Unchecked blanks made HIPAA authorization noncompliant.

Where a HIPAA authorization had blanks beside the names of all the providers listed under who was authorized to make disclosures, but none of the blanks were marked or checked, the HIPAA authorization was not compliant with the HCLA requirements.

In Crenshaw v. Methodist Healthcare-Memphis Hospitals, No. W2024-00682-COA-R3-CV (Tenn. Ct. App. May 7, 2025), the plaintiff filed a health care liability suit on behalf of her deceased mother. Per the HCLA statutory requirements, the plaintiff included a HIPAA authorization for the release of the decedent’s medical records with her pre-suit notice. Under the heading “The following individual or organization is authorized to make the disclosure,” the plaintiff listed thirteen providers. Beside each provider’s name there was a small blank. On the authorizations sent with the pre-suit notice, none of the small blanks were checked or marked in any way.

The defendants filed motions to dismiss asserting, among other arguments, that the HIPAA authorizations did not substantially comply with the HCLA statute. The trial court agreed and dismissed the plaintiff’s claims, and the Court of Appeals affirmed.

In affirming dismissal, the Court explained that “HIPAA deems authorizations defective if not filled out completely.” (internal citation omitted). It noted that it had “previously found that a plaintiff who left unmarked spaces next to the type of medical records to be disclosed made the authorization non-compliant and thus pre-suit notice ineffective.” (internal citation omitted). Applying the same logic to the present case, the Court wrote that the “authorization does not permit the named providers to disclose or receive [the decedent’s] records.”

The Court wrote:

By placing blank spaces next to the names of the various providers but failing to mark those spaces, Ms. Crenshaw has failed to indicate which persons and entities listed were permitted to receive or disclose Ms. Murphy’s medical records. Logic dictates that those entities permitted to disclose and receive information would be denoted by a mark placed in the blank space beside the entity’s respective name, as there is no other reason to have a blank space next to the names. Because the authorization does not contain the identifying information of each person or entity able to receive and disclose Ms. Murphy’s medical information, the authorization is incomplete and ineffective. While a non-substantive omission could be overlooked and the authorization still be substantially compliant, the failure to properly identify and authorize the persons permitted to disclose and receive records renders the authorization not substantially compliant.

(internal citation omitted).

The Court rejected the plaintiff’s assertion that the defendants should have tried to use the authorizations or should have checked the blanks themselves. The Court stated that the authorization’s incompleteness was “apparent on the face of the document,” and that “due to the apparent errors present on the authorizations, the providers were not required to test what were incomplete, and facially defective forms.” Further, the defendants “had no duty to bring the forms into compliance by marking the blank spaces.”

Because the HIPAA authorizations were non-compliant, the plaintiff was not entitled to the 120-day extension of the statute of limitations provided by the HCLA. Her suit was therefore time-barred, and dismissal was affirmed.

This case shows an HCLA plaintiff once again failing to get to the merits of her claim due to insufficient HIPAA authorizations. These authorizations continue to trip up health care plaintiffs, and attention must be paid to them.

This opinion was released four months after oral arguments in this case.
