v.
Dr. Xiao Yu
11/20/2018 IN THE COURT OF APPEALS OF TENNESSEE AT JACKSON October 9, 2018 Session
MARY WENZLER v. DR. XIAO YU, ET AL.
Appeal from the Circuit Court for Shelby County No. CT-003652-17 Mary L. Wagner, Judge ___________________________________
No. W2018-00369-COA-R3-CV ___________________________________
This is a health care liability case filed against a dentist and the dental practice that employed him. Before filing the complaint, the plaintiff gave written notice to the two potential defendants of her health care liability claims against them. Tennessee Code Annotated section 29-26-121(a)(2)(E) requires that a plaintiff’s pre-suit notice include a HIPAA compliant medical authorization permitting the health care provider receiving the notice to obtain complete medical records from every other provider that is being sent a notice. After the plaintiff filed suit, the defendants moved to dismiss the complaint based on noncompliance with the statute, as the defendants alleged that the HIPAA authorizations provided by the plaintiff did not contain all of the required information and were therefore invalid. After a hearing, the trial court granted the motion to dismiss, concluding that the authorizations provided by the plaintiff were not HIPAA compliant and therefore the plaintiff did not substantially comply with the statute. The plaintiff appeals. We affirm in part, reverse in part, and remand for further proceedings.
Tenn. R. App. P. 3 Appeal as of Right; Judgment of the Circuit Court Affirmed in Part, Reversed in Part, and Remanded
BRANDON O. GIBSON, J., delivered the opinion of the court, in which J. STEVEN STAFFORD, P.J., W.S., and ARNOLD B. GOLDIN, J., joined.
Kathleen L. Caldwell, Memphis, Tennessee, for the appellant, Mary Wenzler.
Laura L. Deakins, Memphis, Tennessee, and Lucas A. Davidson, Nashville, Tennessee, for the appellees, Xiao Yu, and American Family Dentistry of Memphis, PC.
OPINION
I. FACTS & PROCEDURAL HISTORY
On June 8, 2017, Plaintiff Mary Wenzler sent pre-suit notice letters to two potential defendants – Dr. Xiao Yu and American Family Dentistry of Memphis, PC – notifying them of potential health care liability claims arising out of their care and treatment of Mrs. Wenzler on June 13, 2016. The pre-suit notice letters stated that Plaintiff was attaching HIPAA compliant medical authorizations authorizing each potential defendant to obtain complete medical records relating to her care and treatment from the other medical provider receiving the notice.[1] According to federal regulations, a HIPAA compliant authorization must, at a minimum, contain six “core elements,” including,
(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
45 C.F.R. § 164.508(c)(1). The HIPAA authorizations sent by Plaintiff mentioned that the information would be used for litigation but did not identify any particular person or class of persons to whom the covered entities could make the use or disclosure.
Plaintiff filed her complaint for health care liability on September 1, 2017, and named as defendants Dr. Xiao Yu and American Family Dentistry of Memphis, PC.[2] The defendants filed a motion to dismiss on October 2, 2017, asserting that Plaintiff failed to provide HIPAA compliant medical authorizations with her pre-suit notice letters as required by Tennessee Code Annotated section 29-26-121(a)(2)(E). Specifically, the defendants noted that the authorization forms failed to identify the person or entity that was authorized to receive the disclosure pursuant to the release. Based on this defect, the defendants argued that Plaintiff could not take advantage of the 120-day statutory extension to the statute of limitations provided by Tennessee Code Annotated section 29- 26-121(c), and as a result, her complaint was time-barred.[3] In response to the motion to dismiss, Plaintiff raised two arguments. First, she argued that her HIPAA authorization forms met or exceeded the statutory requirements. But alternatively, Plaintiff argued that even though there were “two named defendant medical providers: Dr. Yu and American Family Dentistry of Memphis, P.C. (Dr. Yu’s employer),” there was no “other” medical provider from whom records would be needed, so the defendants were not prejudiced.
[*2]After a hearing, the trial court entered an order granting the defendants’ motion to dismiss. The trial court found that Plaintiff’s authorizations were not HIPAA compliant, as they did not identify any person or entity that could receive the protected information. Because of this omission, the trial court concluded that Plaintiff did not substantially comply with Tennessee Code Annotated section 29-26-121(a)(2)(E). The trial court rejected Plaintiff’s argument that a HIPAA authorization was unnecessary in the event that only one set of medical records existed, stating, “[t]he current case law is clear that where there are two or more defendants, the plaintiff must provide HIPAA compliant authorizations to all defendants,” “even when the defendants stand in an employee- employer relationship.” Because Plaintiff was not entitled to rely on the 120-day extension of the statute of limitations, the trial court dismissed Plaintiff’s complaint as time-barred. Plaintiff timely filed a notice of appeal.
II. ISSUES PRESENTED
On appeal, Plaintiff asks this Court to consider “whether Plaintiff[] failed to provide a HIPAA compliant medical authorization with the[] pre-suit notice as required by Tennessee Code Annotated § 29-26-121(a)(2)(E).”4 Specifically, Plaintiff argues that she substantially complied with the statute despite her failure to identify the intended recipient of the medical records. Alternatively, she contends that a HIPAA authorization was not needed because “in essence the instant case involves a single health care provider.” For the following reasons, we affirm the decision of the circuit court in part,
section 121, she did not receive the 120 day extension, which made her [] Complaint time- barred”); J.A.C. by & through Carter v. Methodist Healthcare Memphis Hosps., 542 S.W.3d 502, 514 (Tenn. Ct. App. 2016) (“Due to the Plaintiffs’ substantial noncompliance, the trial court was correct in determining that the 120-day extension of the statute of limitations [] provided by Tennessee Code Annotated section 29-26-121(c) was unavailable.”) reverse in part, and remand for further proceedings.
[*3]III. STANDARD OF REVIEW
According to the Tennessee Supreme Court, The proper way for a defendant to challenge a complaint’s compliance with Tennessee Code Annotated section 29-26-121 [] is to file a Tennessee Rule of Procedure 12.02 motion to dismiss. In the motion, the defendant should state how the plaintiff has failed to comply with the statutory requirements by referencing specific omissions in the complaint and/or by submitting affidavits or other proof. Once the defendant makes a properly supported motion under this rule, the burden shifts to the plaintiff to show either that it complied with the statutes or that it had extraordinary cause for failing to do so. Based on the complaint and any other relevant evidence submitted by the parties, the trial court must determine whether the plaintiff has complied with the statutes. If the trial court determines that the plaintiff has not complied with the statutes, then the trial court may consider whether the plaintiff has demonstrated extraordinary cause for its noncompliance. If the defendant prevails and the complaint is dismissed, the plaintiff is entitled to an appeal of right under Tennessee Rule of Appellate Procedure 3 using the standards of review in Tennessee Rule of Appellate Procedure 13.
Myers v. AMISUB (SFH), Inc., 382 S.W.3d 300, 307 (Tenn. 2012). Because the trial court’s decision on the motion “involves a question of law, our review is de novo with no presumption of correctness.” Id. (citing Graham v. Caples, 325 S.W.3d 578, 581 (Tenn. 2010)).
IV. DISCUSSION
Under Tennessee law, a claimant must provide written pre-suit notice to a potential defendant before filing a complaint alleging health care liability:
Any person, or that person’s authorized agent, asserting a potential claim for health care liability shall give written notice of the potential claim to each health care provider that will be a named defendant at least sixty (60) days before the filing of a complaint based upon health care liability in any court of this state.
[*4]Tenn. Code Ann. § 29-26-121(a)(1). Pursuant to the statute, the pre-suit notice must include “[a] HIPAA compliant medical authorization permitting the provider receiving the notice to obtain complete medical records from each other provider being sent a notice.” Tenn. Code Ann. § 29-26-121(a)(2)(E) (emphasis added).
“Because the penalties imposed on entities that wrongfully disclose or obtain private health information in violation of HIPAA are severe, the sufficiency of the plaintiffs’ medical authorizations is imperative.” Woodruff by & through Cockrell v. Walker, 542 S.W.3d 486, 499 (Tenn. Ct. App. 2017). The specific requirements for a HIPAA compliant medical authorization are set forth in 45 C.F.R. § 164.508:
(a) Standard: Authorizations for uses and disclosures (1) Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. . . . .... (c) Implementation specifications: Core elements and requirements— (1) Core elements. A valid authorization under this section must contain at least the following elements: (i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. (ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure. (iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure. (iv) A description of each purpose of the requested use or disclosure. . . . (v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. . . . (vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.
(Emphasis added). “Under the plain language of the regulation,” with respect to subsection (iii), “a name is not required so long as there is specific identification of the entity, person, or class of persons authorized to receive the protected health records.”
[*5]Rush v. Jackson Surgical Assocs. PA, No. W2016-01289-COA-R3-CV, 2017 WL 564887, at *4 (Tenn. Ct. App. Feb. [13], 2017) perm. app. denied (Tenn. June 8, 2017). For example, a valid authorization may authorize disclosure to a designated class of persons, “such as the employees of XYZ division of ABC insurance company,” so long as the class is specifically identified. Id. On the other hand, an authorization simply listing the term “bearer” does not satisfy the specificity requirement, and such a form is not HIPAA compliant. Id. Additionally, the HIPAA regulation expressly provides:
Defective authorizations. An authorization is not valid, if the document submitted has any of the following defects: .... (ii) The authorization has not been filled out completely, with respect to an element described by paragraph (c) of this section, if applicable[.]
45 C.F.R. § 164.508(b)(2). Thus, “HIPAA deems authorizations defective if not filled out completely.” Smith v. Wellmont Health Sys., No. E2017-00850-COA-R9-CV, 2018 WL 3343591, at *4 (Tenn. Ct. App. July 9, 2018).
As previously noted, the authorizations provided by Plaintiff in this case omitted information regarding element (iii), failing to identify any person or class of persons to whom the covered entity could make the requested use or disclosure. We now consider the effect of such an error under Tennessee law. The Tennessee Supreme Court provided guidance on that issue in Stevens ex rel. Stevens v. Hickman Community Health Care Services, Inc., 418 S.W.3d 547 (Tenn. 2013). In that case, the pre-suit notice provided by the plaintiff included a HIPAA authorization that only permitted the release of medical records to plaintiff’s counsel and lacked other required information. Id. at 552. The defendants moved to dismiss the complaint based on noncompliance with Tennessee Code Annotated section 29-26-121(a)(2)(E). Id. The trial court denied the motion, and the case eventually made its way to the Tennessee Supreme Court. Id. at 553. The supreme court recognized that “[h]ealthcare liability defendants have a right to receive medical records to defend themselves against civil liability,” and section 29-26- 121(a)(2)(E) requires a plaintiff to complete a HIPAA authorization “as a pre-condition of filing suit.” Id. at 557-58. The supreme court explained that the statute’s HIPAA authorization requirement serves “an investigatory function, equipping defendants with the actual means to evaluate the substantive merits of a plaintiff’s claim by enabling . . . early access to a plaintiff’s medical records.” Id. at 554. According to the court,
Because HIPAA itself prohibits medical providers from using or disclosing a plaintiff’s medical records without a fully compliant authorization form, it is a threshold requirement of the statute that the plaintiff’s medical authorization must be sufficient to enable defendants to obtain and review a plaintiff’s relevant medical records. See 45 C.F.R. § 164.508(a)(1) (“a covered entity may not use or disclose protected health information without an authorization that is valid under this section”). Tenn. Code Ann. § 29- 26-121(d)(1) creates a statutory entitlement to the records governed by § 29-26-121(a)(2)(E). See Tenn. Code Ann. § 29-26-121(d)(1) (“All parties in an action covered by this section shall be entitled to obtain complete copies of the claimant’s medical records from any other provider receiving notice ...”) (emphasis added). . . . . A plaintiff’s less-than-perfect compliance with Tenn. Code Ann. § 29-26-121(a)(2)(E), however, should not derail a healthcare liability claim. Non-substantive errors and omissions will not always prejudice defendants by preventing them from obtaining a plaintiff’s relevant medical records. Thus, we hold that a plaintiff must substantially comply, rather than strictly comply, with the requirements of Tenn. Code Ann. § 29-26-121(a)(2)(E).
[*6]Id. at 555 (emphasis in original).
Next, the court considered the sufficiency of the HIPAA authorization provided in that case to determine whether it substantially satisfied the requirements of the statute. Id. After noting the six core elements required by federal regulations, the supreme court concluded that the authorization at issue was not HIPAA compliant. Id. at 556. “First, and most importantly,” the court said, “by permitting disclosure only to Plaintiff’s counsel, Plaintiff’s medical authorization failed to satisfy the express requirement of Tenn. Code Ann. § 29-26-121(a)(2)(E) that a plaintiff’s medical authorization ‘permit[ ] the provider receiving the notice to obtain complete medical records from each other provider being sent a notice.’” Id. Secondly, the court found that the authorization failed to satisfy at least three of the six compliance requirements mandated by HIPAA. Id. The court continued,
In determining whether a plaintiff has substantially complied with a statutory requirement, a reviewing court should consider the extent and significance of the plaintiff’s errors and omissions and whether the defendant was prejudiced by the plaintiff’s noncompliance. Not every non- compliant HIPAA medical authorization will result in prejudice. But in this case, the medical authorization submitted by Plaintiff was woefully deficient. The errors and omissions were numerous and significant. Due to Plaintiff's material non-compliance, Defendants were not authorized to receive any of the Plaintiff’s records. As a result of multiple errors, Plaintiff failed to substantially comply with the requirements of Tenn. Code Ann. § 29-26-121(a)(2)(E).
[*7]Id. (emphasis added). In a later case, the supreme court summarized Stevens as holding that “non-substantive errors and omissions and a plaintiff's less-than-perfect compliance with subsection 29-26-121(a)(2)(E) will not derail a healthcare liability claim so long as the medical authorization provided is sufficient to enable defendants to obtain and review a plaintiff’s relevant medical records.” Thurmond v. Mid-Cumberland Infectious Disease Consultants, PLC, 433 S.W.3d 512, 519-20 (Tenn. 2014) (quotations and bracketing omitted).
In sum, “there is no bright line rule that determines whether a party has substantially complied with the requirements of Tenn. Code Ann. § 29-26- 121(a)(2)(E)[.]” Rush, 2017 WL 564887, at *4. However, in order to substantially comply with the statute, a plaintiff must provide a defendant with a HIPAA compliant medical authorization form that is sufficient to allow the defendant to obtain the plaintiff’s medical records from the other providers being sent the notice. Brookins v. Tabor, No. W2017-00576-COA-R3-CV, 2018 WL 2106652, at *5 (Tenn. Ct. App. May 8, 2018); Travis v. Cookeville Reg’l Med. Ctr., No. M2015-01989-COA-R3-CV, 2016 WL 5266554, at *7 (Tenn. Ct. App. Sept. 21, 2016). In this context, substantial compliance requires “a degree of compliance that provides the defendant with the ability to access and use the medical records for the purpose of mounting a defense.” Lawson v. Knoxville Dermatology Grp., P.C., 544 S.W.3d 704, 711 (Tenn. Ct. App. 2017).
Applying these principles, we consider whether Plaintiff failed to substantially comply with section 29-26-121(a)(2)(E) by providing each defendant with an incomplete HIPAA authorization form that failed to identify to whom the covered entity could make the requested use or disclosure. Considering first “the extent and significance of the plaintiff’s errors and omissions,” as instructed by Stevens, 418 S.W.3d at 556, we note that these HIPAA authorizations were “defective” and “not valid” under HIPAA regulations due to Plaintiff’s omission. 45 C.F.R. § 164.508(b)(2)(ii). Her omission was both substantive and significant. As a result of Plaintiff’s failure to identify any authorized recipient of the records, her HIPAA authorizations did not permit the defendants to receive Plaintiff’s medical records.
In Lawson, 544 S.W.3d at 712, this Court found no substantial compliance where a similar core element of the plaintiff’s HIPAA authorization, designating who was authorized to make the requested use or disclosure, was left blank. Id. We explained that “health care providers presented with a medical authorization missing the identification of those authorized to release information would have no way of knowing that they were the providers for which the authorization was intended or that they were allowed to release medical records.” Id. As such, we concluded that the single omitted core element was “a necessary element” to the defendants’ legal authorization to use the medical records. Id.
[*8]In Riley v. Methodist Healthcare Memphis Hospitals, 731 F. App’x 481 (6th Cir. 2018), the Sixth Circuit considered a HIPAA authorization with the same omission as the one before us in the context of a diversity jurisdiction case alleging health care liability. Specifically, the plaintiffs in Riley left blank the section where they were supposed to list the persons to whom each provider could disclose the patient’s records. Id. at 488 (citing C.F.R. § 145.608(c)(1)(iii)). Applying Tennessee law and federal HIPAA regulations, the district court deemed the authorization defective, rejecting the plaintiff’s argument that the forms were HIPAA compliant and would effectively permit each defendant to share records with anyone it wished. Id. at 489. Instead, the district court concluded, because of the omission in the form, the defendants were permitted to disclose records to no one. Id. The Sixth Circuit found no error in this decision. Id. at 490. After reviewing Tennessee caselaw, the court concluded that “substantial compliance requires that the noncomplying features of the authorization do not render it insufficient to authorize access and use of the records,” and the form at issue in Riley “did not permit that access and use.” Id. at 491-92; see also Rush, 2017 WL 564887, at *4 (concluding that an authorization that failed to identify with specificity a person or class of persons able to receive the records but instead listing “bearer” was not HIPAA compliant).
Despite the deficiencies in Plaintiff’s HIPAA authorization, Plaintiff argues that “in essence the instant case involves a single health care provider,” and therefore, no HIPAA authorization was necessary in the first place. According to Plaintiff’s complaint, Dr. Yu was “a health care provider” who was “practicing dentistry at the dental clinic owned and operated by American Family Dentistry of Memphis, P.C.,” and Dr. Yu either “worked at, was employed by, or had an ownership interest in” American Family Dentistry.[5] Plaintiff argues that the Tennessee Supreme Court’s holding in Bray v. Khuri, 523 S.W.3d 619 (Tenn. 2017) is “directly on point” and no HIPAA authorization needed to be provided under these circumstances.
In Bray, the plaintiff filed suit against one physician – a single “health care provider” within the meaning of HIPAA and the Tennessee Health Care Liability Act.[6] Id. at 620. The Tennessee Supreme Court examined the text of Tennessee Code Annotated section 29-26-121(a)(2)(E), which requires a person who asserts a potential claim for health care liability to provide with pre-suit notice a HIPAA compliant authorization “permitting the provider receiving the notice to obtain complete medical records from each other provider being sent a notice.” Tenn. Code Ann. § 29-26- 121(a)(2)(E). Considering the plain language of the statute, the Bray court concluded that “a prospective plaintiff who provides pre-suit notice to one potential defendant is not required under Tennessee Code Annotated section 29-26-121(a)(2)(E) to provide the single potential defendant with a HIPAA-compliant medical authorization.” Id. (emphasis added). In other words, “a plaintiff need not provide a HIPAA-compliant authorization when a single healthcare provider is given pre-suit notice of a healthcare liability claim.” Id. at 622 (emphasis added). According to the court, “The authorization only allows a potential defendant to obtain the prospective plaintiff’s medical records from any other healthcare provider also given notice and identified as a potential defendant in the pre-suit notice.” Id. (emphasis added).
[*9]The intermediate appellate court in Bray had concluded that even though the sole defendant-physician may have physically possessed the patient’s records, he could not review them with counsel to evaluate the merits of the claim absent a HIPAA compliant authorization. Id. at 621. Thus, on appeal, the physician maintained that a HIPAA authorization would be necessary because HIPAA would prohibit him from disclosing medical records already in his possession to his own counsel. Id. The supreme court recognized the “general rule” that “HIPAA prohibits a healthcare provider from using or disclosing protected health information without a valid authorization.” Id. (citing 45 C.F.R. § 164.508(a)(1)).7 However, examining HIPAA regulations, the supreme court found an applicable “regulatory exception to the general requirement of a HIPAA- compliant medical authorization.” Id. at 623. The court explained that HIPAA regulations permit a health care provider to use or disclose protected health information for its own “health care operations,” with some exceptions. Id. at 622 (citing 45 C.F.R. §
defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.” 45 C.F.R. § 160.103. Tennessee Code Annotated section 29-26-101(a)(2) defines a “health care provider” as “[a] health care practitioner licensed, authorized, certified, registered, or regulated under any chapter of title 63 or title 68 . . . .”