EMAIL TO A COLLEAGUE COMMENT

 

Failure to Include HIPAA Authorization with Pre-suit Notice


A Tennessee statute required that a health care liability plaintiff’s pre-suit notice include a Health Insurance Portability and Accountability Act (HIPAA) compliant medical authorization permitting the health care provider receiving the notice to obtain complete medical records from every other provider that was also being sent a notice. A HIPAA compliant authorization must contain the name or other specific identification of the person or class of persons to whom the covered entity may make the requested use or disclosure.

 

Before filing a complaint, the patient gave written notice to the dentist and the dental practice that employed the dentist of the health care liability claims against them. The notice included HIPAA authorizations that did not contain all of the required information. Specifically, the authorizations mentioned that the information would be used for litigation, but did not identify any particular person or class of persons to whom the covered entities could make the use or disclosure.

 

The patient filed a health care liability complaint against the dentist and the dental practice that employed the dentist.

 

The dentist and dental practice moved to dismiss the complaint based on noncompliance with the Tennessee statute. Based on this defect, the motion argued that the patient could not take advantage of the 120 day statutory extension to the statute of limitations provided by the Tennessee statute. Consequently, the complaint was time-barred.

 

After a hearing, the Circuit Court for Shelby County granted the motion to dismiss. The trial court concluded that the HIPAA authorizations provided by the patient were not HIPAA compliant and, therefore, the patient did not substantially comply with the statute.

 

The Court of Appeals of Tennessee affirmed the trial court’s dismissal of the patient’s claims against the dentist, reversed the trial court’s dismissal of the patient’s claims against the dental practice, and remanded for further proceedings. The court held that (1) the patient’s HIPAA authorizations were defective and not valid under the HIPAA regulations due to the omission of the identity of a particular person or class of persons to whom the covered entities could make the use or disclosure, (2) the factual situation did not fall within the single health care provider exception that would have excused the patient from providing a HIPAA authorization in the first place, (3) the dental practice was not prejudiced by its inability to utilize the HIPAA authorization provided by the plaintiff because the dental practice could use its records to evaluate the merits of the claim without the need for a HIPAA authorization, and (4) the dentist was prejudiced by the inability to utilize the HIPAA authorization provided by the plaintiff because the dentist could not access records from the dental practice without a HIPAA authorization.

 

The patient’s HIPAA authorizations were defective and not valid under the HIPAA regulations due to the omission of the identity of a particular person or class of persons to whom the covered entities could make disclosure. The court found that the patient’s omission was both substantive and significant. As a result of the failure to identify any authorized recipient of the records, the patient’s HIPAA authorizations did not permit the dentist and dental practice to receive the patient’s medical records. The court concluded that the trial court did not err in finding that the HIPAA authorizations were defective.

 

The factual situation did not fall within the single health care provider exception that would have excused the patient from providing a HIPAA authorization in the first place. The court explained that a plaintiff need not provide a HIPAA compliant authorization when a single health care provider is given pre-suit notice of a health care liability claim and a health care provider may use or disclose protected health information for its healthcare operations and does not need to obtain a medical authorization in order to use a patient’s medical records in its possession and consult with counsel to evaluate the merits a potential claim. The court reasoned that despite the employer employee relationship between the dentist and dental practice, the case involved multiple defendants, consequently the single health care provider exception did not apply.

 

The dental practice was not prejudiced by its inability to utilize the HIPAA authorization provided by the plaintiff because the dental practice could use its records to evaluate the merits of the claim without the need for a HIPAA authorization. At oral argument before the appellate court, counsel for the dentist and dental practice conceded that the dentist did not possess the records and the dental practice did possess the records. The court explained that HIPAA does not require a defendant health care provider to obtain a medical authorization in order to use the patient’s medical records in its possession and consult with counsel to evaluate the merits of a potential claim. It was not necessary for the dental practice to use the HIPAA authorization to obtain records from any other health care provider identified as a potential defendant. The dental practice was authorized to use the records in its possession to evaluate the merits of the patient’s claim without the HIPAA authorization. The court reasoned that because the dental practice suffered no prejudice as a result of the defective HIPAA authorization and the statutory goal of allowing a defendant to evaluate the merits of a claim with early access to medical records was satisfied, the patient substantially complied with the statute with regard to the dental practice. The court concluded that the trial court erred in dismissing the patient’s claim against the dental practice because the patient was entitled to the 120-day extension to the statute of limitations and, consequently, the claim against the dental practice was not time-barred.

 

The dentist was prejudiced by the inability to utilize the HIPAA authorization provided by the plaintiff because the dentist could not access records from the dental practice without the HIPAA authorization. The court held that the exception to the HIPAA authorization requirement that would allow the dental practice to disclose the patient’s records for the purposes of the dentist’s healthcare operations did not extend to the dentist’s conducting or arranging for legal services. The court found that the patient did not demonstrate that the dentist had another means of access to the records maintained by the dental practice that would have enabled the dentist to evaluate the patient’s claim. The court concluded that the dentist was prejudiced by the lack of a HIPAA compliant authorization. The court affirmed the trial court’s dismissal of the patient’s claim against the dentist because the patient’s failure to substantially comply with the statute within the original statute of limitations resulted in the complaint against the dentist being untimely filed.

 

The Court of Appeals of Tennessee affirmed the trial court’s dismissal of the patient’s claims against the dentist and reversed the trial court’s dismissal of the patient’s claims against the dental practice.

 

See: Wenzler v. Yu, 2018 WL 6077847 (Tenn.Ct.App., November 20, 2018) (not designated for publication).

 

See also Medical Law Perspectives Report: Liability for Electronic and Other Medical Record Information Disclosure

 

See also Medical Law Perspectives Report: Dental Procedures and Oral Surgery: Extracting Risks and Liabilities

 

 

REPRINTS & PERMISSIONS COMMENT