individual authorized to receive Patient’s records. …[W]e conclude that this is an essential element. A medical authorization lacking a core element is not valid. When a pre-suit medical authorization is facially invalid, the recipient is per se prejudiced and bears no burden to use or correct the form.

(internal citations and quotations omitted).

Because the pre-suit notice was held to be insufficient, plaintiff was not given the benefit of the 120-day extension of the statute of limitations. The suit was thus filed outside the statute of limitations and dismissal with prejudice was affirmed.

Chief Judge Swiney filed a one paragraph concurring opinion in this case, stating that he “continue[s] to adhere to the position [stated in a previous dissent] that if a medical authorization form along with other information provided to the healthcare providers is sufficient to enable them to obtain a plaintiff’s records simply by asking, then there is substantial compliance with Tenn. Code Ann. § 29-26-121(a)(2)(E).”

The HIPAA authorization continues to be the most troublesome portion of HCLA pre-suit notice for plaintiffs. Many cases never get the chance to be heard on their merits due to defects in the HIPAA forms sent with otherwise timely notices.

NOTE:  this opinion was released just under four months after oral argument.

Contact Information