                         NOT RECOMMENDED FOR PUBLICATION
                                 File Name: 18a0228n.06

                                              No. 17-5621

                            UNITED STATES COURT OF APPEALS
                                 FOR THE SIXTH CIRCUIT

                                                                                         FILED
CHRISTOPHER RILEY; LYNN RILEY,                )                                   May 02, 2018
                                              )                               DEBORAH S. HUNT, Clerk
     Plaintiffs-Appellants,                   )
                                              )
v.                                            )                    ON APPEAL FROM THE
                                              )                    UNITED STATES DISTRICT
METHODIST        HEALTHCARE       MEMPHIS )                        COURT FOR THE WESTERN
HOSPITALS, aka Methodist University Hospital; )                    DISTRICT OF TENNESSEE
SEMMES MURPHEY CLINIC, P.C.; L. )
MADISON MICHAEL; JOHN DOES 1–25,              )
                                              )
     Defendants-Appellees.



BEFORE: BATCHELDER, SUTTON, and WHITE, Circuit Judges.

        HELENE N. WHITE, Circuit Judge.                  In this diversity-jurisdiction case alleging

medical-malpractice claims, Plaintiffs appeal the district court’s grant of Defendants’ motions to

dismiss and for judgment on the pleadings, asserting that the district court erred 1) in

determining that Plaintiffs’ pre-suit notice letter did not substantially comply with § 29-26-

121(a)(2)(E) of Tennessee’s Health Care Liability Act (HCLA)1 and the core elements of the

Health Insurance Portability and Accountability Act (HIPAA), and 2) by failing to support its

finding that Defendants suffered prejudice as a result of any deficiencies in Plaintiffs’ HIPAA

authorization forms. We AFFIRM.


1
 “In 2011, pursuant to the Tennessee Civil Justice Act of 2011, Tennessee Code Annotated sections 29–
26–115 through 122 and 202 of the Medical Malpractice Act were amended to replace the term ‘medical
malpractice’ with the term ‘health care liability.’ Tennessee Civil Justice Act of 2011, ch. 510 § 9, 2011
Tenn. Pub Acts 1505.” Ellithorpe v. Weismark, 479 S.W.3d 818, 824 n.6 (Tenn. 2015).
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.


                                                    I.

        Plaintiffs Christopher and Lynn Riley (Mrs. Riley) are married. Plaintiffs’ complaint

alleges that Christopher Riley (Riley) was admitted to Defendant Methodist Healthcare Memphis

Hospitals (Methodist) on October 2, 2014; Defendant Dr. L. Madison Michael, a physician at

Semmes Murphey Clinic (Semmes Murphey) who practices at Methodist and supervised Riley’s

care at Methodist, performed a biopsy of a small mass on Riley’s pituitary gland; when

Dr. Michael discharged Riley on October 9, 2014, spinal fluid was visibly leaking from the

drilled opening in his skull; Dr. Michael and Methodist nursing staff were aware of the leak and

should not have discharged him; once home, Riley suffered an excruciating headache, Mrs. Riley

contacted Dr. Michael, and Dr. Michael advised that she simply apply pressure to the opening in

Riley’s skull; Riley became incoherent on October 12 and was re-admitted to Methodist’s

intensive care unit, having developed bacterial meningitis;2 Riley was discharged twelve days

later and received in-home care for two weeks. PID 4-5. Plaintiffs’ complaint alleges that Dr.

Michael was negligent in discharging Riley on October 9, 2014, while fluid was visibly draining

from his skull, that Semmes-Murphey is vicariously liable for Dr. Michael’s negligent acts, and

that Methodist is vicariously liable through its employees for their failure to take the requisite

steps to ensure that Riley was not discharged on that date, and for failing to keep adequate

records of Riley’s care and failing to document the drainage from his skull. PID 5. Plaintiffs

allege that as a result of this negligence, Riley contracted bacterial meningitis, had to be re-

admitted to the hospital, and required in-home care after his second discharge. PID 5. Plaintiffs

further allege that Riley continues to “experience negative impacts on his daily life, including but

2
  According to the Centers for Disease Control and Prevention, “Bacterial meningitis is very serious and
can be deadly. Death can occur in as little as a few hours. Most people recover from meningitis.
However, permanent disabilities (such as brain damage, hearing loss, and learning disabilities) can result
from the infection.” https://www.cdc.gov/meningitis/bacterial.html.

                                                    2
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.


not limited to: headaches, a change in his personality, deficient memory, and other symptoms,”

and that his employment was negatively impacted. PID 8.

       Pursuant to HCLA § 29-26-121(a)(1), which requires that pre-suit written notice be given

to each healthcare provider that will be a named defendant at least sixty days before a health-

care-liability action is filed, Plaintiffs sent a pre-suit notice letter to the three Defendants on

September 30, 2015. PID 13-23. Plaintiffs filed their complaint on January 28, 2016, alleging

negligence, gross negligence, and loss of consortium, and attached to their complaint the pre-suit

notice letter and two HIPAA authorization forms, one addressed to Methodist and the other to

Semmes Murphey. PID 24-27; see also PID 320/Dist. Ct. Op.

       Methodist filed a motion to dismiss under Rule 12(b)(6), PID 50, in which Dr. Michael

and Semmes Murphey joined, arguing that Plaintiffs’ pre-suit notice was deficient in four ways:

1) it failed to enclose HIPAA-compliant authorizations allowing all providers “receiving the

notice to obtain complete medical records from each other provider being sent a notice,” as

required by HCLA § 29-26-121(a)(2)(E); 2) it failed to complete the portion of the HIPAA

authorization form that specifies who is entitled to receive the records from the provider as

required by 45 C.F.R. § 164.508(c)(1)(iii), and was thus not HIPAA compliant as required by

§ 29-16-121(a)(2)(E); 3) it failed to provide the address of the claimant authorizing notice as

required by § 29-26-121(a)(2)(B); and 4) it was served by mail only to Methodist’s agent for

service of process, and not also to Methodist’s current business address, as required by § 29-26-

121(a)(3)(B)(ii).   PID 53, 55-66.       Defendants argued that Plaintiffs demonstrated no

extraordinary cause to excuse compliance with the HCLA’s pre-suit notice requirements, PID

66-67, and that Plaintiffs’ claims were time barred under Tennessee’s one-year statute of




                                                3
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.


limitations applicable to health-care-liability actions.3 PID 67-71. In response, Plaintiffs argued

that they substantially complied with HCLA § 29-26-121 and that Defendants had not shown

prejudice. PID 182-85; PID 138-51.

       The district court concluded that the first two deficiencies prevented Plaintiffs’ pre-suit

notice from substantially complying with the HCLA, and that Defendants were prejudiced by

Plaintiffs’ noncompliance because they were prevented from lawfully disclosing Riley’s medical

records to one another. PID 335/Order Granting Defs. Mos. The district court dismissed

Plaintiffs’ complaint with prejudice after determining that Plaintiffs’ claims are time barred

because they accrued, at the latest, on October 12, 2014, when Riley was re-admitted to

Methodist, and the statute had not been extended by the faulty pre-suit notice. See supra n.3;

PID 335-37/Dist. Ct. Order Granting Defs. Mos., PID 339/J.

       Plaintiffs moved to alter or amend the judgment under Fed. R. Civ. P. 59(e) or for relief

from judgment under Rule 60(b), asserting that they had substantially complied with § 29-26-

121(a)(2)(E) and that the district court erred by not considering whether Defendants suffered

prejudice as a result of the alleged deficiencies in the HIPAA authorization forms. PID 350-

54/Mo. to Alter or Amend J. The district court denied Plaintiffs’ motion and they appealed. PID

460-89/Order Denying Mo.




3
 Actions for “injuries to the person” “shall be commenced within one (1) year after the cause of action
accrued.” Tenn. Code Ann. § 28-3-104(a)(1)(A).
Tolling is permitted under HCLA § 29-26-121:
       (c) When notice is given to a provider as provided in this section, the applicable statutes
       of limitations and repose shall be extended for a period of one hundred twenty (120) days
       from the date of expiration of the statute of limitations and statute of repose applicable to
       that provider . . . .
Tenn. Code Ann. § 29-26-121(c).
                                                    4
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.


                                                 II.

       We review de novo a district court’s grant of a motion to dismiss under Rule 12(b)(6),

Buck v. Thomas M. Cooley Law School, 597 F.3d. 812, 816 (6th Cir. 2010), and a motion for

judgment on the pleadings under Rule 12(c), Fortney & Weygandt, Inc. v. Am. Mfrs. Mut. Ins.

Co., 595 F.3d 308, 310 (6th Cir. 2010).

       Tennessee substantive law and federal procedural law apply in this diversity-jurisdiction

case. Shady Grove Orthopedic Assocs., P.A. v. Allstate Ins. Co., 559 U.S. 393, 417 (2010)

(Stevens, J., concurring in part and concurring in the judgment). When deciding issues of

substantive law, we apply the law of the state’s highest court. Saab Auto. AB v. Gen. Motors

Co., 770 F.3d 436, 440 (6th Cir. 2014). If the state’s highest court has not decided the applicable

law, we must ascertain the state law “‘from all relevant data,’ which includes the state’s appellate

court decisions.” Id. (quoting Garden City Osteopathic Hosp. v. HBE Corp., 55 F.3d 1126, 1130

(6th Cir. 1995)).

                                                 A.

       HCLA § 29-26-121 provides in pertinent part:

       (a)(1) Any person, or that person’s authorized agent, asserting a potential claim
       for health care liability shall give written notice of the potential claim to each
       health care provider that will be a named defendant at least sixty (60) days before
       the filing of a complaint based upon health care liability in any court of this state.

               (2) The notice shall include:
       ....
               (E) A HIPAA compliant medical authorization permitting the provider
                  receiving the notice to obtain complete medical records from each
                  other provider being sent a notice.
       ....
       (b) If a complaint is filed in any court alleging a claim for health care liability, the
       pleadings shall state whether each party has complied with subsection (a) and
       shall provide the documentation specified in subdivision (a)(2). The court may
       require additional evidence of compliance to determine if the provisions of this


                                                  5
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.


       section have been met. The court has discretion to excuse compliance with this
       section only for extraordinary cause shown.
       (d)(1) All parties in an action covered by this section shall be entitled to obtain
       complete copies of the claimant’s medical records from any other provider
       receiving notice. A party shall provide a copy of the specified portions of the
       claimant’s medical records as of the date of the receipt of a legally authorized
       written request for the records within thirty (30) days thereafter. The claimant
       complies with this requirement by providing the providers with the authorized
       HIPAA compliant medical authorization required to accompany the notice . . . .

Tenn. Code Ann. § 29-26-121(a)(2)(E), (b), & (d)(1).

       The elements of HIPAA-compliant medical authorizations are set forth in 45 C.F.R.

§ 164.508, titled “Uses and disclosures for which an authorization is required:”

       (a) Standard: Authorizations for uses and disclosures
               (1) Authorization required: General rule. Except as otherwise permitted
       or required by this subchapter, a covered entity may not use or disclose protected
       health information without an authorization that is valid under this section. When
       a covered entity obtains or receives a valid authorization for its use or disclosure
       of protected health information, such use or disclosure must be consistent with
       such authorization.
       ....
       (b) Implementation specifications: general requirements—
       ....
               (2) Defective authorizations. An authorization is not valid, if the
       document submitted has any of the following defects:
       ....
                      (ii) The authorization has not been filled out completely, with
               respect to an element described by paragraph (c) of this section, if
               applicable;
       ....
       (c) Implementation specifications: Core elements and requirements—

                (1) Core elements. A valid authorization under this section must contain
       at least the following elements:
                        (i) A description of the information to be used or disclosed that
                identifies the information in a specific and meaningful fashion.
                        (ii) The name or other specific identification of the person(s), or
                class of persons, authorized to make the requested use or disclosure.




                                                6
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.


                      (iii) The name or other specific identification of the person(s), or
              class of persons, to whom the covered entity may make the requested use
              or disclosure.
       ....

45 C.F.R. § 164.508.

                                               B.

       Under Tennessee law, a plaintiff must substantially comply with the requirements of

HCLA § 29-26-121(a)(2)(E). Stevens v. Hickman Comm. Health Care Servs., Inc., 418 S.W.3d

547, 555 (Tenn. 2013) (“A plaintiff’s less-than-perfect compliance with [] § 29-26-121(a)(2)(E) .

. . should not derail a healthcare liability claim. Non-substantive errors and omissions will not

always prejudice defendants by preventing them from obtaining a plaintiff’s relevant medical

records.”); see also Thurmond v. Mid-Cumberland Infectious Disease Consultants, PLC, 433

S.W.3d 512, 519–20 (Tenn. 2014).        “In determining whether a plaintiff has substantially

complied with a statutory requirement, a reviewing court should consider the extent and

significance of the plaintiff’s errors and omissions and whether the defendant was prejudiced by

the plaintiff’s noncompliance.” Stevens, 418 S.W.3d at 556; see also Arden v. Kozawa, 466

S.W.3d 758, 763 (Tenn. 2015); Thurmond, 433 S.W.3d at 513–14.

       The Tennessee Supreme Court in Stevens emphasized that “it is a threshold requirement

of [HCLA § 29-26-121(a)(2)(E)] that the plaintiff’s medical authorization must be sufficient to

enable defendants to obtain and review a plaintiff’s relevant medical records.” 418 S.W.3d at

555 (emphasis added).

       [T]he purpose of Tenn. Code Ann. § 29-26-121(a)(2)(E) is not to provide
       defendants with notice of a potential claim. Instead Tenn. Code Ann. § 29-26-
       121(a)(2)(E) serves to equip defendants with the actual means to evaluate the
       substantive merits of a plaintiff’s claim by enabling early access to a plaintiff’s
       medical records. Because HIPAA itself prohibits medical providers from using or
       disclosing a plaintiff’s medical records without a fully compliant authorization
       form, it is a threshold requirement of the statute that the plaintiff’s medical

                                               7
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.


       authorization must be sufficient to enable defendants to obtain and review a
       plaintiff’s medical records. See 45 C.F.R. § 164.508(a)(1) (“a covered entity may
       not use or disclose protected health information without an authorization that is
       valid under this section”). Tenn. Code Ann. § 29-26-121(d)(1) creates a statutory
       entitlement to the records governed by § 29-26-121(a)(2)(E). See Tenn. Code
       Ann. § 29-26-121(d)(1) (“All parties in an action covered by this section shall be
       entitled to obtain complete copies of the claimant’s medical records from any
       other provider receiving notice . . .”).

Stevens, 418 S.W.3d at 555 (emphasis in original, footnote omitted). The Tennessee Supreme

Court clarified in Thurmond:

       [W]e held [in Stevens] that “[n]on-substantive errors and omissions” and “[a]
       plaintiff’s less-than-perfect compliance” with [subsection] 29-26-121(a)(2)(E)
       will “not derail a healthcare liability claim” so long as the medical authorization
       provided is “sufficient to enable defendants to obtain and review a plaintiff’s
       relevant medical records.” Id. [Stevens, 418 S.W.3d at 555.]

Thurmond, 433 S.W.3d at 519–20 (emphasis added).

III. WHETHER PLAINTIFFS’ HIPAA AUTHORIZATIONS SUBSTANTIALLY
COMPLIED WITH HCLA § 29-26-121(a)(2)(E) and CORE HIPAA ELEMENTS


       Plaintiffs assert that their pre-suit notice substantially complied with the core elements of

HIPAA, see C.F.R. § 164.508(c)(1) quoted supra at 6-7, and therefore with HCLA § 29-26-

121(a)(2)(E).

       Plaintiffs attached to their pre-suit notice letter two HIPAA authorizations, one addressed

to Semmes Murphey and the other to Methodist; Plaintiffs failed to include a separate form for

Dr. Michael. The HIPAA authorizations attached to Plaintiffs’ pre-suit notice letter are titled

“HIPAA Compliant Authorization for the Release of Patient Information Pursuant to 45 C.F.R.

§ 164.508,” and left blank the four lines in the section that provides:




                                                  8
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.


           You are authorized to release the above records to the following representatives in
           the above-entitled matter who have agreed to pay reasonable charges made by you
           to supply copies of such records:

           __________________________________________________________________
           Name of Representative

           Representative Capacity (e.g., attorney, records requestor, agent, etc.)

           Street Address

           City, State and Zip Code

See PID 125, 27.4
                                                    A.

           Citing the order denying their motion to amend or alter the judgment, PID 460, Plaintiffs

assert that the district court “was confused as to the blanks” in their HIPAA authorizations and

“believed that the HIPAA release did not allow the co-defendants to obtain the records of the

others,” when, in fact, the blank in the HIPAA release “was for the person receiving the notice to

complete with his or her own authorized representative, not the information of any other

Defendant.” Appellants Br. 19-20. However, the district court was not confused; it observed

that Plaintiffs left blank the sections where they “were to list the persons to whom each provider

could disclose Mr. Riley’s records.” See C.F.R. § 145.608(c)(1)(iii) (“The name or other specific


4
    Plaintiffs’ counsel explained that he left this section blank:
           in order for the medical providers to be able to send the same to the specified member of
           their entity they wished. The Plaintiffs could have no way of knowing the identity of the
           exact person to whom the Defendants wished the records be disclosed. In an effort to be
           as accommodating as possible and to ensure that the Defendants could each obtain the
           relevant records and have them sent to whomever they wished, the Plaintiffs allowed the
           Defendants to complete the recipient section themselves. This gives credence to the
           proverb that no good deed goes unpunished. Had the Plaintiffs completed the form to
           include the name of a specific person within the Defendant’s organization, given their
           current complaints, it is all but certain that the Defendant would have argued that the
           Plaintiffs had handcuffed them by entering the “incorrect” person’s name and would have
           then sough[t] dismissal on that ground. This is a “catch-22” situation in all its glory.
PID 144/Pls. Mem. in Opp. to Def. Methodist’s Mo. to Dismiss; see also Appellants Br. 10.

                                                         9
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.


identification of the person(s), or class of persons, to whom the covered entity may make the

requested use or disclosure.”); PID 467/Order Denying Pls. Mo. to Alter or Amend J. Plaintiffs’

argument goes to the purported reasons they sent partially completed HIPAA authorizations, not

whether the authorizations substantially complied with the statutory requirement.

           Plaintiffs also assert that the pre-suit notice letter accompanying the HIPAA

authorizations narrowed the HIPAA release “by allowing the respective Defendants to provide

the information as to whom in their organizations were to receive Plaintiff’s medical records.”

Appellants Br. 24-25. According to Plaintiffs, the district court “seems to have incorrectly

concluded that the letter served to expand the HIPAA release when it, in fact, served to narrow it,

as allowed.” Id. at 25. We surmise that Plaintiffs are referring to the language advising

Defendants that HIPAA authorizations are attached and explaining their purpose5; but Plaintiffs

point to no particular language in the pre-suit notice letter to support this argument. Rather,

Plaintiffs assert that the HIPAA authorizations

           did not need to be expanded, for anyone whose name was included by the
           Defendant organization could have theoretically received the records. The
           HIPAA release was as expansive as it could have possibly been . . . . What the
           HIPAA needed was the specific information as to the actual recipient of the
           medical records within or on behalf of the Defendant organization: in other
           words, a narrowing of the release.[6]


5
    Plaintiffs’ pre-suit notice letter states in pertinent part:
           E. A HIPAA-compliant Medical Authorization permitting the provider receiving the
           notice to obtain complete medical records from each of the other providers being sent
           notice is enclosed . . . .
           ....
           As required by Tennessee Code Annotated § 29-26-121, Mr. Riley has executed a
           HIPAA-compliant medical authorization (enclosed herein) that authorizes you to obtain
           Mr. Riley’s complete medical records . . . .
PID 21-22.
6
    Appellants Br. 25. Plaintiffs rely on a “frequently asked question” regarding HIPAA on HHS’s website:


                                                           10
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.


       As explained in its order denying Plaintiffs’ motion to alter or amend the judgment, the

district court did not incorrectly conclude that Plaintiffs’ notice letter served to expand the

HIPAA releases:

       In the Dismissal Order, the Court addressed Plaintiffs’ argument that, according
       to guidance provided by HHS’s website, cover letters can supplement HIPAA
       authorizations for purposes of permitting provider-defendants to share a patient’s
       medical records with one another. (ECF No. 55 at PageID 329-30.) Assuming
       without deciding that the HHS website’s guidance was legal authority the Court
       could consider in its substantial-compliance determination under § 29-26-
       121(a)(2)(E), the Court noted that the HHS webpage instructed that cover letters
       can be used only to narrow a request, not to expand it. The Court noted that a
       Tennessee court had opined that a cover letter may be used to cure a blank portion
       of a HIPAA authorization form only if the letter explicitly authorizes the
       defendant to make any additions or changes to the authorization. (Id. (citing Bray
       [v. Khuri, No. W2015-00397-COA-R3-CV, 2015 WL 7775316, at *4 (Tenn. Ct.
       App. Dec. 3, 2015), rev’d on other grounds 523 S.W.3d 619 (Tenn. 2017)[7]]).
       The Court concluded that Plaintiffs’ notice letter did not give Defendants explicit
       authority to make additions or changes to Plaintiffs’ HIPAA Authorizations.
       (Id.).

       Plaintiffs argue that, by leaving blank the portion of the HIPAA Authorizations
       designating to whom each Defendant could release Mr. Riley’s records, the
       permission to release conferred by the Authorizations was maximally expansive,
       and the cover letter narrowed that permission to each of the three Defendants.
       (ECF No. 57-1 at PageID 359.) That argument assumes that the Authorizations

       Can an authorization be used together with other written instructions from the intended
       recipient of the information?
       Answer: A transmittal or cover letter can be used to narrow or provide specifics about a
       request for protected health information as described in an Authorization, but it cannot
       expand the scope of the Authorization.
       For example, if an individual has authorized the disclosure of “all medical records” to an
       insurance company, the insurance company could by cover letter narrow the request to
       the medical records for the last 12 months. The cover letter could also specify a
       particular employee or address for the “class of persons” designated in the Authorization
       to receive the information. By contrast, an insurance company could not by cover letter
       extend the expiration date of an Authorization, or expand the scope of information set
       forth in the Authorization.
See http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/479.html.
7
 In reversing the Tennessee Court of Appeals, the Tennessee Supreme Court did not mention the Court of
Appeals’s discussion of whether the plaintiffs’ notice letter gave the defendants authority to make
additions or changes to the plaintiffs’ HIPAA authorizations. See Bray v. Khuri, 523 S.W.3d 619, 621
(Tenn. 2017).

                                                  11
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.


        were actually HIPAA-compliant and permitted each Defendant to share Mr.
        Riley’s records with anyone it wished. As discussed above, however, because of
        the omissions in the Authorizations, Defendants were permitted to disclose the
        records to no one. Plaintiffs cite no authority that a cover letter can make a
        noncompliant HIPAA authorization compliant. Because a cover letter can only
        narrow a request, not expand it, it could not make Plaintiffs’ noncompliant
        HIPAA Authorizations compliant.
        In construing § 29-26-121(a)(2)(E), the Tennessee Supreme Court has recognized
        that the “penalties imposed upon covered entities that wrongfully disclose or
        obtain private health information in violation of HIPAA are . . . extremely
        severe.” Stevens, 418 S.W.3d at 555 n.6. As the Dismissal Order recognized,
        Tennessee law protects provider-defendants by sparing them the risk inherent in
        testing the sufficiency of a HIPAA authorization and by placing the burden of
        satisfying the THCLA’s pre-suit notice requirements on plaintiffs. (ECF No. 55
        at PageID 332, 334 (citing Stevens, 418 S.W.3d at 559).)
        Plaintiffs’ arguments that the Court misapplied HHS guidance or otherwise gave
        too little weight to language in the cover letter in its substantial-compliance
        determination are not well taken.

PID 474-76/Order Denying Pls. Mo. to Amend or Alter J. (emphasis in original).8

        Thus, we find no error in the district court’s conclusion that the cover letter did not render

the incomplete HIPAA authorization forms compliant.




8
  We note that the district court’s reasoning is supported by Lawson v. Knoxville Dermatology Group,
P.C., __S.W.3d __; No. E201700077COAR3CV, 2017 WL 3268535 (Tenn. Ct. App. Aug. 1, 2017),
perm. app. denied (Tenn. Nov. 16, 2017), which was decided during the pendency of this appeal and is
discussed infra at 17-18. In Lawson, the Tennessee Court of Appeals rejected the plaintiffs’ argument
that the list of health care providers attached to their pre-suit notice could supplement their HIPAA
authorization to satisfy a core element of HIPAA, specifically, 45 C.F.R. § 164.508(c)(1)(ii):
        [T]he Code of Federal Regulations, with certain exceptions not applicable here,
        specifically prohibits compound authorizations. See 45 C.F.R. § 164.508(b)(3) (“An
        authorization for use or disclosure of protected health information may not be combined
        with any other document to create a compound authorization . . . .”). This Court has
        previously “rejected the Plaintiffs’ contention that the authorization forms were sufficient
        when considered alongside the pre-suit notice letters that accompanied the forms.”
        See J.A.C. v. Methodist Healthcare Memphis Hosps., No. W2016-00024-COA-R3-CV,
        __ S.W.3d __, 2016 WL 6493229, at *8 (Nov. 2, 2016), perm. app. denied (Tenn. Mar. 9,
        2017). Therefore, the Lawsons could not combine their attached list of health care
        providers with the medical authorization in order to achieve substantial compliance.
Id. at *7. J.A.C. v. Methodist Healthcare, cited in Lawson, was decided after the district court granted
Defendants’ motions but before it denied Plaintiffs’ motion to amend or alter the judgment.

                                                    12
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.


                                                 B.

        Plaintiffs argue that the district court gave too much weight to Roberts v. Prill, No.

E2013-02202-COA-R3-CV, 2014 WL 2921930 (Tenn. Ct. App. June 26, 2014), which is

factually distinguishable because there were three errors in that HIPAA form, including that

Roberts’s counsel was the only person authorized to receive the records. However, the district

court in the instant case simply cited Roberts to support that leaving blank the section in the

HIPAA authorizations where Plaintiffs were to fill in the persons to whom each provider could

disclose records “is more than a ‘minor omission’ because Defendants were not authorized to

disclose records to one another.”          See Thurmond v. Mid–Cumberland Infectious Disease

Consultants, PLC, 433 S.W.3d at 5209; Lawson v. Knoxville Dermatology Group, P.C.,

__S.W.3d__; No. E201700077COAR3CV, 2017 WL 3268535, at *1, 3–4 (Tenn. Ct. App. Aug.

1, 2017), perm. app. denied (Tenn. Nov. 16, 2017) (holding that the plaintiffs did not

substantially comply with HCLA’s pre-suit notice requirement where their HIPAA

authorizations omitted the “name or other specific identification of the person(s), or class of

persons authorized to make the requested use or disclosure,” as 45 C.F.R. § 164.508(c)(1)(ii)

requires, noting, “Defendants are clearly prejudiced when unable, due to a form procedural error,

to obtain medical records needed for their legal defense.”). 2017 WL 3468535, at *1, 3–4.

        Plaintiffs further assert that Hargrow v. Shelby County, Tennessee, No. 13-2770, 2014

WL 3891651 (W.D. Tenn. Aug. 7, 2014), which held that there was substantial compliance with


9
  In Thurmond, the Tennessee Supreme Court reversed the Tennessee Court of Appeals’ dismissal of the
plaintiff’s complaint for failure to file with his complaint an affidavit of the party mailing the pre-suit
notice establishing that the specified notice was timely mailed by certified mail, see HCLA § 29-26-
121(a)(4), noting that “[t]he defendants did not allege that the lack of the affidavit resulted in prejudice.
Instead, the defendants contended that the pre-suit notice statute demands strict compliance with all its
requirements and that dismissal is the mandatory remedy for noncompliance.” Thurmond held that “the
statutory requirement of an affidavit of the person who sent pre-suit notice by certified mail may be
satisfied by substantial compliance,” and that the plaintiff substantially complied with the statute.

                                                      13
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.


the HCLA, is on point. Appellants Br. 17. But as the district court observed, Hargrow is

distinguishable because it involved only one medical provider. Although the plaintiff’s HIPAA

authorizations failed to provide the name and address of the provider releasing the records as

well as the contact information for the intended recipient, the district court in Hargrow

concluded that “those omissions did not prejudice CCS because CCS was the sole medical

provider” and the plaintiff “provided CCS sufficient notice to obtain the medical records

necessary for its defense.” Id. at *6.

       Plaintiffs next assert that Hamilton v. Abercrombie Radiological Consultants, Inc.,

487 S.W.3d 114 (Tenn. Ct. App. 2014), perm. app. denied (Tenn. May 15, 2015), closely mirrors

the facts here because the HIPAA authorizations in both cases had only “one blank field.”

Appellants Br. 18; Reply Br. 6-7. But the only omission in the HIPAA form in Hamilton was

that it was missing the date on which the plaintiff signed it. Hamilton, 487 S.W.3d at 120. The

Tennessee Court of Appeals held that the plaintiff substantially complied with the HCLA,

emphasizing that the HIPAA form “allowed disclosure” to the defendants:

       [D]espite the trial court’s holding that Appellees were prejudiced by failure to
       obtain the medical records due to the non-compliant HIPAA release, no evidence
       was adduced to support this finding. In addition, here, as in Roberts, the
       decedent’s medical records may, in fact, be held by the defendant, ARC, and may
       be accessible to Dr. Culhane by virtue of her employment with ARC. In Roberts,
       this Court rejected the argument that because the pertinent medical records were
       already in the defendants’ possession, this fact should result in a holding excusing
       full compliance with the statutory requirements. However, in Roberts, the
       HIPAA release only permitted use or disclosure of the medical records to
       plaintiff’s counsel. In the instant case, the medical release included no such
       limitation. While the release had an open date line, it allowed disclosure to the
       Appellees, which is a critical distinction between this case and Roberts.
       We read the Roberts holding in light of the particular shortcomings in the Roberts
       HIPAA form, which, as discussed above, were more substantive and substantial
       than the omitted date on the HIPAA form in the instant case. The relatively minor
       omission on Appellant’s HIPAA form, coupled with the lack of evidence that
       Appellees were prejudiced or otherwise denied access to medical records as a
       result of the missing date, leads us to conclude that the trial court applied the

                                               14
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.


       Stevens holding too harshly in this case. While we concede that it is not good
       practice to omit any of the C.F.R. criteria from a HIPAA form, we conclude that
       the relatively minor shortcoming in the HIPAA form here is not fatal to the
       Appellant’s cause of action. The Appellant substantially complied with § 29-26-
       121(a)(2)(E) because she provided Appellees sufficient notice to obtain the
       relevant medical records. Hargrow, 2014 WL 3891651, at *6 (citing Stevens, 418
       S.W.3d at 555).

Hamilton, 487 S.W.3d at 122. We glean from these cases that substantial compliance requires

that the noncomplying features of the authorization do not render it insufficient to authorize

access and use of the records. The trial court did not err in concluding that the authorizations

here did not permit that access and use.

                                                C.

       Plaintiffs’ remaining arguments go to the question whether defendant-providers must

show actual prejudice, i.e., must show that they were in fact denied access to medical records.

       Plaintiffs first assert that the district court gave Stevens too much weight because, unlike

in Stevens, Defendants here were not prejudiced by the omission in the HIPAA authorizations.

Appellants Br. 12-15. Relying on Justice Wade’s partial dissent in Stevens, Plaintiffs urge that

the question should be whether the purpose of pre-suit notice requirements has been frustrated,

that is, whether Defendants in fact were unable to procure the medical records to which they

were entitled. See Stevens, 418 S.W.3d at 564 (Wade, C.J., dissenting in part). Justice Wade

noted that the defendants “could easily have recognized the inadequacy of the medical

authorization,” and could have asked the plaintiff for a HIPAA compliant authorization, sought

the court’s assistance in ordering the plaintiff to provide medical records, or done nothing,

“making no effort to obtain the authorization needed to fully investigate the claim and

strategically lying in wait for the optimal moment to seek a dismissal.” Id. By doing nothing,

Justice Wade concluded, the defendants forfeited any claim of prejudice. Id. at 565.


                                                15
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.


          To the extent that Plaintiffs argue that Defendants had a duty to notify them of

deficiencies in the HIPAA authorizations, Stevens rejected that argument, 418 S.W.3d at 559,

and the Tennessee Supreme Court again rejected that argument in an order denying an

application for permission to appeal where the Plaintiff’s HIPAA authorization form, as in the

instant case, failed to comply with HCLA § 29-26-121(a)(2)(E):

          We note that the medical authorization Mr. Vaughn provided to the defendants
          before filing his original complaint was not HIPAA compliant, as required by
          Tenn. Code Ann. § 29-26-121(a)(2)(E). Among the issues raised in his pending
          application in this Court, Mr. Vaughn asserts that “the Defendants had a duty to
          inform the Plaintiff of the defective HIPAA authorization so that a HIPAA-
          compliant authorization could be provided to allow the Defendants to obtain the
          Plaintiff’s deceased wife’s medical records[.]” We explicitly rejected the same
          argument in Stevens v. Hickman Community Health Care Services, Inc.,
          418 S.W.3d 547, 559 (Tenn. 2013), and our holding in Stevens therefore would be
          dispositive of this issue raised by Mr. Vaughn. Moreover, the resolution of that
          issue would pretermit the other issues raised in Mr. Vaughn’s application for
          permission to appeal.

Vaughn v. Mt. States Health Alliance, No. E2012-01042-SC-R11-CV, 2014 Tenn. LEXIS 409

(Tenn. May 15, 2014).

          Plaintiffs read Hamilton and Hughes v. Henry County Medical Center, No. W2014-

01973-COA-R3-CV, 2015 WL 3562733 (Tenn. Ct. App. 2015), as supporting their view that

defendant-providers must affirmatively show that they were denied access to medical records in

order to establish prejudice.10        There is language in both cases suggesting as much.   See

Hamilton, 487 S.W.3d at 120 (“[T]here is no indication in the record that the Appellees were

denied access to any medical records sought as a result of the HIPAA form provided by the

Appellant.”); Hughes, at *3 (“The touchstone of this [substantial-compliance] analysis is whether

a party’s procedural error resulted in actual prejudice to an opposing party.”). However, these

cases are distinguishable and must be read together with the other Tennessee cases.

10
     See Appellants Br. 26-28; Reply Br. 8-11.

                                                  16
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.


       In Hamilton, where the only omission in the HIPAA authorization form was the signature

date, the court reversed the trial court’s dismissal of the plaintiffs’ complaint, concluding that the

trial court had interpreted Stevens too strictly and had improperly held that the defendant-

providers were prejudiced by failure to obtain the medical records due to the absence of the

signature date where there was no evidence to support that finding. 487 S.W.3d at 121–22. The

Hamilton court quoted the well-established proposition from Stevens,

       [b]ecause HIPAA itself prohibits medical providers from using or disclosing a
       plaintiff’s medical records without a fully compliant authorization form, it is a
       threshold requirement of the statute that the plaintiff’s medical authorization must
       be sufficient to enable defendants to obtain and review a plaintiff’s relevant
       medical records. See 45 C.F.R. § 164.508(a)(1) (“a covered entity may not use or
       disclose protected health information without an authorization that is valid under
       this section”.

Hamilton, 487 S.W.3d at 120 (quoting Stevens, 418 S.W.3d at 555). However, because of the

nature of the deficit in Hamilton, the court was not prepared to assume that defendants were

unable to obtain the records. In contrast, the authorizations here did not authorize Defendant to

obtain and use the records.

       The Tennessee Court of Appeals’ recent decision in Lawson, __S.W.3d__; 2017 WL

3268535, see supra n.8, involved an authorization that, unlike the Hamilton authorization, was

not substantially compliant. In Lawson, the defendants, a dermatology practice and a certified

physician’s assistant employed by the practice, moved to dismiss the complaint for failure to

comply with HCLA § 29-26-121(a)(2)(E) because the HIPAA authorizations omitted the “name

or other specific identification of the person(s), or class of persons authorized to make the

requested use or disclosure,” see 45 C.F.R. § 164.508(c)(1)(ii). Lawson, 2017 WL 3468535, at

*1, 3–4. The Tennessee Court of Appeals held that the plaintiffs had not substantially complied

with the HCLA, noting that, “[b]ecause HIPAA itself prohibits medical providers from using or


                                                 17
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.


disclosing a plaintiff’s medical records without a fully compliant authorization form, it is a

threshold requirement of the statute that the plaintiff’s medical authorization must be sufficient

to enable defendants to obtain and review a plaintiff’s relevant medical records.” Lawson, id. at

*4 (quoting Stevens, 418 S.W.3d at 555). The court in Lawson determined that the defendants

were prejudiced by the inadequacy of the HIPAA authorizations because the defendants would

not be allowed to obtain or use the plaintiff’s medical records to mount a defense, Lawson, id. at

*7, indicating that where the authorizations do not permit access and use, the defendant-

providers need not affirmatively show that they sought and were denied medical records in order

to establish prejudice, as Plaintiffs argue.

        In Hughes, due to a clerical error, the relevant HIPAA authorization form did not permit

the medical-center defendant to obtain the records of the physician provider. It was undisputed

that the physician treated the decedent at the medical center’s facility and had no records

independent of the medical-center’s records. The trial court refused to consider the absence of

prejudice, concluding instead that the failure to substantially comply with HIPAA was

conclusive. The Court of Appeals reviewed the cases sustaining and reversing dismissals for

failure to provide adequate authorizations, rejected the trial court’s refusal to consider the evident

lack of prejudice, and emphasized Stevens’ core holding that the statute

        serves to equip defendants with the actual means to evaluate the substantive
        merits of a plaintiff’s claim by enabling early access to a plaintiff’s medical
        records. Because HIPAA itself prohibits medical providers from using or
        disclosing a plaintiff's medical records without a fully compliant authorization
        form, it is a threshold requirement of the statute that the plaintiff's medical
        authorization must be sufficient to enable defendants to obtain and review a
        plaintiff's relevant medical records.

The court concluded that the goals were clearly satisfied because the medical center had both

notice and access to all the records, and “admittedly suffered no prejudice as a result of the


                                                 18
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.


medical authorization provided by Appellants.” Hughes, 2015 WL 3562733 at *5. Hughes does

indeed support that where there is no prejudice resulting from an authorization’s failure to

substantially comply with HIPAA, dismissal is improper.11 It does not follow, however, that a

provider given pre-suit authorizations that are inadequate to authorize access must affirmatively

show that it had no other means of access where there is no showing that another means of

access was in fact available.

        Plaintiffs argue that the instant case is analogous to Hughes, asserting that Defendants

were not prejudiced by Plaintiffs’ failure to substantially comply with HIPAA’s requirements

because Defendants had access to the relevant records without need for HIPAA authorizations.

Plaintiffs first asserted this argument in their motion to amend or alter judgment, attaching

answers to interrogatories by Dr. Michael and Methodist, which they asserted showed that the

three Defendants had full access to Riley’s records prior to the filing of the suit. PID 354-

57/Mo. to Alter or Amend J.; PID 373 # 20 (Dr. Michael’s Answers to Interrogatories); PID 404-

05 #19 (Methodist’s Answers to Interrogatories). The district court determined that Plaintiffs’

“new factual argument” was not properly before the court because Plaintiffs had failed to raise it

in response to Defendants’ motions, and Plaintiffs had received all of Defendants’ interrogatory

responses weeks before the court ruled on Defendants’ motions, but failed to supplement the

record or otherwise notify the district court of the new evidence. PID 479-80. Under the

circumstances, it was well within the district court’s discretion to decline to consider Plaintiff’s

new argument.



11
  This is consistent with the language in Hamilton raising the possibility that substantial compliance
might be excused where the defendants have access to each other’s records by virtue of their relationship,
without regard to any HIPAA authorizations: “the decedent’s medical records may, in fact, be held by the
defendant ARC, and may be accessible to Dr. Culhane by virtue of her employment with ARC.” 487
S.W.3d at 122.

                                                   19
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.


          The district court also determined that “the interrogatory responses do not clearly

establish that no Defendant suffered prejudice,” noting that “Methodist may have had access to

some of Mr. Riley’s relevant records, but Methodist’s interrogatory responses do not establish

that it had access to any relevant records that might have been in the Semmes Murphey

Defendants’ possession.” Defendants’ answers to interrogatories reveal that Riley had visited

Semmes Murphey Clinic both before and after his surgery at Methodist. Thus, Plaintiffs failed

to adequately raise and establish that although the authorizations did not substantially comply

with HIPAA, Defendants suffered no prejudice because they already had full access to the

records.

                                                   C.

          Plaintiffs’ final argument is that this case “is essentially a one-provider case” because all

alleged negligence occurred during Riley’s hospitalization at Methodist after Dr. Michael

performed the biopsy, and all records would be held by Methodist and accessible by Dr. Michael,

as a healthcare provider who rendered care to Riley at Methodist. This argument is somewhat

different from the one just addressed. Plaintiffs rely on Bray v. Khuri, 523 S.W.3d 619 (Tenn.

2017),12 which was decided after the district court granted Defendants’ motions and denied

Plaintiffs’ motion to alter or amend the judgment. But Bray is a statutory interpretation case, not

a prejudice case. Bray held that the HIPAA authorization requirement applies only where more

than one healthcare provider is given pre-suit notice. The Tennessee Supreme Court explained:

          based on the clear and unambiguous language of section 29-26-121(a)(2)(E), a
          plaintiff need not provide a HIPAA-compliant authorization when a single
          healthcare provider is given pre-suit notice of a healthcare liability claim. The
          authorization only allows a potential defendant to obtain the prospective
          plaintiff’s medical records from any other healthcare provider also given notice
          and identified as a potential defendant in the pre-suit notice. This authorization

12
     Appellants Br. 31-33; Reply Br. 11-12.

                                                   20
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.


       requirement is consistent with section 29-26-121(d)(1), which specifies that all
       parties to a healthcare suit “shall be entitled to obtain complete copies of the
       claimant’s medical records from any other provider receiving notice” and that the
       claimant complies with this requirement by providing a HIPAA-compliant
       medical authorization with pre-suit notice. Id. § 29-26-121(d)(1).

Bray, 523 S.W.3d at 622. Given that Plaintiffs sent pre-suit notice to three healthcare providers,

Bray is inapposite.

                                               IV.

       We conclude that the district court committed no error in interpreting and applying

Tennessee law and AFFIRM.




                                               21
