                                                                                          11/20/2018
               IN THE COURT OF APPEALS OF TENNESSEE
                            AT JACKSON
                                October 9, 2018 Session

                   MARY WENZLER v. DR. XIAO YU, ET AL.

                  Appeal from the Circuit Court for Shelby County
                   No. CT-003652-17     Mary L. Wagner, Judge
                     ___________________________________

                           No. W2018-00369-COA-R3-CV
                       ___________________________________

This is a health care liability case filed against a dentist and the dental practice that
employed him. Before filing the complaint, the plaintiff gave written notice to the two
potential defendants of her health care liability claims against them. Tennessee Code
Annotated section 29-26-121(a)(2)(E) requires that a plaintiff’s pre-suit notice include a
HIPAA compliant medical authorization permitting the health care provider receiving the
notice to obtain complete medical records from every other provider that is being sent a
notice. After the plaintiff filed suit, the defendants moved to dismiss the complaint based
on noncompliance with the statute, as the defendants alleged that the HIPAA
authorizations provided by the plaintiff did not contain all of the required information and
were therefore invalid. After a hearing, the trial court granted the motion to dismiss,
concluding that the authorizations provided by the plaintiff were not HIPAA compliant
and therefore the plaintiff did not substantially comply with the statute. The plaintiff
appeals. We affirm in part, reverse in part, and remand for further proceedings.

 Tenn. R. App. P. 3 Appeal as of Right; Judgment of the Circuit Court Affirmed in
                      Part, Reversed in Part, and Remanded

BRANDON O. GIBSON, J., delivered the opinion of the court, in which J. STEVEN
STAFFORD, P.J., W.S., and ARNOLD B. GOLDIN, J., joined.

Kathleen L. Caldwell, Memphis, Tennessee, for the appellant, Mary Wenzler.

Laura L. Deakins, Memphis, Tennessee, and Lucas A. Davidson, Nashville, Tennessee,
for the appellees, Xiao Yu, and American Family Dentistry of Memphis, PC.

                                        OPINION

                          I.   FACTS & PROCEDURAL HISTORY
       On June 8, 2017, Plaintiff Mary Wenzler sent pre-suit notice letters to two
potential defendants – Dr. Xiao Yu and American Family Dentistry of Memphis, PC –
notifying them of potential health care liability claims arising out of their care and
treatment of Mrs. Wenzler on June 13, 2016. The pre-suit notice letters stated that
Plaintiff was attaching HIPAA compliant medical authorizations authorizing each
potential defendant to obtain complete medical records relating to her care and treatment
from the other medical provider receiving the notice.1 According to federal regulations, a
HIPAA compliant authorization must, at a minimum, contain six “core elements,”
including,

       (iii) The name or other specific identification of the person(s), or class of
       persons, to whom the covered entity may make the requested use or
       disclosure.

45 C.F.R. § 164.508(c)(1). The HIPAA authorizations sent by Plaintiff mentioned that
the information would be used for litigation but did not identify any particular person or
class of persons to whom the covered entities could make the use or disclosure.

       Plaintiff filed her complaint for health care liability on September 1, 2017, and
named as defendants Dr. Xiao Yu and American Family Dentistry of Memphis, PC.2 The
defendants filed a motion to dismiss on October 2, 2017, asserting that Plaintiff failed to
provide HIPAA compliant medical authorizations with her pre-suit notice letters as
required by Tennessee Code Annotated section 29-26-121(a)(2)(E). Specifically, the
defendants noted that the authorization forms failed to identify the person or entity that
was authorized to receive the disclosure pursuant to the release. Based on this defect, the
defendants argued that Plaintiff could not take advantage of the 120-day statutory
extension to the statute of limitations provided by Tennessee Code Annotated section 29-
26-121(c), and as a result, her complaint was time-barred.3

       1
         “HIPAA is an acronym for the Health Insurance Portability and Accountability Act of
1996, Pub. L. No. 104–191, 110 Stat. 1936 (codified as amended in scattered sections of 18
U.S.C., 26 U.S.C., 29 U.S.C., 42 U.S.C.).” Runions v. Jackson-Madison Cnty. Gen. Hosp. Dist.,
549 S.W.3d 77, 80 n.3 (Tenn. 2018).
       2
         The complaint also included a loss of consortium claim filed by Plaintiff’s husband.
However, the trial court ultimately dismissed his claim, and Plaintiff’s husband was not listed on
the notice of appeal to this Court. Accordingly, we limit our review on appeal to Plaintiff’s
claim.
       3
         “When a plaintiff gives pre-suit notice to a health care provider under Tennessee Code
Annotated section 29-26-121, the one-year statute of limitations is extended by 120 days.”
Runions, 549 S.W.3d at 86 (citing Tenn. Code Ann. § 29-26-121(c)). However, the pre-suit
notice must comply with the statute in order for the plaintiff to receive the 120-day extension.
Byrge v. Parkwest Med. Ctr., 442 S.W.3d 245, 249-50 (Tenn. Ct. App. 2014); see, e.g., Dortch v.
Methodist Healthcare Memphis Hosps., No. W2017-01121-COA-R3-CV, 2018 WL 706767, at
*3 (Tenn. Ct. App. Feb. 5, 2018) (“because Ms. Dortch did not comply with the provisions of
                                              -2-
       In response to the motion to dismiss, Plaintiff raised two arguments. First, she
argued that her HIPAA authorization forms met or exceeded the statutory requirements.
But alternatively, Plaintiff argued that even though there were “two named defendant
medical providers: Dr. Yu and American Family Dentistry of Memphis, P.C. (Dr. Yu’s
employer),” there was no “other” medical provider from whom records would be needed,
so the defendants were not prejudiced.

       After a hearing, the trial court entered an order granting the defendants’ motion to
dismiss. The trial court found that Plaintiff’s authorizations were not HIPAA compliant,
as they did not identify any person or entity that could receive the protected information.
Because of this omission, the trial court concluded that Plaintiff did not substantially
comply with Tennessee Code Annotated section 29-26-121(a)(2)(E). The trial court
rejected Plaintiff’s argument that a HIPAA authorization was unnecessary in the event
that only one set of medical records existed, stating, “[t]he current case law is clear that
where there are two or more defendants, the plaintiff must provide HIPAA compliant
authorizations to all defendants,” “even when the defendants stand in an employee-
employer relationship.” Because Plaintiff was not entitled to rely on the 120-day
extension of the statute of limitations, the trial court dismissed Plaintiff’s complaint as
time-barred. Plaintiff timely filed a notice of appeal.

                                     II.   ISSUES PRESENTED

       On appeal, Plaintiff asks this Court to consider “whether Plaintiff[] failed to
provide a HIPAA compliant medical authorization with the[] pre-suit notice as required
by Tennessee Code Annotated § 29-26-121(a)(2)(E).”4 Specifically, Plaintiff argues that
she substantially complied with the statute despite her failure to identify the intended
recipient of the medical records. Alternatively, she contends that a HIPAA authorization
was not needed because “in essence the instant case involves a single health care
provider.” For the following reasons, we affirm the decision of the circuit court in part,

section 121, she did not receive the 120 day extension, which made her [] Complaint time-
barred”); J.A.C. by & through Carter v. Methodist Healthcare Memphis Hosps., 542 S.W.3d 502,
514 (Tenn. Ct. App. 2016) (“Due to the Plaintiffs’ substantial noncompliance, the trial court was
correct in determining that the 120-day extension of the statute of limitations [] provided by
Tennessee Code Annotated section 29-26-121(c) was unavailable.”)
        4
          We note the defendants’ argument that this Court should dismiss the appeal due to
deficiencies in Plaintiff’s brief. Plaintiff failed to include a section in her brief listing the issues
presented for review and failed to include proper citations to the relevant pages of the record.
Instead, the cover page of Plaintiff’s brief states, “The nature of the proceedings: whether
Plaintiffs failed to provide a HIPAA compliant medical authorization with their pre-suit notice as
required by Tennessee Code Annotated § 29-26-121(02)(E),” and for citations to the record, she
included references such as “Complaint, ¶2” and “see Exhibit B-1 . . . to Complaint.” In light of
the limited issue resolved by the trial court and the small record on appeal, we will proceed to
address the merits of the appeal, and we decline the defendants’ request for attorney’s fees.
                                                 -3-
reverse in part, and remand for further proceedings.

                              III.   STANDARD OF REVIEW

      According to the Tennessee Supreme Court,

             The proper way for a defendant to challenge a complaint’s
      compliance with Tennessee Code Annotated section 29-26-121 [] is to file
      a Tennessee Rule of Procedure 12.02 motion to dismiss. In the motion, the
      defendant should state how the plaintiff has failed to comply with the
      statutory requirements by referencing specific omissions in the complaint
      and/or by submitting affidavits or other proof. Once the defendant makes a
      properly supported motion under this rule, the burden shifts to the plaintiff
      to show either that it complied with the statutes or that it had extraordinary
      cause for failing to do so. Based on the complaint and any other relevant
      evidence submitted by the parties, the trial court must determine whether
      the plaintiff has complied with the statutes. If the trial court determines that
      the plaintiff has not complied with the statutes, then the trial court may
      consider whether the plaintiff has demonstrated extraordinary cause for its
      noncompliance. If the defendant prevails and the complaint is dismissed,
      the plaintiff is entitled to an appeal of right under Tennessee Rule of
      Appellate Procedure 3 using the standards of review in Tennessee Rule of
      Appellate Procedure 13.

Myers v. AMISUB (SFH), Inc., 382 S.W.3d 300, 307 (Tenn. 2012). Because the trial
court’s decision on the motion “involves a question of law, our review is de novo with no
presumption of correctness.” Id. (citing Graham v. Caples, 325 S.W.3d 578, 581 (Tenn.
2010)).

                                     IV.   DISCUSSION

       Under Tennessee law, a claimant must provide written pre-suit notice to a
potential defendant before filing a complaint alleging health care liability:


      Any person, or that person’s authorized agent, asserting a potential claim
      for health care liability shall give written notice of the potential claim to
      each health care provider that will be a named defendant at least sixty (60)
      days before the filing of a complaint based upon health care liability in any
      court of this state.



                                            -4-
Tenn. Code Ann. § 29-26-121(a)(1). Pursuant to the statute, the pre-suit notice must
include “[a] HIPAA compliant medical authorization permitting the provider receiving
the notice to obtain complete medical records from each other provider being sent a
notice.” Tenn. Code Ann. § 29-26-121(a)(2)(E) (emphasis added).


        “Because the penalties imposed on entities that wrongfully disclose or obtain
private health information in violation of HIPAA are severe, the sufficiency of the
plaintiffs’ medical authorizations is imperative.” Woodruff by & through Cockrell v.
Walker, 542 S.W.3d 486, 499 (Tenn. Ct. App. 2017). The specific requirements for a
HIPAA compliant medical authorization are set forth in 45 C.F.R. § 164.508:


       (a) Standard: Authorizations for uses and disclosures
       (1) Authorization required: General rule. Except as otherwise permitted or
       required by this subchapter, a covered entity may not use or disclose
       protected health information without an authorization that is valid under
       this section. . . .
       ....
       (c) Implementation specifications: Core elements and requirements—
       (1) Core elements. A valid authorization under this section must contain at
       least the following elements:
       (i) A description of the information to be used or disclosed that identifies
       the information in a specific and meaningful fashion.
       (ii) The name or other specific identification of the person(s), or class of
       persons, authorized to make the requested use or disclosure.
       (iii) The name or other specific identification of the person(s), or class of
       persons, to whom the covered entity may make the requested use or
       disclosure.
       (iv) A description of each purpose of the requested use or disclosure. . . .
       (v) An expiration date or an expiration event that relates to the individual or
       the purpose of the use or disclosure. . . .
       (vi) Signature of the individual and date. If the authorization is signed by a
       personal representative of the individual, a description of such
       representative’s authority to act for the individual must also be provided.


(Emphasis added). “Under the plain language of the regulation,” with respect to
subsection (iii), “a name is not required so long as there is specific identification of the
entity, person, or class of persons authorized to receive the protected health records.”

                                            -5-
Rush v. Jackson Surgical Assocs. PA, No. W2016-01289-COA-R3-CV, 2017 WL
564887, at *4 (Tenn. Ct. App. Feb. 13, 2017) perm. app. denied (Tenn. June 8, 2017).
For example, a valid authorization may authorize disclosure to a designated class of
persons, “such as the employees of XYZ division of ABC insurance company,” so long
as the class is specifically identified. Id. On the other hand, an authorization simply
listing the term “bearer” does not satisfy the specificity requirement, and such a form is
not HIPAA compliant. Id. Additionally, the HIPAA regulation expressly provides:


       Defective authorizations. An authorization is not valid, if the document
       submitted has any of the following defects:
       ....
       (ii) The authorization has not been filled out completely, with respect to an
       element described by paragraph (c) of this section, if applicable[.]


45 C.F.R. § 164.508(b)(2). Thus, “HIPAA deems authorizations defective if not filled
out completely.” Smith v. Wellmont Health Sys., No. E2017-00850-COA-R9-CV, 2018
WL 3343591, at *4 (Tenn. Ct. App. July 9, 2018).


        As previously noted, the authorizations provided by Plaintiff in this case omitted
information regarding element (iii), failing to identify any person or class of persons to
whom the covered entity could make the requested use or disclosure. We now consider
the effect of such an error under Tennessee law. The Tennessee Supreme Court provided
guidance on that issue in Stevens ex rel. Stevens v. Hickman Community Health Care
Services, Inc., 418 S.W.3d 547 (Tenn. 2013). In that case, the pre-suit notice provided by
the plaintiff included a HIPAA authorization that only permitted the release of medical
records to plaintiff’s counsel and lacked other required information. Id. at 552. The
defendants moved to dismiss the complaint based on noncompliance with Tennessee
Code Annotated section 29-26-121(a)(2)(E). Id. The trial court denied the motion, and
the case eventually made its way to the Tennessee Supreme Court. Id. at 553. The
supreme court recognized that “[h]ealthcare liability defendants have a right to receive
medical records to defend themselves against civil liability,” and section 29-26-
121(a)(2)(E) requires a plaintiff to complete a HIPAA authorization “as a pre-condition
of filing suit.” Id. at 557-58. The supreme court explained that the statute’s HIPAA
authorization requirement serves “an investigatory function, equipping defendants with
the actual means to evaluate the substantive merits of a plaintiff’s claim by enabling . . .
early access to a plaintiff’s medical records.” Id. at 554. According to the court,


       Because HIPAA itself prohibits medical providers from using or disclosing
       a plaintiff’s medical records without a fully compliant authorization form, it

                                           -6-
       is a threshold requirement of the statute that the plaintiff’s medical
       authorization must be sufficient to enable defendants to obtain and review a
       plaintiff’s relevant medical records. See 45 C.F.R. § 164.508(a)(1) (“a
       covered entity may not use or disclose protected health information without
       an authorization that is valid under this section”). Tenn. Code Ann. § 29-
       26-121(d)(1) creates a statutory entitlement to the records governed by §
       29-26-121(a)(2)(E). See Tenn. Code Ann. § 29-26-121(d)(1) (“All parties
       in an action covered by this section shall be entitled to obtain complete
       copies of the claimant’s medical records from any other provider receiving
       notice ...”) (emphasis added). . . . .
             A plaintiff’s less-than-perfect compliance with Tenn. Code Ann. §
       29-26-121(a)(2)(E), however, should not derail a healthcare liability claim.
       Non-substantive errors and omissions will not always prejudice defendants
       by preventing them from obtaining a plaintiff’s relevant medical records.
       Thus, we hold that a plaintiff must substantially comply, rather than strictly
       comply, with the requirements of Tenn. Code Ann. § 29-26-121(a)(2)(E).


Id. at 555 (emphasis in original).


        Next, the court considered the sufficiency of the HIPAA authorization provided in
that case to determine whether it substantially satisfied the requirements of the statute.
Id. After noting the six core elements required by federal regulations, the supreme court
concluded that the authorization at issue was not HIPAA compliant. Id. at 556. “First,
and most importantly,” the court said, “by permitting disclosure only to Plaintiff’s
counsel, Plaintiff’s medical authorization failed to satisfy the express requirement of
Tenn. Code Ann. § 29-26-121(a)(2)(E) that a plaintiff’s medical authorization ‘permit[ ]
the provider receiving the notice to obtain complete medical records from each other
provider being sent a notice.’” Id. Secondly, the court found that the authorization failed
to satisfy at least three of the six compliance requirements mandated by HIPAA. Id. The
court continued,


       In determining whether a plaintiff has substantially complied with a
       statutory requirement, a reviewing court should consider the extent and
       significance of the plaintiff’s errors and omissions and whether the
       defendant was prejudiced by the plaintiff’s noncompliance. Not every non-
       compliant HIPAA medical authorization will result in prejudice. But in this
       case, the medical authorization submitted by Plaintiff was woefully
       deficient. The errors and omissions were numerous and significant. Due to
       Plaintiff's material non-compliance, Defendants were not authorized to
       receive any of the Plaintiff’s records. As a result of multiple errors,

                                           -7-
      Plaintiff failed to substantially comply with the requirements of Tenn. Code
      Ann. § 29-26-121(a)(2)(E).


Id. (emphasis added). In a later case, the supreme court summarized Stevens as holding
that “non-substantive errors and omissions and a plaintiff's less-than-perfect compliance
with subsection 29-26-121(a)(2)(E) will not derail a healthcare liability claim so long as
the medical authorization provided is sufficient to enable defendants to obtain and review
a plaintiff’s relevant medical records.” Thurmond v. Mid-Cumberland Infectious Disease
Consultants, PLC, 433 S.W.3d 512, 519-20 (Tenn. 2014) (quotations and bracketing
omitted).


        In sum, “there is no bright line rule that determines whether a party has
substantially complied with the requirements of Tenn. Code Ann. § 29-26-
121(a)(2)(E)[.]” Rush, 2017 WL 564887, at *4. However, in order to substantially
comply with the statute, a plaintiff must provide a defendant with a HIPAA compliant
medical authorization form that is sufficient to allow the defendant to obtain the
plaintiff’s medical records from the other providers being sent the notice. Brookins v.
Tabor, No. W2017-00576-COA-R3-CV, 2018 WL 2106652, at *5 (Tenn. Ct. App. May
8, 2018); Travis v. Cookeville Reg’l Med. Ctr., No. M2015-01989-COA-R3-CV, 2016
WL 5266554, at *7 (Tenn. Ct. App. Sept. 21, 2016). In this context, substantial
compliance requires “a degree of compliance that provides the defendant with the ability
to access and use the medical records for the purpose of mounting a defense.” Lawson v.
Knoxville Dermatology Grp., P.C., 544 S.W.3d 704, 711 (Tenn. Ct. App. 2017).


        Applying these principles, we consider whether Plaintiff failed to substantially
comply with section 29-26-121(a)(2)(E) by providing each defendant with an incomplete
HIPAA authorization form that failed to identify to whom the covered entity could make
the requested use or disclosure. Considering first “the extent and significance of the
plaintiff’s errors and omissions,” as instructed by Stevens, 418 S.W.3d at 556, we note
that these HIPAA authorizations were “defective” and “not valid” under HIPAA
regulations due to Plaintiff’s omission. 45 C.F.R. § 164.508(b)(2)(ii). Her omission was
both substantive and significant. As a result of Plaintiff’s failure to identify any
authorized recipient of the records, her HIPAA authorizations did not permit the
defendants to receive Plaintiff’s medical records.


       In Lawson, 544 S.W.3d at 712, this Court found no substantial compliance where
a similar core element of the plaintiff’s HIPAA authorization, designating who was
authorized to make the requested use or disclosure, was left blank. Id. We explained that
“health care providers presented with a medical authorization missing the identification
of those authorized to release information would have no way of knowing that they were
                                          -8-
the providers for which the authorization was intended or that they were allowed to
release medical records.” Id. As such, we concluded that the single omitted core element
was “a necessary element” to the defendants’ legal authorization to use the medical
records. Id.


       In Riley v. Methodist Healthcare Memphis Hospitals, 731 F. App’x 481 (6th Cir.
2018), the Sixth Circuit considered a HIPAA authorization with the same omission as the
one before us in the context of a diversity jurisdiction case alleging health care liability.
Specifically, the plaintiffs in Riley left blank the section where they were supposed to list
the persons to whom each provider could disclose the patient’s records. Id. at 488 (citing
C.F.R. § 145.608(c)(1)(iii)). Applying Tennessee law and federal HIPAA regulations,
the district court deemed the authorization defective, rejecting the plaintiff’s argument
that the forms were HIPAA compliant and would effectively permit each defendant to
share records with anyone it wished. Id. at 489. Instead, the district court concluded,
because of the omission in the form, the defendants were permitted to disclose records to
no one. Id. The Sixth Circuit found no error in this decision. Id. at 490. After reviewing
Tennessee caselaw, the court concluded that “substantial compliance requires that the
noncomplying features of the authorization do not render it insufficient to authorize
access and use of the records,” and the form at issue in Riley “did not permit that access
and use.” Id. at 491-92; see also Rush, 2017 WL 564887, at *4 (concluding that an
authorization that failed to identify with specificity a person or class of persons able to
receive the records but instead listing “bearer” was not HIPAA compliant).


       Despite the deficiencies in Plaintiff’s HIPAA authorization, Plaintiff argues that
“in essence the instant case involves a single health care provider,” and therefore, no
HIPAA authorization was necessary in the first place. According to Plaintiff’s complaint,
Dr. Yu was “a health care provider” who was “practicing dentistry at the dental clinic
owned and operated by American Family Dentistry of Memphis, P.C.,” and Dr. Yu either
“worked at, was employed by, or had an ownership interest in” American Family
Dentistry.5 Plaintiff argues that the Tennessee Supreme Court’s holding in Bray v. Khuri,
523 S.W.3d 619 (Tenn. 2017) is “directly on point” and no HIPAA authorization needed
to be provided under these circumstances.


      In Bray, the plaintiff filed suit against one physician – a single “health care
provider” within the meaning of HIPAA and the Tennessee Health Care Liability Act.6

       5
          Because we are reviewing the trial court’s decision on a Rule 12.02(6) motion to
dismiss, for purposes of this appeal, we presume that the allegations of fact in the complaint are
true. Stevens, 418 S.W.3d at 552 n.1.
        6
          Under HIPAA, a “health care provider” is defined as “a provider of services (as defined
in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as
                                              -9-
Id. at 620. The Tennessee Supreme Court examined the text of Tennessee Code
Annotated section 29-26-121(a)(2)(E), which requires a person who asserts a potential
claim for health care liability to provide with pre-suit notice a HIPAA compliant
authorization “permitting the provider receiving the notice to obtain complete medical
records from each other provider being sent a notice.” Tenn. Code Ann. § 29-26-
121(a)(2)(E). Considering the plain language of the statute, the Bray court concluded
that “a prospective plaintiff who provides pre-suit notice to one potential defendant is not
required under Tennessee Code Annotated section 29-26-121(a)(2)(E) to provide the
single potential defendant with a HIPAA-compliant medical authorization.” Id.
(emphasis added). In other words, “a plaintiff need not provide a HIPAA-compliant
authorization when a single healthcare provider is given pre-suit notice of a healthcare
liability claim.” Id. at 622 (emphasis added). According to the court, “The authorization
only allows a potential defendant to obtain the prospective plaintiff’s medical records
from any other healthcare provider also given notice and identified as a potential
defendant in the pre-suit notice.” Id. (emphasis added).


        The intermediate appellate court in Bray had concluded that even though the sole
defendant-physician may have physically possessed the patient’s records, he could not
review them with counsel to evaluate the merits of the claim absent a HIPAA compliant
authorization. Id. at 621. Thus, on appeal, the physician maintained that a HIPAA
authorization would be necessary because HIPAA would prohibit him from disclosing
medical records already in his possession to his own counsel. Id. The supreme court
recognized the “general rule” that “HIPAA prohibits a healthcare provider from using or
disclosing protected health information without a valid authorization.” Id. (citing 45
C.F.R. § 164.508(a)(1)).7 However, examining HIPAA regulations, the supreme court
found an applicable “regulatory exception to the general requirement of a HIPAA-
compliant medical authorization.” Id. at 623. The court explained that HIPAA
regulations permit a health care provider to use or disclose protected health information
for its own “health care operations,” with some exceptions. Id. at 622 (citing 45 C.F.R. §

defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization
who furnishes, bills, or is paid for health care in the normal course of business.” 45 C.F.R. §
160.103. Tennessee Code Annotated section 29-26-101(a)(2) defines a “health care provider” as
“[a] health care practitioner licensed, authorized, certified, registered, or regulated under any
chapter of title 63 or title 68 . . . .”
       7
         Specifically, section 164.508(a)(1) provides:

       (a) Standard: Authorizations for uses and disclosures
       (1) Authorization required: General rule. Except as otherwise permitted or
       required by this subchapter, a covered entity may not use or disclose protected
       health information without an authorization that is valid under this section.

45 C.F.R. § 164.508(a)(1) (emphasis added).
                                              - 10 -
164.506(a)). “Health care operations” include “[c]onducting or arranging for . . . legal
services,” and the website maintained by the United States Department of Health and
Human Services indicated that a health care provider may use or disclose protected health
information with its lawyer for litigation. Id. at 622-23. As such, the supreme court
concluded that “HIPAA does not require Dr. Khuri to obtain a medical authorization to
use a patient’s medical records in his possession and consult with counsel to evaluate the
merits of a potential claim.” Id. at 623 (emphasis added). Notably, the physician relied
on a previous decision from the Court of Appeals, Roberts v. Prill, E2013-02202-COA-
R3-CV, 2014 WL 2921930, at *6 (Tenn. Ct. App. June 26, 2014), to support his
argument that a HIPAA compliant medical authorization was required to enable him to
“use” medical records in his possession. Id. Without opining on the merits of the
Roberts decision, the supreme court found it “factually distinguishable on a critical point:
Roberts involved two defendants, whereas this case involves a single defendant.” Id.
Accordingly, the supreme court explained, Roberts did not consider the same issue –
“whether section 29-26-121(a)(2)(E) applies when a single healthcare provider is named
as a potential defendant.”8 Id.


       In summary, Bray established two points – (1) “a plaintiff need not provide a
HIPAA-compliant authorization when a single healthcare provider is given pre-suit
notice of a healthcare liability claim,” and (2) a health care provider may use or disclose
protected health information for its health care operations and does not need to obtain a
medical authorization in order “to use a patient’s medical records in [its] possession and
consult with counsel to evaluate the merits of a potential claim.” Id. at 622-23. Clearly,
the factual situation before us does not fall within the “single healthcare provider”
exception recognized in Bray that would have excused Plaintiff from providing a HIPAA
authorization in the first place. This Court rejected a similar argument in another case

       8
          The Roberts case was filed against an oncologist and the health care group that
employed the oncologist. Roberts, 2014 WL 2921930, at *1. The plaintiff claimed that the
defendants already had all of the relevant records in their possession. Id. at *6. The court of
appeals concluded that because the HIPAA authorizations provided by the plaintiff were
defective, the two defendants “were not legally authorized to use the pertinent medical records to
mount a defense, despite the fact that the records may have already been in their possession.” Id.
at *5. The court concluded that the “case did not fall within one of the limited circumstances
anticipated by HIPAA that would allow for the use of the records without authorization.” Id. at
*6. However, the only specific exception the court discussed was provided in 45 C.F.R. §
164.508(a)(2)(i)(C), which addresses the use of psychotherapy notes in a legal action. Id. We
did not mention the exception for health care operations that was later discussed by the supreme
court in Bray. Id.; see also Harmon v. Shore, No. M2014-01339-COA-R3-CV, 2015 WL
1881467, at *5 & n.3 (Tenn. Ct. App. Apr. 23, 2015) (relying on Roberts prior to Bray -- where
the plaintiff argued that a doctor and hospital already possessed the records -- and concluding
that the case did not fall within one of the limited circumstances that would allow for the “use”
of records without an authorization, but only discussing the psychotherapy exception).
                                              - 11 -
involving two defendant medical providers – a physician’s assistant and the dermatology
practice that employed her. Lawson, 544 S.W.3d at 710. Despite the employer-employee
relationship between the defendants, we ultimately concluded that the situation before us
involved multiple defendants, and therefore “the one-defendant exception articulated in
Bray [did] not apply[.]” Id. at 711-12.


        The Sixth Circuit also considered and rejected a similar argument in Riley, where
health care liability claims were filed against a physician in addition to the clinic and the
hospital where the physician practiced. 731 Fed. Appx. at 483. Like Plaintiff, the
appellants in Riley argued that this was “essentially a one-provider case” and suggested
that all of the records would be accessible by the physician as the health care provider
who rendered the care. Id. at 495. The Sixth Circuit rejected that argument, first
characterizing Bray as “a statutory interpretation case” that was “inapposite” given that
the case before it involved pre-suit notice sent to three health care providers. Id.
However, to the extent that the plaintiffs were suggesting a lack of prejudice on the part
of the defendants due to an alleged ability to access records without the need for a
HIPAA authorization, the court further held that the plaintiffs failed to adequately raise
and establish a lack of prejudice or that the defendants actually had “another means of
access” to the records. Id. at 494-95.


       Likewise, this is not a “single healthcare provider” case within the meaning of
Bray such that HIPAA authorizations were unnecessary. However, to the extent that
Plaintiff is attempting to argue a lack of prejudice in light of the two defendants’
employment relationship, we find it necessary to consider the issue of prejudice
separately with respect to each defendant. Again, Stevens requires us to consider whether
each defendant was prejudiced by Plaintiff’s failure to provide a HIPAA compliant
release. See Stevens, 418 S.W.3d at 556. Notably, at oral argument before this Court,
counsel for the defendants conceded that “[i]n this particular case, Dr. Yu does not
possess the records; American Family Dentistry possesses the records.” Therefore, we
begin by considering the issue of prejudice to American Family Dentistry, which already
had the records in its possession, resulting from its inability to utilize the HIPAA
authorization provided by Plaintiff.9


       According to the Tennessee Supreme Court’s decision in Bray, a HIPAA
authorization “only allows a potential defendant to obtain the prospective plaintiff’s
medical records from any other healthcare provider also given notice and identified as a

       9
           With regard to the issue of prejudice, we note that a defendant is not required to
attempt to use a medical authorization it believes to be defective, and “a defendant’s claim of
prejudice is not waived by failing to attempt to use or otherwise ‘test’ an allegedly defective
authorization.” Smith, 2018 WL 3343591, at *6.
                                            - 12 -
potential defendant in the pre-suit notice,” and HIPAA regulations allow a health care
provider to use or disclose protected health information in its possession for its own
health care operations. 523 S.W.3d at 622. For instance, in Bray, HIPAA did not require
the defendant-doctor to obtain a medical authorization in order to “use” the patient’s
medical records in his possession and consult with counsel to evaluate the merits of the
potential claim. Id. Here, according to the concession of defense counsel, Dr. Yu did not
possess any records. The records were maintained by American Family Dentistry.
Therefore, it was not necessary for American Family Dentistry to utilize the HIPAA
authorization to obtain records from any other health care provider identified as a
potential defendant, and American Family Dentistry was authorized to use the records in
its possession to evaluate the merits of Plaintiff’s claim without a HIPAA authorization.


       In this regard, this case is analogous to Hughes v. Henry County Medical Center,
No. W2014-01973-COA-R3-CV, 2015 WL 3562733 (Tenn. Ct. App. June 9, 2015). In
Hughes, the plaintiff filed a health care liability action against a hospital and a physician
(although the physician was not a party to the appeal). Id. at *1. A clerical error in the
medical authorization form provided to the hospital did not permit it to obtain medical
records from the physician. Id. However, counsel for the hospital conceded that the
physician saw the patient only at the hospital and had no records independent of the
hospital’s records. Id. at *2. This Court quoted the following pertinent language from
Stevens,


       [I]n determining whether a plaintiff has substantially complied with a
       statutory requirement, a reviewing court should consider the extent and
       significance of the plaintiff’s errors and omissions and whether the
       defendant was prejudiced by the plaintiff’s noncompliance. Not every non-
       compliant HIPAA medical authorization will result in prejudice.


Id. (citing 418 S.W.3d at 556). We noted the undisputed fact that the physician had no
medical records, and therefore, the validity of the release for the physician’s records had
no effect on the hospital’s ability to obtain “complete medical records” as contemplated
by the statute. Id. at *3. Rather, the hospital “was able to obtain all of the [patient’s]
relevant medical records, and evaluate the merits of the claim despite Appellants’
technical failure to include [the physician’s] records in its release.”10 Id. at *4. Because
the hospital admittedly suffered no prejudice as a result of the defective HIPAA
authorization and the statutory goal of allowing a defendant to evaluate the merits of a

       10
           Hughes was a pre-Bray decision. The Court of Appeals concluded that the hospital
was permitted to “use its own records” in light of the particular language of the defective HIPAA
release form, without discussing the exception for health care operations later discussed in Bray.
Id. at *1. However, we believe the result here is the same with respect to the issue of prejudice.
                                              - 13 -
claim with early access to medical records was satisfied, we concluded that Plaintiff
substantially complied with the statute. Id. at *5. See also Martin v. Rolling Hills Hosp.,
LLC, No. M2016-02214-COA-R3-CV, 2018 WL 3097231, at *8 (Tenn. Ct. App. June
22, 2018) (finding no prejudice to the defendants in a case where the plaintiffs argued
that the defendants already had possession of the relevant documents); but see Dolman v.
Donovan, No. W2015-00392-COA-R3-CV, 2015 WL 9315565, at *1 (Tenn. Ct. App.
Dec. 23, 2015) (declining to find no prejudice when eight separate providers were given
pre-suit notice, only one defendant-hospital actually had relevant records, but the
providers did not know this information during the pre-suit notice period and were unable
to use the defective authorizations to request whatever records might have existed).


       We recognize that our holding with regard to this issue seems to conflict with the
portion of the Lawson opinion analyzing the issue of prejudice when two defendants are
involved. Again, Lawson involved two defendant medical providers – a physician’s
assistant and the dermatology practice that employed her. Lawson, 544 S.W.3d at 705.
However, the plaintiffs only appealed the dismissal of the claim against the dermatology
practice. Id. On appeal, the plaintiffs argued that the defendant-practice was not
prejudiced by a defective HIPAA release because it “already had access to the medical
record it generated” when the plaintiff was treated and “was already in possession of the
only medical record relevant to the case at bar.” Id. at 710. We found the “one-
defendant exception” from Bray inapplicable and instead relied on the pre-Bray decision
in Roberts (which had only discussed the applicability of the HIPAA exception for
psychotherapy notes). Id. Applying Roberts, we concluded that the fact that the records
were already in the defendant’s possession did not excuse compliance with the HIPAA
authorization requirement because, in the absence of one of HIPAA’s limited exceptions,
HIPAA generally provides that a covered entity may not use protected health information
without a valid authorization. Id. As in Roberts, the only exception we referenced was
the one for psychotherapy notes. Id. We concluded that in light of the defective HIPAA
form, the defendant medical practice would not be allowed to consult with anyone about
the records and “would not be allowed to use Mr. Lawson’s medical records to mount a
defense.” Id. at 713.


       Essentially, in Lawson, we concluded that “the one-defendant exception
articulated in Bray [did] not apply” to excuse the plaintiffs from providing HIPAA
authorizations, but we did not discuss whether the “health care operations” exception to
HIPAA that was secondarily discussed in Bray would nevertheless permit the defendant-
practice to use the records in its possession. Id. at 711. Having carefully reviewed
Lawson, Roberts (and cases citing it), and the Tennessee Supreme Court’s decision in
Bray, we simply conclude that our decision is controlled by the Bray decision and its
conclusion regarding the use of records that are already in the possession of a health care
provider. Discerning no prejudice to American Family Dentistry due to Plaintiff’s failure

                                          - 14 -
to provide it with a HIPAA compliant release, we conclude that Plaintiff substantially
complied with Tennessee Code Annotated section 29-26-121(a)(2)(E), she was entitled to
the 120-day extension to the statute of limitations, and her claim against American
Family Dentistry was not time-barred. We reverse the trial court’s dismissal of Plaintiff’s
claim against American Family Dentistry.


      We now consider the existence of prejudice to Dr. Yu, who did not already
possess the records, resulting from his inability to utilize the HIPAA authorization
provided by Plaintiff. Before the trial court, counsel for the defendants acknowledged
that American Family Dentistry and Dr. Yu are “in an employer-employee relationship.”
Although Plaintiff does not cite any HIPAA regulations on appeal, she suggests that it is
incomprehensible that Dr. Yu would not have “free access” to obtain medical records
from American Family Dentistry when he continues to work at the clinic.


       We disagree. HIPAA distinguishes between uses or disclosures for purposes of
treatment and those for purposes of health care operations.11 The “health care
operations” exception to the general requirement of a HIPAA compliant authorization,
which was discussed in Bray, does not extend to the lengths implicitly urged by Plaintiff.
Keeping in mind that the purpose of American Family Dentistry providing these records
to Dr. Yu would be for Dr. Yu’s own health care operations, we look to the language of
the regulation:


       (c) Implementation specifications: Treatment, payment, or health care
       operations.
       (1) A covered entity may use or disclose protected health information for its
       own treatment, payment, or health care operations.
       ....
       (4) A covered entity may disclose protected health information to another
       covered entity for health care operations activities of the entity that receives
       the information, if each entity either has or had a relationship with the
       individual who is the subject of the protected health information being
       requested, the protected health information pertains to such relationship,
       and the disclosure is:
       (i) For a purpose listed in paragraph (1) or (2) of the definition of health
       care operations; or

       11
            “Treatment means the provision, coordination, or management of health care and
related services by one or more health care providers, including the coordination or management
of health care by a health care provider with a third party; consultation between health care
providers relating to a patient; or the referral of a patient for health care from one health care
provider to another.” 45 C.F.R. § 164.501.
                                              - 15 -
       (ii) For the purpose of health care fraud and abuse detection or compliance.

45 C.F.R. § 164.506(c) (emphasis added). The referenced purposes listed in paragraphs
(1) and (2) are for quality-related health care operations and do not include legal services,
which is separately addressed in paragraph (4).12 Accordingly, this exception to the
authorization requirement would not permit American Family Dentistry to disclose
records to Dr. Yu for the purposes of Dr. Yu’s health care operations (i.e., conducting or
arranging for legal services).

       “Requiring a HIPAA compliant medical authorization to accompany the pre-suit
notice was a policy decision by the General Assembly that ‘equip[s] defendants with the
actual means to evaluate the substantive merits of a plaintiff’s claim by enabling early
access to a plaintiff’s medical records.’”13 J.A.C. by & through Carter, 542 S.W.3d at

       12
                See https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-
treatment-payment-health-care-operations/index.html (characterizing paragraphs (1) and (2) as
“quality-related health care operations activity”). The definition of health care operations
provides:

       Health care operations means any of the following activities of the covered entity
       to the extent that the activities are related to covered functions:

       (1) Conducting quality assessment and improvement activities, including
       outcomes evaluation and development of clinical guidelines, provided that the
       obtaining of generalizable knowledge is not the primary purpose of any studies
       resulting from such activities; patient safety activities (as defined in 42 CFR
       3.20); population-based activities relating to improving health or reducing health
       care costs, protocol development, case management and care coordination,
       contacting of health care providers and patients with information about treatment
       alternatives; and related functions that do not include treatment;
       (2) Reviewing the competence or qualifications of health care professionals,
       evaluating practitioner and provider performance, health plan performance,
       conducting training programs in which students, trainees, or practitioners in areas
       of health care learn under supervision to practice or improve their skills as health
       care providers, training of non-health care professionals, accreditation,
       certification, licensing, or credentialing activities;
       ....
       (4) Conducting or arranging for medical review, legal services, and auditing
       functions, including fraud and abuse detection and compliance programs;

45 C.F.R. § 164.501.
       13
          We note that HIPAA also permits a covered entity to disclose protected health
information “in the course of any judicial or administrative proceeding” but only “[i]n response
to an order of a court or administrative tribunal” or “a subpoena, discovery request, or other
lawful process” and provided that other conditions are met. 45 C.F.R. § 164.512(e).
                                             - 16 -
521 (quoting Stevens, 418 S.W.3d at 555). In the case before us, the authorization
Plaintiff sent to Dr. Yu was not HIPAA-compliant, and Plaintiff has not demonstrated
that Dr. Yu had another means of access to the records maintained by American Family
Dentistry that would have enabled him to evaluate her claim. See Myers, 382 S.W.3d at
307 (“Once the defendant makes a properly supported motion under this rule, the burden
shifts to the plaintiff to show [] that it complied with the statutes . . . . Based on the
complaint and any other relevant evidence submitted by the parties, the trial court must
determine whether the plaintiff has complied with the statutes.”); Dolman, 2015 WL
9315565, at *4 (concluding that plaintiffs presented only sparse evidence regarding an
alleged affiliation between defendant entities that failed to reveal the extent of the
defendants’ access to records). We therefore conclude that Dr. Yu was prejudiced by the
lack of a HIPAA compliant authorization. “‘Defendants are clearly prejudiced when
unable, due to a form procedural error, to obtain medical records needed for their legal
defense.’” Hamilton v. Abercrombie Radiological Consultants, Inc., 487 S.W.3d 114,
120 (Tenn. Ct. App. 2014). Plaintiff failed to substantially comply with Tennessee Code
Annotated section 29-26-121(a)(2)(E) because her authorization would not allow Dr. Yu
to obtain medical records from the other health care provider receiving pre-suit notice.
Due to Plaintiff’s failure to substantially comply with the statute within the original
statute of limitations, Plaintiff did not receive the 120-day extension of the statute of
limitations, and her complaint against Dr. Yu was not timely filed. See Byrge, 442
S.W.3d at 250. We affirm the trial court’s dismissal of the claim against Dr. Yu.


                                   V.   CONCLUSION

       For the aforementioned reasons, we affirm the decision of the circuit court in part,
we reverse in part, and we remand this cause for further proceedings consistent with this
opinion. Costs of this appeal are taxed equally to the appellant, Mary Wenzler, and to
appellee American Family Dentistry, for which execution may issue if necessary.

                                                   _________________________________
                                                   BRANDON O. GIBSON, JUDGE




                                          - 17 -
