HIPAA-compliant authorization forms continue to cause trouble for medical malpractice (now called “health care liability action” or ‘HCLA”) plaintiffs in Tennessee, with a recent plaintiff having his case dismissed due to his failure to fill in the portion of the form that lists who was authorized to make disclosures thereunder.
In Lawson v. Knoxville Dermatology Group, P.C., No. E2017-00077-COA-R3-CV (Tenn. Ct. App. Aug. 1, 2017), plaintiff filed suit against “a dermatology practice and a certified physician’s assistant employed by the practice.” The underlying injury occurred when plaintiff fell off an allegedly improperly secured examination table. Defendants filed motions to dismiss, asserting that plaintiff had failed to substantially comply with Tenn. Code Ann. § 29-26-121(a)(2)(E), the HCLA provision that requires that pre-suit notice include a HIPAA-compliant authorization. Specifically, defendants pointed out that plaintiff’s “authorization form did not list which individual(s) or organization(s) were authorized to make disclosures of the specified medical records.”
The trial court granted the motions to dismiss and entered an order dismissing all of plaintiff’s claims without prejudice. Plaintiff appealed the dismissal only as to the dermatology group, which the Court of Appeals affirmed.
On appeal, defendant pointed out that “the name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure” is listed as a “core element of the authorization” by the Code of Federal Regulations. (citation omitted). Defendant asserted that because this “core element” was left blank, plaintiff did not substantially comply with the HCLA requirements and dismissal was appropriate. According to defendant, “the medical authorization provided by [plaintiff] was insufficient to allow [defendant] to access relevant medical records to mount a defense.”