                   IN THE SUPREME COURT OF TENNESSEE
                               AT JACKSON
                       February 8, 2017 Session Heard at Nashville

                    DEBORAH BRAY v. RADWAN R. KHURI, M.D.

                     Appeal by Permission from the Court of Appeals
                            Circuit Court for Shelby County
                       No. CT-004039     Donna M. Fields, Judge


                    No. W2015-00397-SC-R11-CV – Filed July 5, 2017


Tennessee Code Annotated section 29-26-121(a)(2)(E) requires a person who asserts a
potential claim for healthcare liability to include with pre-suit notice a
HIPAA-compliant1 medical authorization permitting the healthcare provider who
receives the notice to obtain complete medical records “from each other provider being
sent the notice.” Tenn. Code Ann. § 29-26-121(a)(2)(E). Here, the plaintiff sent pre-suit
notice of her claim to a single healthcare provider and included a medical authorization.
After the plaintiff filed suit, the defendant healthcare provider moved to dismiss,
asserting the plaintiff had failed to provide a HIPAA-compliant medical authorization.
The trial court granted the motion, and the Court of Appeals affirmed. We hold that a
prospective plaintiff who provides pre-suit notice to one potential defendant is not
required under Tennessee Code Annotated section 29-26-121(a)(2)(E) to provide the
single potential defendant with a HIPAA-compliant medical authorization. We reverse
the judgments of the trial court and the Court of Appeals and remand this case to the trial
court for further proceedings.

  Tenn. R. App. P. 11 Appeal by Permission; Judgments of the Trial Court and the
                     Court of Appeals Reversed and Remanded

SHARON G. LEE, J., delivered the opinion of the Court, in which JEFFREY S. BIVINS, C.J.,
CORNELIA A. CLARK, HOLLY KIRBY, and ROGER A. PAGE, JJ., joined.



       1
          “HIPAA” is the acronym for the Health Insurance Portability and Accountability Act of 1996,
Pub. L. No. 104–191, 110 Stat. 1936 (codified as amended in scattered sections of 18, 26, 29, and 42
U.S.C.). Among other things, HIPAA requires healthcare providers to protect the confidentiality of
patients’ health information. In general, a healthcare provider may not disclose protected health
information without a patient’s express written authorization, with certain exceptions. 45 C.F.R.
§ 164.508(a)(1).


                                                -1-
Duncan E. Ragsdale, William R. Bruce, and Aaron L. Thomas, Memphis, Tennessee, for
the appellant, Deborah Bray.

James T. McColgan, III and Sherry S. Fernandez, Cordova, Tennessee, for the appellee,
Radwan R. Khuri, M.D.

W. Bryan Smith, Memphis, Tennessee; John Vail, Washington, D.C.; and Brian G.
Brooks, Greenbrier, Arkansas, for amicus curiae, Tennessee Association for Justice.

                                              OPINION

                                                   I.

       Between the evening of March 25 and the morning of March 26, 2003, Nigel Bray
committed suicide at Saint Francis Hospital in Memphis. Dr. Radwan Khuri provided
psychiatric care to Mr. Bray from the time of his hospital admission on March 20 until
his death less than a week later.

        In March 2004, Deborah Bray, Mr. Bray’s surviving spouse, filed a healthcare
liability case against Dr. Khuri alleging negligence in the care and treatment of Mr. Bray.
In May 2010, after the parties had engaged in pretrial discovery, Mrs. Bray voluntarily
dismissed the suit.

       In May 2011, Mrs. Bray sent Dr. Khuri pre-suit notice of her healthcare liability
claim as required by section 29-26-121(a)(1). The pre-suit notice letter advised Dr. Khuri
of a potential claim by Mrs. Bray for the wrongful death of her husband arising out of the
medical and psychiatric treatment Dr. Khuri provided to Mr. Bray at Saint Francis
Hospital. The notice, which included a medical authorization signed by Mrs. Bray, stated
that Dr. Khuri was the only healthcare provider receiving the notice.

      In September 2011, Mrs. Bray filed a healthcare liability suit against Dr. Khuri.
Dr. Khuri moved to dismiss the case, asserting that Mrs. Bray had failed to provide a
HIPAA-compliant medical authorization under section 29-26-121(a)(2)(E). Dr. Khuri
argued that because the authorization was incomplete and not HIPAA-compliant,2 he


      2
          HIPAA regulations require a medical authorization to include the following:

      (i) A description of the information to be used or disclosed that identifies the information
      in a specific and meaningful fashion.

      (ii) The name or other specific identification of the person(s), or class of persons,
      authorized to make the requested use or disclosure.



                                                   -2-
could not discuss Mr. Bray’s medical records with counsel to prepare a defense to the
potential claim. Mrs. Bray responded, in part, that no authorization was required under
section 29-26-121(a)(2)(E) because Dr. Khuri was the only healthcare provider to whom
she sent pre-suit notice.

       The trial court granted Dr. Khuri’s motion and dismissed the complaint, finding
that the authorization provided by Mrs. Bray did not comply with HIPAA and did not
substantially comply with the requirements of Tennessee Code Annotated section
29-26-121(a)(2)(E). Further, the trial court ruled that Dr. Khuri was prejudiced by Mrs.
Bray’s deficient authorization because he could not use Mr. Bray’s records to prepare a
defense. The trial court concluded that it was not determinative that Dr. Khuri was the
only defendant and may have had the records.

       The Court of Appeals affirmed, holding that Mrs. Bray was required to furnish a
HIPAA-compliant authorization with the pre-suit notice even though Dr. Khuri was the
only healthcare provider notified of the claim. Bray v. Khuri, No.
W2015-00397-COA-R3-CV, 2015 WL 7775316, at *3, *5 (Tenn. Ct. App. Dec. 3, 2015).
The Court of Appeals reasoned that the goal of section 29-26-121(a)(2)(E) is to allow a
defendant to gain early access to a plaintiff’s medical records to evaluate the substantive
merits of the claim. Id. at *3 (quoting Stevens ex rel. Stevens v. Hickman Cmty. Health
Care Servs., Inc., 418 S.W.3d 547, 555 (Tenn. 2013)). The Court of Appeals concluded
that even though Dr. Khuri may have physically possessed the decedent’s records, he
could not review them with counsel to evaluate the merits of the claim absent a
HIPAA-compliant authorization. Id. The Court of Appeals further held that the
authorization failed to substantially comply with HIPAA requirements. Id. at *3–4.

       We granted Mrs. Bray’s application for permission to appeal.




       (iii) The name or other specific identification of the person(s), or class of persons, to
       whom the covered entity may make the requested use or disclosure.

       (iv) A description of each purpose of the requested use or disclosure. . . .

       (v) An expiration date or an expiration event that relates to the individual or the purpose
       of the use or disclosure. . . .

       (vi) Signature of the individual and date. If the authorization is signed by a personal
       representative of the individual, a description of such representative’s authority to act for
       the individual must also be provided.

45 C.F.R. § 164.508(c)(1).


                                                    -3-
                                              II.

        This case involves an interpretation of Tennessee Code Annotated section
29-26-121(a)(2)(E), which is a question of law we review de novo. See Stevens, 418
S.W.3d at 553 (citing Pratcher v. Methodist Healthcare Memphis Hosps., 407 S.W.3d
727, 734 (Tenn. 2013)). “[O]ur role is to ascertain and effectuate the legislature’s intent.”
Id. (citing Sullivan ex rel. Hightower v. Edwards Oil Co., 141 S.W.3d 544, 547 (Tenn.
2004)). We do not broaden or restrict a statute’s intended meaning, and we presume that
the legislature intended to give each word of the statute its full effect. Id. (citing Garrison
v. Bickford, 377 S.W.3d 659, 663 (Tenn. 2012); In re Estate of Trigg, 368 S.W.3d 483,
490 (Tenn. 2012)). When statutory language is clear and unambiguous, we accord the
language its plain meaning, understood in its ordinary and accepted usage, without a
forced interpretation. Foster v. Chiles, 467 S.W.3d 911, 914 (Tenn. 2015) (citing Baker v.
State, 417 S.W.3d 428, 433 (Tenn. 2013)); Stevens, 418 S.W.3d at 553 (citing Glassman,
Edwards, Wyatt, Tuttle & Cox, P.C. v. Wade, 404 S.W.3d 464, 467 (Tenn. 2013)).

       Tennessee Code Annotated section 29-26-121(a)(1) provides that a person
“asserting a potential claim for health care liability shall give written notice of the
potential claim to each health care provider that will be a named defendant at least sixty
(60) days before the filing of a complaint . . . .” Tenn. Code Ann. § 29-26-121(a)(1).
Tennessee Code Annotated section 29-26-121(a)(2)(E) states that the notice shall include
“[a] HIPAA compliant medical authorization permitting the provider receiving the notice
to obtain complete medical records from each other provider being sent a notice.” Id.
§ 29-26-121(a)(2)(E) (emphasis added).

        We hold that, based on the clear and unambiguous language of section
29-26-121(a)(2)(E), a plaintiff need not provide a HIPAA-compliant authorization when
a single healthcare provider is given pre-suit notice of a healthcare liability claim. The
authorization only allows a potential defendant to obtain the prospective plaintiff’s
medical records from any other healthcare provider also given notice and identified as a
potential defendant in the pre-suit notice. This authorization requirement is consistent
with section 29-26-121(d)(1), which specifies that all parties to a healthcare suit “shall be
entitled to obtain complete copies of the claimant’s medical records from any other
provider receiving notice” and that the claimant complies with this requirement by
providing a HIPAA-compliant medical authorization with pre-suit notice. Id.
§ 29-26-121(d)(1).

       Dr. Khuri argues that HIPAA prohibits the disclosure of a patient’s medical
records to counsel for evaluating the merits of a potential claim absent a valid medical
authorization. HIPAA, enacted in 1996, establishes requirements for protecting
confidential medical information by healthcare providers. As a general rule, HIPAA
prohibits a healthcare provider from using or disclosing protected health information
without a valid authorization. 45 C.F.R. § 164.508(a)(1). However, HIPAA regulations

                                              -4-
allow a healthcare provider to “use or disclose protected health information for treatment,
payment, or health care operations,” with some exceptions for certain uses or disclosure
requiring an authorization. 45 C.F.R. § 164.506(a) (emphasis added); see also id.
§ 164.506(c)(1). “Health care operations” include “[c]onducting or arranging for medical
review, legal services, and auditing functions.” Id. § 164.501 (emphasis added). The
United States Department of Health and Human Services (“HHS”), in its Frequently
Asked Questions (“FAQ”) for Professionals pages of its website, indicates that a
healthcare provider may use or disclose protected health information for litigation
“whether for judicial or administrative proceedings, . . . or as part of the covered entity’s
health care operations.”3 HHS further recognizes that “[i]n most cases, the covered entity
will share protected health information for litigation purposes with its lawyer, who is
either a workforce member or a business associate.”4 HIPAA regulations define a
“business associate” to include a person who provides legal services to or for a healthcare
provider. 45 C.F.R. § 160.103. HIPAA does not require Dr. Khuri to obtain a medical
authorization to use a patient’s medical records in his possession and consult with
counsel to evaluate the merits of a potential claim.

       Dr. Khuri argues that the HHS website indicates “health care operations” do not
include consultation with an attorney regarding a potential claim prior to the
commencement of a lawsuit. He emphasizes that the website refers to a “plaintiff or
defendant in a legal proceeding,” a “defendant in a malpractice action,” and “the course
of any judicial or administrative proceeding.” According to Dr. Khuri, this language
applies only to proceedings following the filing of a complaint.

       We disagree with Dr. Khuri’s narrow interpretation. Under HIPAA regulations,
“healthcare operations” include arranging for legal services. HHS has indicated that a
healthcare provider may share health information for “litigation purposes” with its
lawyer.5 HIPAA does not limit “legal services” and “litigation purposes” to pending
lawsuits. Although providing pre-suit notice does not commence a lawsuit, see Rajvongs
v. Wright, 432 S.W.3d 808, 811–12 (Tenn. 2013), pre-suit notice is a prerequisite to the
commencement of a healthcare liability claim and is provided to each healthcare provider
who “will be a named defendant” in the lawsuit.6 Mrs. Bray’s pre-suit notice was a

         3
          HIPAA for Professionals FAQ 704, HHS (Jan. 7, 2005), https://www.hhs.gov/hipaa/for-professionals/faq/704/may-
a-covered-entity-use-protected-health-information-for-litigation/index.html (citations omitted); HIPAA for Professionals
FAQ 705, HHS (Jan. 7, 2005), https://www.hhs.gov/hipaa/for-professionals/faq/705/may-a-covered-entity-in-a-legal-
proceeding-use-protected-health-information/index.html.
         4
             HIPAA for Professionals FAQ 705, supra note 3.
         5
             See HIPAA for Professionals FAQ 705, supra note 3.
         6
           See Tenn. Code Ann. § 29-26-121(a) (“Any person . . . asserting a potential claim for health
care liability shall give written notice of the potential claim to each health care provider that will be a


                                                          -5-
predicate to filing suit against Dr. Khuri. Mrs. Bray’s pre-suit notice to Dr. Khuri, as the
sole heathcare provider who would “be a named defendant,” sufficiently invoked the
regulatory exception to the general requirement of a HIPAA-compliant medical
authorization.

        Dr. Khuri relies on Roberts v. Prill, E2013-02202-COA-R3-CV, 2014 WL
2921930, at *6 (Tenn. Ct. App. June 26, 2014), no perm. app. filed, an unreported
decision, to support his argument that a HIPAA-compliant medical authorization was
required to enable him to use Mr. Bray’s medical records in his possession. Roberts,
however, is distinguishable. In Roberts, the plaintiff filed a healthcare liability suit
against the decedent’s treating oncologist and the specialty healthcare group that
employed the oncologist. Id. at *1. The trial court granted the defendants’ motions to
dismiss based on its finding that the plaintiff failed to provide a HIPAA-compliant
authorization and failed to attach a copy of the pre-suit notices to her complaint. The
Court of Appeals affirmed. Id. While Roberts and the case at bar are both healthcare
liability suits concerning incomplete medical authorizations, they are factually
distinguishable on a critical point: Roberts involved two defendants, whereas this case
involves a single defendant. Neither the trial court nor the Court of Appeals in Roberts
considered whether section 29-26-121(a)(2)(E) applies when a single healthcare provider
is named as a potential defendant.

       Last, Dr. Khuri argues that the Patient’s Privacy Protection Act, Tenn. Code Ann.
§§ 68-11-1501 to -1505, is more restrictive than HIPAA and bars the disclosure of
protected health information without proper authorization or a court order. Dr. Khuri also
argues that the protections afforded by Tennessee privacy laws are not preempted by
HIPAA or other federal laws. These arguments are without merit.

        The Patient’s Privacy Protection Act provides that “[e]very patient entering and
receiving care at a healthcare facility licensed by the board for licensing healthcare
facilities has the expectation of and right to privacy for care received at such facility.”
Tenn. Code Ann. § 68-11-1502. This statute applies only to healthcare facilities, not
physicians. More importantly, it authorizes a patient to recover damages for invasion of
privacy against a healthcare provider who publicly divulges the patient’s identifying
information. Id. § 68-11-1504. The healthcare liability act does not require a patient to
provide an authorization under this statute, and Mrs. Bray has not sued Dr. Khuri under
this statute. The Patient Privacy Protection Act does not support Dr. Khuri’s argument or
provide any basis for upholding the dismissal of Mrs. Bray’s claim.

      Because we conclude that Tennessee Code Annotated section 29-26-121(a)(2)(E)
does not apply here, where only a single healthcare provider received pre-suit notice as a

named defendant at least sixty (60) days before the filing of a complaint based upon health care liability
. . . .”) (emphasis added).


                                                   -6-
potential defendant, the issue of whether Mrs. Bray substantially complied with section
29-26-121(a)(2)(E) is pretermitted. The Patient’s Privacy Protection Act is also
inapplicable; therefore, we need not determine whether Tennessee’s privacy law conflicts
with or is preempted by HIPAA.

                                            III.

       After careful review, we hold that a HIPAA-compliant medical authorization was
not required under section 29-26-121(a)(2)(E) because Mrs. Bray’s pre-suit notice was
sent to a single provider. The judgments of the trial court and the Court of Appeals are
reversed, and this case is remanded to the trial court for further proceedings. The costs of
this appeal are taxed to Radwan R. Khuri, M.D., for which execution may issue if
necessary.




                                          SHARON G. LEE, JUSTICE




                                            -7-
