Riley v. Methodist Healthcare Memphis Hosps.

Full title: CHRISTOPHER RILEY; LYNN RILEY, Plaintiffs-Appellants, v. METHODIST…

Court: UNITED STATES COURT OF APPEALS FOR THE SIXTH CIRCUIT

Date published: May 2, 2018

No. 17-5621 (6th Cir. May. 2, 2018)

Opinion

No. 17-5621

05-02-2018

CHRISTOPHER RILEY; LYNN RILEY, Plaintiffs-Appellants, v. METHODIST HEALTHCARE MEMPHIS HOSPITALS, aka Methodist University Hospital; SEMMES MURPHEY CLINIC, P.C.; L. MADISON MICHAEL; JOHN DOES 1-25, Defendants-Appellees.

HELENE N. WHITE, Circuit Judge.

NOT RECOMMENDED FOR PUBLICATION
File Name: 18a0228n.06 ON APPEAL FROM THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF TENNESSEE BEFORE: BATCHELDER, SUTTON, and WHITE, Circuit Judges.

HELENE N. WHITE, Circuit Judge. In this diversity-jurisdiction case alleging medical-malpractice claims, Plaintiffs appeal the district court's grant of Defendants' motions to dismiss and for judgment on the pleadings, asserting that the district court erred 1) in determining that Plaintiffs' pre-suit notice letter did not substantially comply with § 29-26-121(a)(2)(E) of Tennessee's Health Care Liability Act (HCLA)¹ and the core elements of the Health Insurance Portability and Accountability Act (HIPAA), and 2) by failing to support its finding that Defendants suffered prejudice as a result of any deficiencies in Plaintiffs' HIPAA authorization forms. We AFFIRM.

1 "In 2011, pursuant to the Tennessee Civil Justice Act of 2011, Tennessee Code Annotated sections 29-26-115 through 122 and 202 of the Medical Malpractice Act were amended to replace the term 'medical malpractice' with the term 'health care liability.' Tennessee Civil Justice Act of 2011, ch. 510 § 9, 2011 Tenn. Pub Acts 1505." Ellithorpe v. Weismark, 479 S.W.3d 818, 824 n.6 (Tenn. 2015).

I.

Plaintiffs Christopher and Lynn Riley (Mrs. Riley) are married. Plaintiffs' complaint alleges that Christopher Riley (Riley) was admitted to Defendant Methodist Healthcare Memphis Hospitals (Methodist) on October 2, 2014; Defendant Dr. L. Madison Michael, a physician at Semmes Murphey Clinic (Semmes Murphey) who practices at Methodist and supervised Riley's care at Methodist, performed a biopsy of a small mass on Riley's pituitary gland; when Dr. Michael discharged Riley on October 9, 2014, spinal fluid was visibly leaking from the drilled opening in his skull; Dr. Michael and Methodist nursing staff were aware of the leak and should not have discharged him; once home, Riley suffered an excruciating headache, Mrs. Riley contacted Dr. Michael, and Dr. Michael advised that she simply apply pressure to the opening in Riley's skull; Riley became incoherent on October 12 and was re-admitted to Methodist's intensive care unit, having developed bacterial meningitis;² Riley was discharged twelve days later and received in-home care for two weeks. PID 4-5. Plaintiffs' complaint alleges that Dr. Michael was negligent in discharging Riley on October 9, 2014, while fluid was visibly draining from his skull, that Semmes-Murphey is vicariously liable for Dr. Michael's negligent acts, and that Methodist is vicariously liable through its employees for their failure to take the requisite steps to ensure that Riley was not discharged on that date, and for failing to keep adequate records of Riley's care and failing to document the drainage from his skull. PID 5. Plaintiffs allege that as a result of this negligence, Riley contracted bacterial meningitis, had to be re-admitted to the hospital, and required in-home care after his second discharge. PID 5. Plaintiffs further allege that Riley continues to "experience negative impacts on his daily life, including but not limited to: headaches, a change in his personality, deficient memory, and other symptoms," and that his employment was negatively impacted. PID 8.

2 According to the Centers for Disease Control and Prevention, "Bacterial meningitis is very serious and can be deadly. Death can occur in as little as a few hours. Most people recover from meningitis. However, permanent disabilities (such as brain damage, hearing loss, and learning disabilities) can result from the infection." https://www.cdc.gov/meningitis/bacterial.html.

Pursuant to HCLA § 29-26-121(a)(1), which requires that pre-suit written notice be given to each healthcare provider that will be a named defendant at least sixty days before a health-care-liability action is filed, Plaintiffs sent a pre-suit notice letter to the three Defendants on September 30, 2015. PID 13-23. Plaintiffs filed their complaint on January 28, 2016, alleging negligence, gross negligence, and loss of consortium, and attached to their complaint the pre-suit notice letter and two HIPAA authorization forms, one addressed to Methodist and the other to Semmes Murphey. PID 24-27; see also PID 320/Dist. Ct. Op.

Methodist filed a motion to dismiss under Rule 12(b)(6), PID 50, in which Dr. Michael and Semmes Murphey joined, arguing that Plaintiffs' pre-suit notice was deficient in four ways: 1) it failed to enclose HIPAA-compliant authorizations allowing all providers "receiving the notice to obtain complete medical records from each other provider being sent a notice," as required by HCLA § 29-26-121(a)(2)(E); 2) it failed to complete the portion of the HIPAA authorization form that specifies who is entitled to receive the records from the provider as required by 45 C.F.R. § 164.508(c)(1)(iii), and was thus not HIPAA compliant as required by § 29-16-121(a)(2)(E); 3) it failed to provide the address of the claimant authorizing notice as required by § 29-26-121(a)(2)(B); and 4) it was served by mail only to Methodist's agent for service of process, and not also to Methodist's current business address, as required by § 29-26-121(a)(3)(B)(ii). PID 53, 55-66. Defendants argued that Plaintiffs demonstrated no extraordinary cause to excuse compliance with the HCLA's pre-suit notice requirements, PID 66-67, and that Plaintiffs' claims were time barred under Tennessee's one-year statute of limitations applicable to health-care-liability actions.³ PID 67-71. In response, Plaintiffs argued that they substantially complied with HCLA § 29-26-121 and that Defendants had not shown prejudice. PID 182-85; PID 138-51.

3 Actions for "injuries to the person" "shall be commenced within one (1) year after the cause of action accrued." Tenn. Code Ann. § 28-3-104(a)(1)(A). Tolling is permitted under HCLA § 29-26-121:

(c) When notice is given to a provider as provided in this section, the applicable statutes of limitations and repose shall be extended for a period of one hundred twenty (120) days from the date of expiration of the statute of limitations and statute of repose applicable to that provider . . . .

Tenn. Code Ann. § 29-26-121(c).

The district court concluded that the first two deficiencies prevented Plaintiffs' pre-suit notice from substantially complying with the HCLA, and that Defendants were prejudiced by Plaintiffs' noncompliance because they were prevented from lawfully disclosing Riley's medical records to one another. PID 335/Order Granting Defs. Mos. The district court dismissed Plaintiffs' complaint with prejudice after determining that Plaintiffs' claims are time barred because they accrued, at the latest, on October 12, 2014, when Riley was re-admitted to Methodist, and the statute had not been extended by the faulty pre-suit notice. See supra n.3; PID 335-37/Dist. Ct. Order Granting Defs. Mos., PID 339/J.

Plaintiffs moved to alter or amend the judgment under Fed. R. Civ. P. 59(e) or for relief from judgment under Rule 60(b), asserting that they had substantially complied with § 29-26-121(a)(2)(E) and that the district court erred by not considering whether Defendants suffered prejudice as a result of the alleged deficiencies in the HIPAA authorization forms. PID 350-54/Mo. to Alter or Amend J. The district court denied Plaintiffs' motion and they appealed. PID 460-89/Order Denying Mo.

II.

We review de novo a district court's grant of a motion to dismiss under Rule 12(b)(6), Buck v. Thomas M. Cooley Law School, 597 F.3d. 812, 816 (6th Cir. 2010), and a motion for judgment on the pleadings under Rule 12(c), Fortney & Weygandt, Inc. v. Am. Mfrs. Mut. Ins. Co., 595 F.3d 308, 310 (6th Cir. 2010).

Tennessee substantive law and federal procedural law apply in this diversity-jurisdiction case. Shady Grove Orthopedic Assocs., P.A. v. Allstate Ins. Co., 559 U.S. 393, 417 (2010) (Stevens, J., concurring in part and concurring in the judgment). When deciding issues of substantive law, we apply the law of the state's highest court. Saab Auto. AB v. Gen. Motors Co., 770 F.3d 436, 440 (6th Cir. 2014). If the state's highest court has not decided the applicable law, we must ascertain the state law "'from all relevant data,' which includes the state's appellate court decisions." Id. (quoting Garden City Osteopathic Hosp. v. HBE Corp., 55 F.3d 1126, 1130 (6th Cir. 1995)).

A.

HCLA § 29-26-121 provides in pertinent part:

(a)(1) Any person, or that person's authorized agent, asserting a potential claim for health care liability shall give written notice of the potential claim to each health care provider that will be a named defendant at least sixty (60) days before the filing of a complaint based upon health care liability in any court of this state.

(2) The notice shall include:

. . . .

(E) A HIPAA compliant medical authorization permitting the provider receiving the notice to obtain complete medical records from each other provider being sent a notice.

. . . .
(b) If a complaint is filed in any court alleging a claim for health care liability, the pleadings shall state whether each party has complied with subsection (a) and shall provide the documentation specified in subdivision (a)(2). The court may require additional evidence of compliance to determine if the provisions of this

section have been met. The court has discretion to excuse compliance with this section only for extraordinary cause shown.
(d)(1) All parties in an action covered by this section shall be entitled to obtain complete copies of the claimant's medical records from any other provider receiving notice. A party shall provide a copy of the specified portions of the claimant's medical records as of the date of the receipt of a legally authorized written request for the records within thirty (30) days thereafter. The claimant complies with this requirement by providing the providers with the authorized HIPAA compliant medical authorization required to accompany the notice . . . .

Tenn. Code Ann. § 29-26-121(a)(2)(E), (b), & (d)(1).

The elements of HIPAA-compliant medical authorizations are set forth in 45 C.F.R. § 164.508, titled "Uses and disclosures for which an authorization is required:"

(a) Standard: Authorizations for uses and disclosures
(1) Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization.
. . . .
(b) Implementation specifications: general requirements—
. . . .
(2) Defective authorizations. An authorization is not valid, if the document submitted has any of the following defects:
. . . .

(ii) The authorization has not been filled out completely, with respect to an element described by paragraph (c) of this section, if applicable;

. . . .
(c) Implementation specifications: Core elements and requirements—

(1) Core elements. A valid authorization under this section must contain at least the following elements:

(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.

(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.

. . . .

45 C.F.R. § 164.508.

B.

Under Tennessee law, a plaintiff must substantially comply with the requirements of HCLA § 29-26-121(a)(2)(E). Stevens v. Hickman Comm. Health Care Servs., Inc., 418 S.W.3d 547, 555 (Tenn. 2013) ("A plaintiff's less-than-perfect compliance with [] § 29-26-121(a)(2)(E) . . . should not derail a healthcare liability claim. Non-substantive errors and omissions will not always prejudice defendants by preventing them from obtaining a plaintiff's relevant medical records."); see also Thurmond v. Mid-Cumberland Infectious Disease Consultants, PLC, 433 S.W.3d 512, 519-20 (Tenn. 2014). "In determining whether a plaintiff has substantially complied with a statutory requirement, a reviewing court should consider the extent and significance of the plaintiff's errors and omissions and whether the defendant was prejudiced by the plaintiff's noncompliance." Stevens, 418 S.W.3d at 556; see also Arden v. Kozawa, 466 S.W.3d 758, 763 (Tenn. 2015); Thurmond, 433 S.W.3d at 513-14.

The Tennessee Supreme Court in Stevens emphasized that "it is a threshold requirement of [HCLA § 29-26-121(a)(2)(E)] that the plaintiff's medical authorization must be sufficient to enable defendants to obtain and review a plaintiff's relevant medical records." 418 S.W.3d at 555 (emphasis added).

[T]he purpose of Tenn. Code Ann. § 29-26-121(a)(2)(E) is not to provide defendants with notice of a potential claim. Instead Tenn. Code Ann. § 29-26-121(a)(2)(E) serves to equip defendants with the actual means to evaluate the substantive merits of a plaintiff's claim by enabling early access to a plaintiff's medical records. Because HIPAA itself prohibits medical providers from using or disclosing a plaintiff's medical records without a fully compliant authorization form, it is a threshold requirement of the statute that the plaintiff's medical

authorization must be sufficient to enable defendants to obtain and review a plaintiff's medical records. See 45 C.F.R. § 164.508(a)(1) ("a covered entity may not use or disclose protected health information without an authorization that is valid under this section"). Tenn. Code Ann. § 29-26-121(d)(1) creates a statutory entitlement to the records governed by § 29-26-121(a)(2)(E). See Tenn. Code Ann. § 29-26-121(d)(1) ("All parties in an action covered by this section shall be entitled to obtain complete copies of the claimant's medical records from any other provider receiving notice . . .").

Stevens, 418 S.W.3d at 555 (emphasis in original, footnote omitted). The Tennessee Supreme Court clarified in Thurmond:

[W]e held [in Stevens] that "[n]on-substantive errors and omissions" and "[a] plaintiff's less-than-perfect compliance" with [subsection] 29-26-121(a)(2)(E) will "not derail a healthcare liability claim" so long as the medical authorization provided is "sufficient to enable defendants to obtain and review a plaintiff's relevant medical records." Id. [Stevens, 418 S.W.3d at 555.]

Thurmond, 433 S.W.3d at 519-20 (emphasis added).

III. WHETHER PLAINTIFFS' HIPAA AUTHORIZATIONS SUBSTANTIALLY COMPLIED WITH HCLA § 29-26-121(a)(2)(E) and CORE HIPAA ELEMENTS

Plaintiffs assert that their pre-suit notice substantially complied with the core elements of HIPAA, see C.F.R. § 164.508(c)(1) quoted supra at 6-7, and therefore with HCLA § 29-26-121(a)(2)(E).

Plaintiffs attached to their pre-suit notice letter two HIPAA authorizations, one addressed to Semmes Murphey and the other to Methodist; Plaintiffs failed to include a separate form for Dr. Michael. The HIPAA authorizations attached to Plaintiffs' pre-suit notice letter are titled "HIPAA Compliant Authorization for the Release of Patient Information Pursuant to 45 C.F.R. § 164.508," and left blank the four lines in the section that provides:

You are authorized to release the above records to the following representatives in the above-entitled matter who have agreed to pay reasonable charges made by you to supply copies of such records:

__________
Name of Representative

__________
Representative Capacity (e.g., attorney, records requestor, agent, etc.)

__________
Street Address

__________
City, State and Zip Code

See PID 125, 27.⁴

4 Plaintiffs' counsel explained that he left this section blank:

in order for the medical providers to be able to send the same to the specified member of their entity they wished. The Plaintiffs could have no way of knowing the identity of the exact person to whom the Defendants wished the records be disclosed. In an effort to be as accommodating as possible and to ensure that the Defendants could each obtain the relevant records and have them sent to whomever they wished, the Plaintiffs allowed the Defendants to complete the recipient section themselves. This gives credence to the proverb that no good deed goes unpunished. Had the Plaintiffs completed the form to include the name of a specific person within the Defendant's organization, given their current complaints, it is all but certain that the Defendant would have argued that the Plaintiffs had handcuffed them by entering the "incorrect" person's name and would have then sough[t] dismissal on that ground. This is a "catch-22" situation in all its glory.

PID 144/Pls. Mem. in Opp. to Def. Methodist's Mo. to Dismiss; see also Appellants Br. 10.

A.

Citing the order denying their motion to amend or alter the judgment, PID 460, Plaintiffs assert that the district court "was confused as to the blanks" in their HIPAA authorizations and "believed that the HIPAA release did not allow the co-defendants to obtain the records of the others," when, in fact, the blank in the HIPAA release "was for the person receiving the notice to complete with his or her own authorized representative, not the information of any other Defendant." Appellants Br. 19-20. However, the district court was not confused; it observed that Plaintiffs left blank the sections where they "were to list the persons to whom each provider could disclose Mr. Riley's records." See C.F.R. § 145.608(c)(1)(iii) ("The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure."); PID 467/Order Denying Pls. Mo. to Alter or Amend J. Plaintiffs' argument goes to the purported reasons they sent partially completed HIPAA authorizations, not whether the authorizations substantially complied with the statutory requirement.

Plaintiffs also assert that the pre-suit notice letter accompanying the HIPAA authorizations narrowed the HIPAA release "by allowing the respective Defendants to provide the information as to whom in their organizations were to receive Plaintiff's medical records." Appellants Br. 24-25. According to Plaintiffs, the district court "seems to have incorrectly concluded that the letter served to expand the HIPAA release when it, in fact, served to narrow it, as allowed." Id. at 25. We surmise that Plaintiffs are referring to the language advising Defendants that HIPAA authorizations are attached and explaining their purpose⁵; but Plaintiffs point to no particular language in the pre-suit notice letter to support this argument. Rather, Plaintiffs assert that the HIPAA authorizations

5 Plaintiffs' pre-suit notice letter states in pertinent part:

E. A HIPAA-compliant Medical Authorization permitting the provider receiving the notice to obtain complete medical records from each of the other providers being sent notice is enclosed . . . .

. . . .

As required by Tennessee Code Annotated § 29-26-121, Mr. Riley has executed a HIPAA-compliant medical authorization (enclosed herein) that authorizes you to obtain Mr. Riley's complete medical records . . . .

PID 21-22.

did not need to be expanded, for anyone whose name was included by the Defendant organization could have theoretically received the records. The HIPAA release was as expansive as it could have possibly been . . . . What the HIPAA needed was the specific information as to the actual recipient of the medical records within or on behalf of the Defendant organization: in other words, a narrowing of the release.[⁶]

6 Appellants Br. 25. Plaintiffs rely on a "frequently asked question" regarding HIPAA on HHS's website:

Can an authorization be used together with other written instructions from the intended recipient of the information?

Answer: A transmittal or cover letter can be used to narrow or provide specifics about a request for protected health information as described in an Authorization, but it cannot expand the scope of the Authorization.

For example, if an individual has authorized the disclosure of "all medical records" to an insurance company, the insurance company could by cover letter narrow the request to the medical records for the last 12 months. The cover letter could also specify a particular employee or address for the "class of persons" designated in the Authorization to receive the information. By contrast, an insurance company could not by cover letter extend the expiration date of an Authorization, or expand the scope of information set forth in the Authorization.

As explained in its order denying Plaintiffs' motion to alter or amend the judgment, the district court did not incorrectly conclude that Plaintiffs' notice letter served to expand the HIPAA releases:

In the Dismissal Order, the Court addressed Plaintiffs' argument that, according to guidance provided by HHS's website, cover letters can supplement HIPAA authorizations for purposes of permitting provider-defendants to share a patient's medical records with one another. (ECF No. 55 at PageID 329-30.) Assuming without deciding that the HHS website's guidance was legal authority the Court could consider in its substantial-compliance determination under § 29-26-121(a)(2)(E), the Court noted that the HHS webpage instructed that cover letters can be used only to narrow a request, not to expand it. The Court noted that a Tennessee court had opined that a cover letter may be used to cure a blank portion of a HIPAA authorization form only if the letter explicitly authorizes the defendant to make any additions or changes to the authorization. (Id. (citing Bray [v. Khuri, No. W2015-00397-COA-R3-CV, 2015 WL 7775316, at *4 (Tenn. Ct. App. Dec. 3, 2015), rev'd on other grounds 523 S.W.3d 619 (Tenn. 2017)[⁷]]). The Court concluded that Plaintiffs' notice letter did not give Defendants explicit authority to make additions or changes to Plaintiffs' HIPAA Authorizations. (Id.).

Plaintiffs argue that, by leaving blank the portion of the HIPAA Authorizations designating to whom each Defendant could release Mr. Riley's records, the permission to release conferred by the Authorizations was maximally expansive, and the cover letter narrowed that permission to each of the three Defendants. (ECF No. 57-1 at PageID 359.) That argument assumes that the Authorizations

were actually HIPAA-compliant and permitted each Defendant to share Mr. Riley's records with anyone it wished. As discussed above, however, because of the omissions in the Authorizations, Defendants were permitted to disclose the records to no one. Plaintiffs cite no authority that a cover letter can make a noncompliant HIPAA authorization compliant. Because a cover letter can only narrow a request, not expand it, it could not make Plaintiffs' noncompliant HIPAA Authorizations compliant.
In construing § 29-26-121(a)(2)(E), the Tennessee Supreme Court has recognized that the "penalties imposed upon covered entities that wrongfully disclose or obtain private health information in violation of HIPAA are . . . extremely severe." Stevens, 418 S.W.3d at 555 n.6. As the Dismissal Order recognized, Tennessee law protects provider-defendants by sparing them the risk inherent in testing the sufficiency of a HIPAA authorization and by placing the burden of satisfying the THCLA's pre-suit notice requirements on plaintiffs. (ECF No. 55 at PageID 332, 334 (citing Stevens, 418 S.W.3d at 559).)
Plaintiffs' arguments that the Court misapplied HHS guidance or otherwise gave too little weight to language in the cover letter in its substantial-compliance determination are not well taken.

PID 474-76/Order Denying Pls. Mo. to Amend or Alter J. (emphasis in original).⁸

7 In reversing the Tennessee Court of Appeals, the Tennessee Supreme Court did not mention the Court of Appeals's discussion of whether the plaintiffs' notice letter gave the defendants authority to make additions or changes to the plaintiffs' HIPAA authorizations. See Bray v. Khuri, 523 S.W.3d 619, 621 (Tenn. 2017).

8 We note that the district court's reasoning is supported by Lawson v. Knoxville Dermatology Group, P.C., ___S.W.3d ___; No. E201700077COAR3CV, 2017 WL 3268535 (Tenn. Ct. App. Aug. 1, 2017), perm. app. denied (Tenn. Nov. 16, 2017), which was decided during the pendency of this appeal and is discussed infra at 17-18. In Lawson, the Tennessee Court of Appeals rejected the plaintiffs' argument that the list of health care providers attached to their pre-suit notice could supplement their HIPAA authorization to satisfy a core element of HIPAA, specifically, 45 C.F.R. § 164.508(c)(1)(ii):

[T]he Code of Federal Regulations, with certain exceptions not applicable here, specifically prohibits compound authorizations. See 45 C.F.R. § 164.508(b)(3) ("An authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization . . . ."). This Court has previously "rejected the Plaintiffs' contention that the authorization forms were sufficient when considered alongside the pre-suit notice letters that accompanied the forms." See J.A.C. v. Methodist Healthcare Memphis Hosps., No. W2016-00024-COA-R3-CV, ___ S.W.3d ___, 2016 WL 6493229, at *8 (Nov. 2, 2016), perm. app. denied (Tenn. Mar. 9, 2017). Therefore, the Lawsons could not combine their attached list of health care providers with the medical authorization in order to achieve substantial compliance.

Thus, we find no error in the district court's conclusion that the cover letter did not render the incomplete HIPAA authorization forms compliant.

B.

Plaintiffs argue that the district court gave too much weight to Roberts v. Prill, No. E2013-02202-COA-R3-CV, 2014 WL 2921930 (Tenn. Ct. App. June 26, 2014), which is factually distinguishable because there were three errors in that HIPAA form, including that Roberts's counsel was the only person authorized to receive the records. However, the district court in the instant case simply cited Roberts to support that leaving blank the section in the HIPAA authorizations where Plaintiffs were to fill in the persons to whom each provider could disclose records "is more than a 'minor omission' because Defendants were not authorized to disclose records to one another." See Thurmond v. Mid-Cumberland Infectious Disease Consultants, PLC, 433 S.W.3d at 520 ⁹; Lawson v. Knoxville Dermatology Group, P.C., ___S.W.3d___; No. E201700077COAR3CV, 2017 WL 3268535, at *1, 3-4 (Tenn. Ct. App. Aug. 1, 2017), perm. app. denied (Tenn. Nov. 16, 2017) (holding that the plaintiffs did not substantially comply with HCLA's pre-suit notice requirement where their HIPAA authorizations omitted the "name or other specific identification of the person(s), or class of persons authorized to make the requested use or disclosure," as 45 C.F.R. § 164.508(c)(1)(ii) requires, noting, "Defendants are clearly prejudiced when unable, due to a form procedural error, to obtain medical records needed for their legal defense."). 2017 WL 3468535, at *1, 3-4.

9 In Thurmond, the Tennessee Supreme Court reversed the Tennessee Court of Appeals' dismissal of the plaintiff's complaint for failure to file with his complaint an affidavit of the party mailing the pre-suit notice establishing that the specified notice was timely mailed by certified mail, see HCLA § 29-26-121(a)(4), noting that "[t]he defendants did not allege that the lack of the affidavit resulted in prejudice. Instead, the defendants contended that the pre-suit notice statute demands strict compliance with all its requirements and that dismissal is the mandatory remedy for noncompliance." Thurmond held that "the statutory requirement of an affidavit of the person who sent pre-suit notice by certified mail may be satisfied by substantial compliance," and that the plaintiff substantially complied with the statute.

Plaintiffs further assert that Hargrow v. Shelby County, Tennessee, No. 13-2770, 2014 WL 3891651 (W.D. Tenn. Aug. 7, 2014), which held that there was substantial compliance with the HCLA, is on point. Appellants Br. 17. But as the district court observed, Hargrow is distinguishable because it involved only one medical provider. Although the plaintiff's HIPAA authorizations failed to provide the name and address of the provider releasing the records as well as the contact information for the intended recipient, the district court in Hargrow concluded that "those omissions did not prejudice CCS because CCS was the sole medical provider" and the plaintiff "provided CCS sufficient notice to obtain the medical records necessary for its defense." Id. at *6.

Plaintiffs next assert that Hamilton v. Abercrombie Radiological Consultants, Inc., 487 S.W.3d 114 (Tenn. Ct. App. 2014), perm. app. denied (Tenn. May 15, 2015), closely mirrors the facts here because the HIPAA authorizations in both cases had only "one blank field." Appellants Br. 18; Reply Br. 6-7. But the only omission in the HIPAA form in Hamilton was that it was missing the date on which the plaintiff signed it. Hamilton, 487 S.W.3d at 120. The Tennessee Court of Appeals held that the plaintiff substantially complied with the HCLA, emphasizing that the HIPAA form "allowed disclosure" to the defendants:

[D]espite the trial court's holding that Appellees were prejudiced by failure to obtain the medical records due to the non-compliant HIPAA release, no evidence was adduced to support this finding. In addition, here, as in Roberts, the decedent's medical records may, in fact, be held by the defendant, ARC, and may be accessible to Dr. Culhane by virtue of her employment with ARC. In Roberts, this Court rejected the argument that because the pertinent medical records were already in the defendants' possession, this fact should result in a holding excusing full compliance with the statutory requirements. However, in Roberts, the HIPAA release only permitted use or disclosure of the medical records to plaintiff's counsel. In the instant case, the medical release included no such limitation. While the release had an open date line, it allowed disclosure to the Appellees, which is a critical distinction between this case and Roberts.
We read the Roberts holding in light of the particular shortcomings in the Roberts HIPAA form, which, as discussed above, were more substantive and substantial than the omitted date on the HIPAA form in the instant case. The relatively minor omission on Appellant's HIPAA form, coupled with the lack of evidence that Appellees were prejudiced or otherwise denied access to medical records as a result of the missing date, leads us to conclude that the trial court applied the

Stevens holding too harshly in this case. While we concede that it is not good practice to omit any of the C.F.R. criteria from a HIPAA form, we conclude that the relatively minor shortcoming in the HIPAA form here is not fatal to the Appellant's cause of action. The Appellant substantially complied with § 29-26-121(a)(2)(E) because she provided Appellees sufficient notice to obtain the relevant medical records. Hargrow, 2014 WL 3891651, at *6 (citing Stevens, 418 S.W.3d at 555).

Hamilton, 487 S.W.3d at 122. We glean from these cases that substantial compliance requires that the noncomplying features of the authorization do not render it insufficient to authorize access and use of the records. The trial court did not err in concluding that the authorizations here did not permit that access and use.

C.

Plaintiffs' remaining arguments go to the question whether defendant-providers must show actual prejudice, i.e., must show that they were in fact denied access to medical records.

Plaintiffs first assert that the district court gave Stevens too much weight because, unlike in Stevens, Defendants here were not prejudiced by the omission in the HIPAA authorizations. Appellants Br. 12-15. Relying on Justice Wade's partial dissent in Stevens, Plaintiffs urge that the question should be whether the purpose of pre-suit notice requirements has been frustrated, that is, whether Defendants in fact were unable to procure the medical records to which they were entitled. See Stevens, 418 S.W.3d at 564 (Wade, C.J., dissenting in part). Justice Wade noted that the defendants "could easily have recognized the inadequacy of the medical authorization," and could have asked the plaintiff for a HIPAA compliant authorization, sought the court's assistance in ordering the plaintiff to provide medical records, or done nothing, "making no effort to obtain the authorization needed to fully investigate the claim and strategically lying in wait for the optimal moment to seek a dismissal." Id. By doing nothing, Justice Wade concluded, the defendants forfeited any claim of prejudice. Id. at 565.

To the extent that Plaintiffs argue that Defendants had a duty to notify them of deficiencies in the HIPAA authorizations, Stevens rejected that argument, 418 S.W.3d at 559, and the Tennessee Supreme Court again rejected that argument in an order denying an application for permission to appeal where the Plaintiff's HIPAA authorization form, as in the instant case, failed to comply with HCLA § 29-26-121(a)(2)(E):

We note that the medical authorization Mr. Vaughn provided to the defendants before filing his original complaint was not HIPAA compliant, as required by Tenn. Code Ann. § 29-26-121(a)(2)(E). Among the issues raised in his pending application in this Court, Mr. Vaughn asserts that "the Defendants had a duty to inform the Plaintiff of the defective HIPAA authorization so that a HIPAA-compliant authorization could be provided to allow the Defendants to obtain the Plaintiff's deceased wife's medical records[.]" We explicitly rejected the same argument in Stevens v . Hickman Community Health Care Services, Inc., 418 S.W.3d 547, 559 (Tenn. 2013), and our holding in Stevens therefore would be dispositive of this issue raised by Mr. Vaughn. Moreover, the resolution of that issue would pretermit the other issues raised in Mr. Vaughn's application for permission to appeal.

Vaughn v. Mt. States Health Alliance, No. E2012-01042-SC-R11-CV, 2014 Tenn. LEXIS 409 (Tenn. May 15, 2014).

Plaintiffs read Hamilton and Hughes v. Henry County Medical Center, No. W2014-01973-COA-R3-CV, 2015 WL 3562733 (Tenn. Ct. App. 2015), as supporting their view that defendant-providers must affirmatively show that they were denied access to medical records in order to establish prejudice.¹⁰ There is language in both cases suggesting as much. See Hamilton, 487 S.W.3d at 120 ("[T]here is no indication in the record that the Appellees were denied access to any medical records sought as a result of the HIPAA form provided by the Appellant."); Hughes, at *3 ("The touchstone of this [substantial-compliance] analysis is whether a party's procedural error resulted in actual prejudice to an opposing party."). However, these cases are distinguishable and must be read together with the other Tennessee cases.

10 See Appellants Br. 26-28; Reply Br. 8-11.

In Hamilton, where the only omission in the HIPAA authorization form was the signature date, the court reversed the trial court's dismissal of the plaintiffs' complaint, concluding that the trial court had interpreted Stevens too strictly and had improperly held that the defendant-providers were prejudiced by failure to obtain the medical records due to the absence of the signature date where there was no evidence to support that finding. 487 S.W.3d at 121-22. The Hamilton court quoted the well-established proposition from Stevens,

[b]ecause HIPAA itself prohibits medical providers from using or disclosing a plaintiff's medical records without a fully compliant authorization form, it is a threshold requirement of the statute that the plaintiff's medical authorization must be sufficient to enable defendants to obtain and review a plaintiff's relevant medical records. See 45 C.F.R. § 164.508(a)(1) ("a covered entity may not use or disclose protected health information without an authorization that is valid under this section".

Hamilton, 487 S.W.3d at 120 (quoting Stevens, 418 S.W.3d at 555). However, because of the nature of the deficit in Hamilton, the court was not prepared to assume that defendants were unable to obtain the records. In contrast, the authorizations here did not authorize Defendant to obtain and use the records.

The Tennessee Court of Appeals' recent decision in Lawson, ___S.W.3d___; 2017 WL 3268535, see supra n.8, involved an authorization that, unlike the Hamilton authorization, was not substantially compliant. In Lawson, the defendants, a dermatology practice and a certified physician's assistant employed by the practice, moved to dismiss the complaint for failure to comply with HCLA § 29-26-121(a)(2)(E) because the HIPAA authorizations omitted the "name or other specific identification of the person(s), or class of persons authorized to make the requested use or disclosure," see 45 C.F.R. § 164.508(c)(1)(ii). Lawson, 2017 WL 3468535, at *1, 3-4. The Tennessee Court of Appeals held that the plaintiffs had not substantially complied with the HCLA, noting that, "[b]ecause HIPAA itself prohibits medical providers from using or disclosing a plaintiff's medical records without a fully compliant authorization form, it is a threshold requirement of the statute that the plaintiff's medical authorization must be sufficient to enable defendants to obtain and review a plaintiff's relevant medical records." Lawson, id. at *4 (quoting Stevens, 418 S.W.3d at 555). The court in Lawson determined that the defendants were prejudiced by the inadequacy of the HIPAA authorizations because the defendants would not be allowed to obtain or use the plaintiff's medical records to mount a defense, Lawson, id. at *7, indicating that where the authorizations do not permit access and use, the defendant-providers need not affirmatively show that they sought and were denied medical records in order to establish prejudice, as Plaintiffs argue.

In Hughes, due to a clerical error, the relevant HIPAA authorization form did not permit the medical-center defendant to obtain the records of the physician provider. It was undisputed that the physician treated the decedent at the medical center's facility and had no records independent of the medical-center's records. The trial court refused to consider the absence of prejudice, concluding instead that the failure to substantially comply with HIPAA was conclusive. The Court of Appeals reviewed the cases sustaining and reversing dismissals for failure to provide adequate authorizations, rejected the trial court's refusal to consider the evident lack of prejudice, and emphasized Stevens' core holding that the statute

serves to equip defendants with the actual means to evaluate the substantive merits of a plaintiff's claim by enabling early access to a plaintiff's medical records. Because HIPAA itself prohibits medical providers from using or disclosing a plaintiff's medical records without a fully compliant authorization form, it is a threshold requirement of the statute that the plaintiff's medical authorization must be sufficient to enable defendants to obtain and review a plaintiff's relevant medical records.

The court concluded that the goals were clearly satisfied because the medical center had both notice and access to all the records, and "admittedly suffered no prejudice as a result of the medical authorization provided by Appellants." Hughes, 2015 WL 3562733 at *5. Hughes does indeed support that where there is no prejudice resulting from an authorization's failure to substantially comply with HIPAA, dismissal is improper.¹¹ It does not follow, however, that a provider given pre-suit authorizations that are inadequate to authorize access must affirmatively show that it had no other means of access where there is no showing that another means of access was in fact available.

11 This is consistent with the language in Hamilton raising the possibility that substantial compliance might be excused where the defendants have access to each other's records by virtue of their relationship, without regard to any HIPAA authorizations: "the decedent's medical records may, in fact, be held by the defendant ARC, and may be accessible to Dr. Culhane by virtue of her employment with ARC." 487 S.W.3d at 122.

Plaintiffs argue that the instant case is analogous to Hughes, asserting that Defendants were not prejudiced by Plaintiffs' failure to substantially comply with HIPAA's requirements because Defendants had access to the relevant records without need for HIPAA authorizations. Plaintiffs first asserted this argument in their motion to amend or alter judgment, attaching answers to interrogatories by Dr. Michael and Methodist, which they asserted showed that the three Defendants had full access to Riley's records prior to the filing of the suit. PID 354-57/Mo. to Alter or Amend J.; PID 373 # 20 (Dr. Michael's Answers to Interrogatories); PID 404-05 #19 (Methodist's Answers to Interrogatories). The district court determined that Plaintiffs' "new factual argument" was not properly before the court because Plaintiffs had failed to raise it in response to Defendants' motions, and Plaintiffs had received all of Defendants' interrogatory responses weeks before the court ruled on Defendants' motions, but failed to supplement the record or otherwise notify the district court of the new evidence. PID 479-80. Under the circumstances, it was well within the district court's discretion to decline to consider Plaintiff's new argument.

The district court also determined that "the interrogatory responses do not clearly establish that no Defendant suffered prejudice," noting that "Methodist may have had access to some of Mr. Riley's relevant records, but Methodist's interrogatory responses do not establish that it had access to any relevant records that might have been in the Semmes Murphey Defendants' possession." Defendants' answers to interrogatories reveal that Riley had visited Semmes Murphey Clinic both before and after his surgery at Methodist. Thus, Plaintiffs failed to adequately raise and establish that although the authorizations did not substantially comply with HIPAA, Defendants suffered no prejudice because they already had full access to the records.

C.

Plaintiffs' final argument is that this case "is essentially a one-provider case" because all alleged negligence occurred during Riley's hospitalization at Methodist after Dr. Michael performed the biopsy, and all records would be held by Methodist and accessible by Dr. Michael, as a healthcare provider who rendered care to Riley at Methodist. This argument is somewhat different from the one just addressed. Plaintiffs rely on Bray v. Khuri, 523 S.W.3d 619 (Tenn. 2017),¹² which was decided after the district court granted Defendants' motions and denied Plaintiffs' motion to alter or amend the judgment. But Bray is a statutory interpretation case, not a prejudice case. Bray held that the HIPAA authorization requirement applies only where more than one healthcare provider is given pre-suit notice. The Tennessee Supreme Court explained:

12 Appellants Br. 31-33; Reply Br. 11-12. --------

based on the clear and unambiguous language of section 29-26-121(a)(2)(E), a plaintiff need not provide a HIPAA-compliant authorization when a single healthcare provider is given pre-suit notice of a healthcare liability claim. The authorization only allows a potential defendant to obtain the prospective plaintiff's medical records from any other healthcare provider also given notice and identified as a potential defendant in the pre-suit notice. This authorization

requirement is consistent with section 29-26-121(d)(1), which specifies that all parties to a healthcare suit "shall be entitled to obtain complete copies of the claimant's medical records from any other provider receiving notice" and that the claimant complies with this requirement by providing a HIPAA-compliant medical authorization with pre-suit notice. Id. § 29-26-121(d)(1).

Bray, 523 S.W.3d at 622. Given that Plaintiffs sent pre-suit notice to three healthcare providers, Bray is inapposite.

IV.

We conclude that the district court committed no error in interpreting and applying Tennessee law and AFFIRM.

See http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/479.html.

Id. at *7. J.A.C. v. Methodist Healthcare, cited in Lawson, was decided after the district court granted Defendants' motions but before it denied Plaintiffs' motion to amend or alter the judgment.