                                                                                           07/26/2018
                IN THE COURT OF APPEALS OF TENNESSEE
                           AT KNOXVILLE
                                  May 29, 2018 Session

KONAH EVANGELINE BUCKMAN, MOTHER AND NEXT OF KIN OF
EDWARD KOFI SASA LENOX BUCKMAN A/K/A EDWARD WELSELY,
  DECEASED v. MOUNTAIN STATES HEALTH ALLIANCE, ET AL.

                  Appeal from the Circuit Court for Washington County
                     No. 36257     James E. Lauderback, Judge


                             No. E2017-01766-COA-R3-CV


This is a healthcare liability case. Before filing the complaint, the plaintiff gave written
notice to the potential defendants of her healthcare liability claim against them.
Tennessee Code Annotated section 29-26-121(a)(2)(E) requires that a plaintiff’s pre-suit
notice include a HIPAA compliant medical authorization permitting the healthcare
provider receiving the notice to obtain complete medical records from every other
provider that is being sent a notice. After the plaintiff filed suit, the defendants moved to
dismiss the complaint based on noncompliance with the statute, as the defendants alleged
that the HIPAA authorization provided by the plaintiff had already expired when they
received it. The trial court granted the defendants’ motion to dismiss, concluding that the
HIPAA authorization was invalid due to the fact that the listed expiration date had
already passed when the authorization was provided to the defendants with pre-suit
notice. The plaintiff appeals. We affirm and remand for further proceedings.

Tenn. R. App. P. 3 Appeal as of Right; Judgment of the Circuit Court Affirmed and
                                    Remanded

BRANDON O. GIBSON, J., delivered the opinion of the court, in which CHARLES D.
SUSANO, JR., J., joined. D. MICHAEL SWINEY, C.J., filed a separate concurring opinion.

R. Wayne Culbertson, Kingsport, Tennessee, for the appellant, Konah Evangeline
Buckman.

Frank H. Anderson, Jr., Johnson City, Tennessee, for the appellees, Mountain States
Health Alliance, Individually, and Mountain States Health Alliance d/b/a Johnson City
Medical Center, and Mountain States Health Alliance d/b/a Niswonger Children’s
Hospital.
Charles Thaddeus Herndon, IV, and Charles Jason London, Johnson City, Tennessee, for
the appellees, Medical Education Assistance Corporation d/b/a ETSU Physicians &
Associates, Neil Kooy, M.D., and Demetrio Rebano Macariola, M.D.

                                                              OPINION

                                        I. FACTS & PROCEDURAL HISTORY

        On August 11, 2016, counsel for Konah Evangeline Buckman (“Plaintiff”) sent
letters to at least ten healthcare providers, notifying them of a potential healthcare
liability claim arising out of their care and treatment of Plaintiff’s son on August 15-16,
2015. The notice stated that counsel was enclosing a HIPAA compliant medical
authorization permitting each provider to obtain a complete copy of the child’s medical
records generated by the other providers.1 According to federal regulations, a HIPAA
compliant authorization must include six “core elements,” including,


        (v) An expiration date or an expiration event that relates to the individual or
        the purpose of the use or disclosure. The statement “end of the research
        study,” “none,” or similar language is sufficient if the authorization is for a
        use or disclosure of protected health information for research, including for
        the creation and maintenance of a research database or research repository.


45 C.F.R. § 164.508(c)(1). The HIPAA authorization sent by Plaintiff on August 11,
2016, provided, in part:
                                            HIPAA COMPLIANT
                            AUTHORIZATION FOR RELEASE OF MEDICAL INFORMATION

      Patient:
      Edward Koff Sasa Lenox Buckman aka Edward Welslev


      A. I hereby authorize any of the following listed providers to release information/ran my medical records to
         yourself and all other medical providers listed below:



     ....



1
 “HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Pub. L. No.
104–191, 110 Stat. 1936(codified as amended in scattered sections of 18 U.S.C., 26 U.S.C., 29 U.S.C., 42
U.S.C.).” Runions v. Jackson-Madison Cnty. Gen. Hosp. Dist., No. W2016-00901-SC-R11-CV, ---
S.W.3d ---, 2018 WL 2710948, at *1 n.3 (Tenn. June 6, 2018).
                                                  2
      B. For the following purpose: To be reviewed by said providers and his/her/their Attorneys, agents or
            representatives.

      C. For treatment dates: All treatment dates and all medical records

      D. Description of Information to be used:

      Copies of medical records regarding Edward Kali Sass Lenox Buckman aka Edward Welsley in the possession of
      the medical providers listed above in Part A, including but riot limited to, all medical records, meaning every page in the
      records, including but not limited to: office notes, fact sheets, history and physical, consultation notes, impatient,
      outpatient and emergency room treatment, all clinical charts, reports, order sheets, progress notes, nurse's notes. social




     worker records, clinic records, treatment plans, admission records, discharge summaries, requests for and reports of
     consultations, documents, correspondence, test results, statements, questionnaires/histories, correspondence,
     photographs, telephone messages, and records received by other medical providers. All physical, occupational and rehab
     requests, consultations and progress notes. All autopsy, laboratory, histology, cytology, pathology, immunohisto-
     chemistry records and specimens; radiology records and including CT scan, MR.I,!ARA,EMG,bone scan, myleograrn;
     nerve condition study, echocardiogram and cardiac catheterization results, videos/CDs/ films/reels and reports' All
     pharmacy/prescription records. All billing records including all statements.

     E.    I understand the information to be released or disclosed may include information relating to sexually transmitted
           diseases• acquired immunodeficiency syndrome (AIDS), or human immunodeficiency virus(HIV), and alcohol
           and drug abuse. I authorize the release or disclosure of this type of Information. This authorization is given in
           compliance with the federal consent requirements for release of alcohol or substance abuse records of 42 CFR
           2°31,the restrictions of which have been specifically considered and expressly waived"

     F. I understand the following:
              I. I have a right to revoke this authorization in writing at any time, except to the extent information has
                  been released in reliance upon this authorization'
              2. The information released in response to this authorization may here-disclosed to other parties'
              3. Trealment or payment for treatment cannot be conditioned on the signing of this authorization.
              4. The providers releasing the medical records are hereby released and discharged of any liability and I
                  will hold the facilities harmless for complying with this authorization for release of medical information.

     G. Any facsimile copy or photocopy of this authorization shall authorize the medical provider to release the records
          requested herein. This authorization shall be in force and effect until the conclusion of any litigation involving the
          providers listed above.

     H. This authorization shall expire on the following date-                               or (2 years from signature) or
          Event: O8/15/2015.

     I.   All medical records obtained pursuant to this authorization shall be copied by the recipient's office and a
          Bates-numbered copy shall he furnished to my counsel, R. Wayne CulbertRin, Mama at Law 119 W. Market
          Street. Kinesport,IN 37660 within five (5)days after the records are obtained by recipient.




Plaintiff filed her healthcare liability complaint on December 1, 2016.

       On January 30, 2017, some of the defendants jointly filed a motion to dismiss
asserting that they were provided with an expired and therefore invalid HIPPA
authorization, and consequently, Plaintiff had failed to substantially comply with
Tennessee Code Annotated section 29-26-121(a)(2)(E). These defendants argued in their
motion that they were unable to obtain copies of the patient’s medical records as a result.
Plaintiff filed a response, arguing that the expiration date was sufficient but that even if it
was deficient, the HIPAA authorization substantially complied with the statute. Plaintiff
                                                                           3
argued that the defendants had failed to demonstrate any prejudice as a result of the
alleged deficiency in the form.


       Additional defendants filed a motion to dismiss on the same ground, asserting that
the HIPAA authorization provided to them was likewise expired and therefore Plaintiff
did not substantially comply with the pre-suit notice requirement of Tennessee Code
Annotated section 29-26-121(a)(2)(E). These defendants argued that they were forbidden
from using or disclosing the patient’s protected health information without a valid
HIPAA authorization and that releasing, obtaining, or using the records pursuant to the
expired HIPAA authorization would have constituted a violation of HIPAA by both the
party releasing the records and the recipient or user of the records.


       After a hearing, the trial court entered an order of dismissal granting the motion to
dismiss that was filed first. Noting the “core elements” of a HIPAA authorization
required by federal regulations, the trial court concluded that Plaintiff’s HIPAA
authorization was expired and “thereby invalid for use by the defendants” at the time it
was received. The trial court found that the defendants were prejudiced by the invalid
HIPAA release in that they were unable to obtain medical records from healthcare
providers. The trial court added, “see Exhibit 1, Refusal Notice received by Defendants
in response to request for medical records, on the basis of an invalid HIPAA release,” but
no exhibit is attached to the order in the appellate record. Because the defendants were
unable to lawfully use the HIPAA authorizations provided by Plaintiff, the trial court
concluded that Plaintiff failed to substantially comply with Tennessee Code Annotated
section 29-26-121(a)(2)(E) and dismissed the claims against these defendants without
prejudice. The order of dismissal was entered on August 22, 2017.


        On September 7, 2017, the trial court entered a second order resolving the second
motion to dismiss that was filed by additional defendants. The order noted that the
identical issue had been raised and previously addressed with regard to other defendants.
Specifically, the order referenced the court’s previous ruling that Plaintiff’s HIPAA
authorization had expired by its terms and was therefore invalid for use by the defendants
at the time of receipt, preventing them from obtaining the patient’s medical records. The
trial court attached a transcript of its prior ruling to the order and granted the second
motion to dismiss filed by the additional defendants. Plaintiff timely filed a notice of
appeal.




                                             4
                                 II. ISSUES PRESENTED

        As we perceive it, Plaintiff presents the following issue for review on appeal:
whether the trial court misinterpreted Plaintiff’s HIPAA authorization by concluding that
it listed an expiration date that preceded the execution of the document and erred in
finding that the authorization was not HIPAA-compliant. For the following reasons, we
affirm the trial court’s decision and remand for further proceedings.


                              III. STANDARD OF REVIEW

      According to the Tennessee Supreme Court,

              The proper way for a defendant to challenge a complaint’s
      compliance with Tennessee Code Annotated section 29-26-121 and
      Tennessee Code Annotated section 29-26-122 is to file a Tennessee Rule of
      Procedure 12.02 motion to dismiss. In the motion, the defendant should
      state how the plaintiff has failed to comply with the statutory requirements
      by referencing specific omissions in the complaint and/or by submitting
      affidavits or other proof. Once the defendant makes a properly supported
      motion under this rule, the burden shifts to the plaintiff to show either that
      it complied with the statutes or that it had extraordinary cause for failing to
      do so. Based on the complaint and any other relevant evidence submitted
      by the parties, the trial court must determine whether the plaintiff has
      complied with the statutes. If the trial court determines that the plaintiff has
      not complied with the statutes, then the trial court may consider whether the
      plaintiff has demonstrated extraordinary cause for its noncompliance. If the
      defendant prevails and the complaint is dismissed, the plaintiff is entitled to
      an appeal of right under Tennessee Rule of Appellate Procedure 3 using the
      standards of review in Tennessee Rule of Appellate Procedure 13.

Myers v. AMISUB (SFH), Inc., 382 S.W.3d 300, 307 (Tenn. 2012). Because the trial
court’s decision on the motion “involves a question of law, our review is de novo with no
presumption of correctness.” Id. (citing Graham v. Caples, 325 S.W.3d 578, 581 (Tenn.
2010)).




                                             5
                                   IV. DISCUSSION

      In Tennessee, a claimant must provide written pre-suit notice to a potential
defendant before filing a complaint alleging healthcare liability:


      Any person, or that person’s authorized agent, asserting a potential claim
      for health care liability shall give written notice of the potential claim to
      each health care provider that will be a named defendant at least sixty (60)
      days before the filing of a complaint based upon health care liability in any
      court of this state.


Tenn. Code Ann. § 29-26-121(a)(1). By statute, the pre-suit notice must include “[a]
HIPAA compliant medical authorization permitting the provider receiving the notice to
obtain complete medical records from each other provider being sent a notice.” Tenn.
Code Ann. § 29-26-121(a)(2)(E).


       HIPAA “establishes requirements for protecting confidential medical information
by healthcare providers” and generally “prohibits a healthcare provider from using or
disclosing protected health information without a valid authorization.” Bray v. Khuri,
523 S.W.3d 619, 622 (Tenn. 2017) (citing 45 C.F.R. § 164.508(a)(1)). The specific
requirements for a HIPAA compliant medical authorization are set forth in 45 C.F.R. §
164.508, which provides:


      (a) Standard: Authorizations for uses and disclosures
      (1) Authorization required: General rule. Except as otherwise permitted or
      required by this subchapter, a covered entity may not use or disclose
      protected health information without an authorization that is valid under
      this section. . . .
      ....
      (c) Implementation specifications: Core elements and requirements—
      (1) Core elements. A valid authorization under this section must contain at
      least the following elements:
      (i) A description of the information to be used or disclosed that identifies
      the information in a specific and meaningful fashion.

                                           6
      (ii) The name or other specific identification of the person(s), or class of
      persons, authorized to make the requested use or disclosure.
      (iii) The name or other specific identification of the person(s), or class of
      persons, to whom the covered entity may make the requested use or
      disclosure.
      (iv) A description of each purpose of the requested use or disclosure. The
      statement “at the request of the individual” is a sufficient description of the
      purpose when an individual initiates the authorization and does not, or
      elects not to, provide a statement of the purpose.
      (v) An expiration date or an expiration event that relates to the individual
      or the purpose of the use or disclosure. The statement “end of the research
      study,” “none,” or similar language is sufficient if the authorization is for a
      use or disclosure of protected health information for research, including for
      the creation and maintenance of a research database or research repository.
      (vi) Signature of the individual and date. If the authorization is signed by a
      personal representative of the individual, a description of such
      representative’s authority to act for the individual must also be provided.


(Emphasis added.) The regulation further provides:


      (2) Defective authorizations. An authorization is not valid, if the document
      submitted has any of the following defects:
      (i) The expiration date has passed or the expiration event is known by the
      covered entity to have occurred[.]


45 C.F.R. § 164.508(b)(2). Finally, the regulation contains a “[p]lain language
requirement,” which provides that “[t]he authorization must be written in plain
language.” 45 C.F.R. § 164.508(c)(3).


       In the case before us, the HIPAA authorization sent by Plaintiff on August 11,
2016, provided the following, all of which was type-written:


      This authorization shall expire on the following date: __________ or (2
      years from signature) or Event: 08/15/2015.



                                            7
(Emphasis in original.) Plaintiff argues that the trial court and the defendants unilaterally
misinterpreted this provision as providing an expiration date of “8/15/2015” when,
according to Plaintiff, it provided an expiration date of two years from the date of
signature. In her brief on appeal, Plaintiff argues:


        The CFR set forth above clearly refers to two different ways to establish the
        expiration of the HIPAA agreement. The first is by a date, or the second
        way is by an event that relates to the individual or the purpose of the use or
        disclosure. Plaintiff submits that a date is straight forward but blank in this
        agreement. Instead the plaintiff chose to use an event, which is the
        expiration of two years from her signature.2


We simply cannot agree with Plaintiff’s strained interpretation of the HIPAA
authorization. First of all, the authorization clearly lists “Event: 08/15/2015,” which
refutes Plaintiff’s argument that she chose to designate an “Event” of “two years from her
signature.” The pre-printed blank beside the “date” was left blank. Plaintiff entered
“08/15/2015” in the second blank and emphasized it with bold font, as she did when
answering other questions on the form, such as, “For treatment dates: All treatment
dates and all medical records.” The phrase “2 years from signature” only appears
parenthetically in the provision, without bold emphasis, and would appear to be a default
parenthetical that appeared on the original form beside the blank for the date. Although
the provision as a whole is not a model of clarity, the most reasonable interpretation of it
is that the HIPAA authorization would expire on “08/15/2015.” Plaintiff certainly did not
specify any other expiration date or event in the “plain language” required by federal
regulations. See 45 C.F.R. § 164.508(c)(3).


       Plaintiff suggests on appeal that she listed “08/15/2015” simply in order “to assist
the defendants in their search for records” because that was the date of “the negligent
event,” but again, we find such an interpretation unreasonable. The form clearly states,
“This authorization shall expire on the following date: __________ or (2 years from
signature) or Event: 08/15/2015.” (Italics added.) Regardless of Plaintiff’s unexpressed
intention, the provision contains nothing to convey to a healthcare provider receiving the
form that 08/15/2015 was not really intended to signify the expiration of the
authorization. As the appellees note on appeal, medical providers are “not at liberty to
disregard [a plaintiff’s] explicitly designated expiration date just because it happened to
coincide with the date of injury,” nor can they be expected to effectively rewrite a release
to correct a perceived error. Compare J.A.C. by & through Carter v. Methodist
2
Although Plaintiff suggests on appeal that she made a deliberate choice to complete the form in this
manner, at the hearing before the trial court, her attorney suggested that the form contained “a typo.”
                                                       8
Healthcare Memphis Hosps., 542 S.W.3d 502, 515 (Tenn. Ct. App. 2016), perm. app.
denied (Tenn. Mar. 9, 2017) (rejecting the argument that a healthcare provider could have
used information from the pre-suit notice letters and attachments to “customize”
incomplete medical authorizations); Roberts v. Prill, No. E2013-02202-COA-R3-CV,
2014 WL 2921930, at *6 (Tenn. Ct. App. June 26, 2014) (rejecting the suggestion that
defendants should be required to complete an inadequate form). Defendant providers
owe no duty to plaintiffs to help them achieve compliance with the requirements of the
statute. J.A.C., 542 S.W.3d at 516.


        Our research has revealed another Tennessee case involving the sufficiency of an
already-passed expiration date on a HIPAA authorization. In Byrge v. Parkwest Medical
Center, 442 S.W.3d 245, 246 (Tenn. Ct. App. 2014), the plaintiff sent pre-suit notice
along with a HIPAA authorization on September 20, 2010, but the HIPAA authorization
listed an expiration date of October 4, 2009, nearly one year prior to its mailing. (This
was the date of the patient’s death.) After the defendant filed a motion to dismiss, the
plaintiff took a nonsuit and refiled his claim. Id. The trial court granted a motion to
dismiss the second complaint on the basis that the first complaint was not timely filed
because the plaintiff failed to comply with Tennessee Code Annotated section 29-26-121.
Id. at 247. On appeal, this Court considered whether the first lawsuit was timely filed
and found it undisputed that the plaintiff did not comply with Tennessee Code Annotated
section 29-26-121 in his first suit. Id. at 251. “Specifically,” we said, “the medical
authorization form Plaintiff sent to Parkwest was deficient because it did not authorize
release of information to Parkwest and because it contained an expiration date that pre-
dated the cover letter accompanying the medical authorization form by almost one year.”
Id. (emphasis added).


       The same defect exists in this case. Having concluded that Plaintiff’s pre-suit
notice included an expired HIPAA authorization, we now consider the effect of such an
error. The Tennessee Supreme Court provided guidance on that issue in Stevens ex rel.
Stevens v. Hickman Community Health Care Services, Inc., 418 S.W.3d 547 (Tenn.
2013). In that case, the pre-suit notice provided by the plaintiff included a HIPAA
medical authorization that only permitted the release of medical records to plaintiff’s
counsel, not to the providers being sent notice, and it also failed to contain other required
information. Id. at 551-52. The defendants moved to dismiss the complaint based on
noncompliance with Tennessee Code Annotated section 29-26-121(a)(2)(E). Id. at 552.
The trial court denied the motion, and the case eventually made its way to the Tennessee
Supreme Court. Id. at 553. The supreme court explained that the HIPAA authorization
requirement of section 29-26-121(a)(2)(E) serves “an investigatory function, equipping
defendants with the actual means to evaluate the substantive merits of a plaintiff’s claim
by enabling early discovery of potential co-defendants and early access to a plaintiff’s
                                             9
medical records.” Id. at 554. The court explained that Tennessee Code Annotated
section 29-26-121(d)(1) “creates a statutory entitlement to the records governed by § 29-
26-121(a)(2)(E),” as the statute provides that all parties “shall be entitled to obtain
complete copies of the claimant’s medical records from any other provider receiving
notice.” Id. at 555 (emphasis in original). According to the court,


       Because HIPAA itself prohibits medical providers from using or disclosing
       a plaintiff's medical records without a fully compliant authorization form, it
       is a threshold requirement of the statute that the plaintiff’s medical
       authorization must be sufficient to enable defendants to obtain and review a
       plaintiff’s relevant medical records. See 45 C.F.R. § 164.508(a)(1) (“a
       covered entity may not use or disclose protected health information without
       an authorization that is valid under this section”). . . .
             A plaintiff’s less-than-perfect compliance with Tenn. Code Ann. §
       29-26-121(a)(2)(E), however, should not derail a healthcare liability claim.
       Non-substantive errors and omissions will not always prejudice defendants
       by preventing them from obtaining a plaintiff’s relevant medical records.
       Thus, we hold that a plaintiff must substantially comply, rather than strictly
       comply, with the requirements of Tenn. Code Ann. § 29-26-121(a)(2)(E).


Id. (emphasis added). Next, the court considered the sufficiency of the medical
authorization provided in that case to determine whether it substantially satisfied the
requirements of the statute. Id. After noting the six core elements required by federal
regulations, the supreme court concluded that the authorization at issue was not HIPAA
compliant. Id. at 556. “First, and most importantly,” the court said, “by permitting
disclosure only to Plaintiff’s counsel, Plaintiff’s medical authorization failed to satisfy the
express requirement of Tenn. Code Ann. § 29-26-121(a)(2)(E) that a plaintiff’s medical
authorization ‘permit[ ] the provider receiving the notice to obtain complete medical
records from each other provider being sent a notice.’” Id. Secondly, the court found
that the authorization failed to satisfy at least three of the six compliance requirements
mandated by HIPAA. Id. The court continued,


       In determining whether a plaintiff has substantially complied with a
       statutory requirement, a reviewing court should consider the extent and
       significance of the plaintiff’s errors and omissions and whether the
       defendant was prejudiced by the plaintiff’s noncompliance. Not every non-
       compliant HIPAA medical authorization will result in prejudice. But in this
       case, the medical authorization submitted by Plaintiff was woefully
       deficient. The errors and omissions were numerous and significant. Due to
                                              10
      Plaintiff's material non-compliance, Defendants were not authorized to
      receive any of the Plaintiff’s records. As a result of multiple errors,
      Plaintiff failed to substantially comply with the requirements of Tenn. Code
      Ann. § 29-26-121(a)(2)(E).


Id. (emphasis added). In a later case, the supreme court summarized Stevens as holding
that “non-substantive errors and omissions and a plaintiff's less-than-perfect compliance
with subsection 29-26-121(a)(2)(E) will not derail a healthcare liability claim so long as
the medical authorization provided is sufficient to enable defendants to obtain and review
a plaintiff’s relevant medical records.” Thurmond v. Mid-Cumberland Infectious Disease
Consultants, PLC, 433 S.W.3d 512, 519-20 (Tenn. 2014) (quotations and bracketing
omitted).


        In sum, “there is no bright line rule that determines whether a party has
substantially complied with the requirements of Tenn. Code Ann. § 29-26-
121(a)(2)(E)[.]” Rush v. Jackson Surgical Assocs. PA, No. W2016-01289-COA-R3-CV,
2017 WL 564887, at *4 (Tenn. Ct. App. Feb. 13, 2017), perm. app. denied (Tenn. June 8,
2017). However, in order to substantially comply with the statute, a plaintiff must
provide a defendant with a HIPAA compliant medical authorization form that is
sufficient to allow the defendant to obtain the plaintiff’s medical records from the other
providers being sent the notice. Brookins v. Tabor, No. W2017-00576-COA-R3-CV,
2018 WL 2106652, at *5 (Tenn. Ct. App. May 8, 2018); Travis v. Cookeville Reg’l Med.
Ctr., No. M2015-01989-COA-R3-CV, 2016 WL 5266554, at *7 (Tenn. Ct. App. Sept.
21, 2016); see also Riley v. Methodist Healthcare Memphis Hosps., No. 17-5621, 2018
WL 2059524, at *8 (6th Cir. May 2, 2018) (gleaning from Tennessee cases that
“substantial compliance requires that the noncomplying features of the authorization do
not render it insufficient to authorize access and use of the records”). In this context,
substantial compliance refers to “a degree of compliance that provides the defendant with
the ability to access and use the medical records for the purpose of mounting a defense.”
Lawson v. Knoxville Dermatology Grp., P.C., 544 S.W.3d 704, 711 (Tenn. Ct. App.
2017), perm. app. denied (Tenn. Nov. 16, 2017).


       Applying these principles to the case before us, we agree with the trial court’s
conclusion that Plaintiff failed to substantially comply with section 29-26-121(a)(2)(E)
by providing the defendants with an expired and therefore invalid HIPAA authorization
form. Considering first “the extent and significance of the plaintiff’s errors and
omissions,” as instructed by Stevens, 418 S.W.3d at 556, we find that the HIPAA
authorization was expressly invalid under HIPAA regulations:

                                           11
        (2) Defective authorizations. An authorization is not valid, if the document
        submitted has any of the following defects:
        (i) The expiration date has passed or the expiration event is known by the
        covered entity to have occurred[.]


45 C.F.R. § 164.508(b)(2). Thus, the error in the form was both substantive and
significant. As a result of the expiration date having passed, the defendants were not
authorized to receive any of the patient’s medical records. See 45 C.F.R. § 164.508(a)(1)
(“a covered entity may not use or disclose protected health information without an
authorization that is valid under this section”).


       We further conclude that the defendants were prejudiced by Plaintiff’s
noncompliance with the statute. “‘Defendants are clearly prejudiced when unable, due to
a form procedural error, to obtain medical records needed for their legal defense.’”
Lawson v. Knoxville Dermatology Grp., P.C., 544 S.W.3d 704, 709-10 (Tenn. Ct. App.
2017), perm. app. denied (Tenn. Nov. 16, 2017)3 (quoting Hamilton v. Abercrombie
Radiological Consultants, Inc., 487 S.W.3d 114, 120 (Tenn. Ct. App. 2014)). At this
juncture, we note that the trial court referenced an exhibit to its order entitled, “Exhibit 1,
Refusal Notice received by Defendants in response to request for medical records, on the
basis of an invalid HIPAA release,” but no such exhibit is attached to the order in the
appellate record. However, the absence of such a “refusal notice” does not lead us to
conclude that the defendants were not prejudiced. As a result of the invalid and expired
HIPAA authorization, the defendants could not lawfully request the patient’s medical
records, whether they attempted to do so or not.


        “Because the penalties imposed on entities that wrongfully disclose or obtain
private health information in violation of HIPAA are severe, the sufficiency of the
plaintiffs’ medical authorizations is imperative.” Woodruff by & through Cockrell v.
Walker, 542 S.W.3d 486, 499 (Tenn. Ct. App. 2017), perm. app. denied (Tenn. Oct. 6,
2017). The penalties for wrongfully disclosing or obtaining private health information in
violation of HIPAA are “extremely severe, with such entities facing punishment of up to

3
 In Lawson, for example, the Court found no substantial compliance where a core element of the
plaintiff’s HIPAA authorization, designating who was authorized to make the requested use or disclosure,
was left blank. Lawson, 544 S.W.3d at 712. The Court explained that “health care providers presented
with a medical authorization missing the identification of those authorized to release information would
have no way of knowing that they were the providers for which the authorization was intended or that
they were allowed to release medical records.” Id. As such, we concluded that the omitted core element
was “a necessary element” to the defendants’ legal authorization to use the pertinent medical records. Id.
                                                   12
$50,000 per offense and/or imprisonment of up to one year for non-compliance.”
Stevens, 418 S.W.3d at 555 n.6 (citing 42 U.S.C.A. § 1320d–6).


        “Several Tennessee decisions have rejected the proposition that a health care
liability defendant has a duty to assist a plaintiff achieve compliance or to test whether an
obviously deficient HIPAA form would allow the release of records.” J.A.C., 542
S.W.3d at 514; see, e.g., Dolman v. Donovan, No. W2015-00392-COA-R3-CV, 2015
WL 9315565, at *5 (Tenn. Ct. App. Dec. 23, 2015), perm. app. denied (Tenn. May 6,
2016) (rejecting the plaintiffs’ argument that the medical providers could not have been
prejudiced because they never attempted to obtain medical records with the deficient
medical authorization provided); Roberts, 2014 WL 2921930, at *6 (rejecting the
argument that the onus should be placed on the defendants to test the sufficiency of the
form and finding dismissal warranted even in the absence of evidence of any “failed
attempt” to obtain records); see also Riley, 2018 WL 2059524, at *10 (wherein the Sixth
Circuit concluded from Tennessee caselaw that “where the authorizations do not permit
access and use, the defendant-providers need not affirmatively show that they sought and
were denied medical records in order to establish prejudice”). The healthcare liability
plaintiff is the party responsible for complying with the requirements of Tennessee Code
Annotated section 29-26-121(a)(2)(E), not the defendants. Stevens, 418 S.W.3d at 559.4


      Ultimately, the statute requires pre-suit notice to include “[a] HIPAA compliant
medical authorization permitting the provider receiving the notice to obtain complete

4
 When discussing the issue of prejudice and finding that prejudice occurred in the Stevens case, the
supreme court said,

        In determining whether a plaintiff has substantially complied with a statutory
        requirement, a reviewing court should consider the extent and significance of the
        plaintiff’s errors and omissions and whether the defendant was prejudiced by the
        plaintiff's noncompliance. Not every non-compliant HIPAA medical authorization will
        result in prejudice. But in this case, the medical authorization submitted by Plaintiff was
        woefully deficient. The errors and omissions were numerous and significant. Due to
        Plaintiff's material non-compliance, Defendants were not authorized to receive any of the
        Plaintiff's records.

Stevens, 418 S.W.3d at 556 (emphasis added). There was no mention of a failed attempt to obtain
records. In fact, the dissent argued that the complaint should not have been dismissed because “the
Defendants have not demonstrated any prejudice caused by the deficiency in the medical authorization
form.” Id. at 561. The dissent criticized the majority as essentially holding that the defendants were
“effectively prevented access to the medical records” and “presumptively prejudiced” by the inadequate
form. Id. at 564-65. So, while Stevens requires us to consider whether the defendant was prejudiced, we
do not read Stevens as also requiring that a provider affirmatively prove that it requested and was denied
access to records.
                                                    13
medical records from each other provider being sent a notice.” Tenn. Code Ann. § 29-
26-121(a)(2)(E). The expired and invalid HIPAA authorization provided in this case
failed to meet the “threshold requirement of the statute that the plaintiff’s medical
authorization must be sufficient to enable defendants to obtain and review [the] relevant
medical records.” See Stevens, 418 S.W.3d at 555. We therefore affirm the trial court’s
order of dismissal without prejudice.


       On appeal, the appellees attempt to raise an additional issue regarding “[w]hether
Plaintiff is barred from re-filing her case by the interaction of the Statute of Limitations
and the failure to comply with Tenn. Code Ann. § 29-26-121, which Plaintiff utilized to
extend the filing deadline by one hundred and twenty (120) days.” At the conclusion of
the hearing on the motion to dismiss, the trial judge stated that he would dismiss the case
without prejudice due to noncompliance with Tennessee Code Annotated section 29-26-
121, but he also recognized that “the effect . . . would be a dismissal with prejudice
because you were relying on the 120 day extension of the statute by giving the pre-suit
notice.” To the extent that this could be construed as a ruling on this issue, it was not
challenged on appeal by Plaintiff. In fact, Plaintiff’s counsel conceded during oral
argument that if we concluded that his HIPAA authorization was non-compliant, he was
not entitled to the 120-day extension. We will not address the issue further in this
opinion.


                                     V. CONCLUSION


       For the aforementioned reasons, the decision of the circuit court is hereby affirmed
and remanded for further proceedings. All other issues are pretermitted. Costs of this
appeal are taxed to the appellant, Konah Evangeline Buckman, and her surety, for which
execution may issue if necessary.

                                                 _________________________________
                                                 BRANDON O. GIBSON, JUDGE




                                            14
