NOT RECOMMENDED FOR PUBLICATION
File Name: 18a0228n.06
No. 17-5621
UNITED STATES COURT OF APPEALS
FOR THE SIXTH CIRCUIT
FILED
CHRISTOPHER RILEY; LYNN RILEY, ) May 02, 2018
) DEBORAH S. HUNT, Clerk
Plaintiffs-Appellants, )
)
v. ) ON APPEAL FROM THE
) UNITED STATES DISTRICT
METHODIST HEALTHCARE MEMPHIS ) COURT FOR THE WESTERN
HOSPITALS, aka Methodist University Hospital; ) DISTRICT OF TENNESSEE
SEMMES MURPHEY CLINIC, P.C.; L. )
MADISON MICHAEL; JOHN DOES 1–25, )
)
Defendants-Appellees.
BEFORE: BATCHELDER, SUTTON, and WHITE, Circuit Judges.
HELENE N. WHITE, Circuit Judge. In this diversity-jurisdiction case alleging
medical-malpractice claims, Plaintiffs appeal the district court’s grant of Defendants’ motions to
dismiss and for judgment on the pleadings, asserting that the district court erred 1) in
determining that Plaintiffs’ pre-suit notice letter did not substantially comply with § 29-26-
121(a)(2)(E) of Tennessee’s Health Care Liability Act (HCLA)1 and the core elements of the
Health Insurance Portability and Accountability Act (HIPAA), and 2) by failing to support its
finding that Defendants suffered prejudice as a result of any deficiencies in Plaintiffs’ HIPAA
authorization forms. We AFFIRM.
1
“In 2011, pursuant to the Tennessee Civil Justice Act of 2011, Tennessee Code Annotated sections 29–
26–115 through 122 and 202 of the Medical Malpractice Act were amended to replace the term ‘medical
malpractice’ with the term ‘health care liability.’ Tennessee Civil Justice Act of 2011, ch. 510 § 9, 2011
Tenn. Pub Acts 1505.” Ellithorpe v. Weismark, 479 S.W.3d 818, 824 n.6 (Tenn. 2015).
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.
I.
Plaintiffs Christopher and Lynn Riley (Mrs. Riley) are married. Plaintiffs’ complaint
alleges that Christopher Riley (Riley) was admitted to Defendant Methodist Healthcare Memphis
Hospitals (Methodist) on October 2, 2014; Defendant Dr. L. Madison Michael, a physician at
Semmes Murphey Clinic (Semmes Murphey) who practices at Methodist and supervised Riley’s
care at Methodist, performed a biopsy of a small mass on Riley’s pituitary gland; when
Dr. Michael discharged Riley on October 9, 2014, spinal fluid was visibly leaking from the
drilled opening in his skull; Dr. Michael and Methodist nursing staff were aware of the leak and
should not have discharged him; once home, Riley suffered an excruciating headache, Mrs. Riley
contacted Dr. Michael, and Dr. Michael advised that she simply apply pressure to the opening in
Riley’s skull; Riley became incoherent on October 12 and was re-admitted to Methodist’s
intensive care unit, having developed bacterial meningitis;2 Riley was discharged twelve days
later and received in-home care for two weeks. PID 4-5. Plaintiffs’ complaint alleges that Dr.
Michael was negligent in discharging Riley on October 9, 2014, while fluid was visibly draining
from his skull, that Semmes-Murphey is vicariously liable for Dr. Michael’s negligent acts, and
that Methodist is vicariously liable through its employees for their failure to take the requisite
steps to ensure that Riley was not discharged on that date, and for failing to keep adequate
records of Riley’s care and failing to document the drainage from his skull. PID 5. Plaintiffs
allege that as a result of this negligence, Riley contracted bacterial meningitis, had to be re-
admitted to the hospital, and required in-home care after his second discharge. PID 5. Plaintiffs
further allege that Riley continues to “experience negative impacts on his daily life, including but
2
According to the Centers for Disease Control and Prevention, “Bacterial meningitis is very serious and
can be deadly. Death can occur in as little as a few hours. Most people recover from meningitis.
However, permanent disabilities (such as brain damage, hearing loss, and learning disabilities) can result
from the infection.” https://www.cdc.gov/meningitis/bacterial.html.
2
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.
not limited to: headaches, a change in his personality, deficient memory, and other symptoms,”
and that his employment was negatively impacted. PID 8.
Pursuant to HCLA § 29-26-121(a)(1), which requires that pre-suit written notice be given
to each healthcare provider that will be a named defendant at least sixty days before a health-
care-liability action is filed, Plaintiffs sent a pre-suit notice letter to the three Defendants on
September 30, 2015. PID 13-23. Plaintiffs filed their complaint on January 28, 2016, alleging
negligence, gross negligence, and loss of consortium, and attached to their complaint the pre-suit
notice letter and two HIPAA authorization forms, one addressed to Methodist and the other to
Semmes Murphey. PID 24-27; see also PID 320/Dist. Ct. Op.
Methodist filed a motion to dismiss under Rule 12(b)(6), PID 50, in which Dr. Michael
and Semmes Murphey joined, arguing that Plaintiffs’ pre-suit notice was deficient in four ways:
1) it failed to enclose HIPAA-compliant authorizations allowing all providers “receiving the
notice to obtain complete medical records from each other provider being sent a notice,” as
required by HCLA § 29-26-121(a)(2)(E); 2) it failed to complete the portion of the HIPAA
authorization form that specifies who is entitled to receive the records from the provider as
required by 45 C.F.R. § 164.508(c)(1)(iii), and was thus not HIPAA compliant as required by
§ 29-16-121(a)(2)(E); 3) it failed to provide the address of the claimant authorizing notice as
required by § 29-26-121(a)(2)(B); and 4) it was served by mail only to Methodist’s agent for
service of process, and not also to Methodist’s current business address, as required by § 29-26-
121(a)(3)(B)(ii). PID 53, 55-66. Defendants argued that Plaintiffs demonstrated no
extraordinary cause to excuse compliance with the HCLA’s pre-suit notice requirements, PID
66-67, and that Plaintiffs’ claims were time barred under Tennessee’s one-year statute of
3
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.
limitations applicable to health-care-liability actions.3 PID 67-71. In response, Plaintiffs argued
that they substantially complied with HCLA § 29-26-121 and that Defendants had not shown
prejudice. PID 182-85; PID 138-51.
The district court concluded that the first two deficiencies prevented Plaintiffs’ pre-suit
notice from substantially complying with the HCLA, and that Defendants were prejudiced by
Plaintiffs’ noncompliance because they were prevented from lawfully disclosing Riley’s medical
records to one another. PID 335/Order Granting Defs. Mos. The district court dismissed
Plaintiffs’ complaint with prejudice after determining that Plaintiffs’ claims are time barred
because they accrued, at the latest, on October 12, 2014, when Riley was re-admitted to
Methodist, and the statute had not been extended by the faulty pre-suit notice. See supra n.3;
PID 335-37/Dist. Ct. Order Granting Defs. Mos., PID 339/J.
Plaintiffs moved to alter or amend the judgment under Fed. R. Civ. P. 59(e) or for relief
from judgment under Rule 60(b), asserting that they had substantially complied with § 29-26-
121(a)(2)(E) and that the district court erred by not considering whether Defendants suffered
prejudice as a result of the alleged deficiencies in the HIPAA authorization forms. PID 350-
54/Mo. to Alter or Amend J. The district court denied Plaintiffs’ motion and they appealed. PID
460-89/Order Denying Mo.
3
Actions for “injuries to the person” “shall be commenced within one (1) year after the cause of action
accrued.” Tenn. Code Ann. § 28-3-104(a)(1)(A).
Tolling is permitted under HCLA § 29-26-121:
(c) When notice is given to a provider as provided in this section, the applicable statutes
of limitations and repose shall be extended for a period of one hundred twenty (120) days
from the date of expiration of the statute of limitations and statute of repose applicable to
that provider . . . .
Tenn. Code Ann. § 29-26-121(c).
4
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.
II.
We review de novo a district court’s grant of a motion to dismiss under Rule 12(b)(6),
Buck v. Thomas M. Cooley Law School, 597 F.3d. 812, 816 (6th Cir. 2010), and a motion for
judgment on the pleadings under Rule 12(c), Fortney & Weygandt, Inc. v. Am. Mfrs. Mut. Ins.
Co., 595 F.3d 308, 310 (6th Cir. 2010).
Tennessee substantive law and federal procedural law apply in this diversity-jurisdiction
case. Shady Grove Orthopedic Assocs., P.A. v. Allstate Ins. Co., 559 U.S. 393, 417 (2010)
(Stevens, J., concurring in part and concurring in the judgment). When deciding issues of
substantive law, we apply the law of the state’s highest court. Saab Auto. AB v. Gen. Motors
Co., 770 F.3d 436, 440 (6th Cir. 2014). If the state’s highest court has not decided the applicable
law, we must ascertain the state law “‘from all relevant data,’ which includes the state’s appellate
court decisions.” Id. (quoting Garden City Osteopathic Hosp. v. HBE Corp., 55 F.3d 1126, 1130
(6th Cir. 1995)).
A.
HCLA § 29-26-121 provides in pertinent part:
(a)(1) Any person, or that person’s authorized agent, asserting a potential claim
for health care liability shall give written notice of the potential claim to each
health care provider that will be a named defendant at least sixty (60) days before
the filing of a complaint based upon health care liability in any court of this state.
(2) The notice shall include:
....
(E) A HIPAA compliant medical authorization permitting the provider
receiving the notice to obtain complete medical records from each
other provider being sent a notice.
....
(b) If a complaint is filed in any court alleging a claim for health care liability, the
pleadings shall state whether each party has complied with subsection (a) and
shall provide the documentation specified in subdivision (a)(2). The court may
require additional evidence of compliance to determine if the provisions of this
5
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.
section have been met. The court has discretion to excuse compliance with this
section only for extraordinary cause shown.
(d)(1) All parties in an action covered by this section shall be entitled to obtain
complete copies of the claimant’s medical records from any other provider
receiving notice. A party shall provide a copy of the specified portions of the
claimant’s medical records as of the date of the receipt of a legally authorized
written request for the records within thirty (30) days thereafter. The claimant
complies with this requirement by providing the providers with the authorized
HIPAA compliant medical authorization required to accompany the notice . . . .
Tenn. Code Ann. § 29-26-121(a)(2)(E), (b), & (d)(1).
The elements of HIPAA-compliant medical authorizations are set forth in 45 C.F.R.
§ 164.508, titled “Uses and disclosures for which an authorization is required:”
(a) Standard: Authorizations for uses and disclosures
(1) Authorization required: General rule. Except as otherwise permitted
or required by this subchapter, a covered entity may not use or disclose protected
health information without an authorization that is valid under this section. When
a covered entity obtains or receives a valid authorization for its use or disclosure
of protected health information, such use or disclosure must be consistent with
such authorization.
....
(b) Implementation specifications: general requirements—
....
(2) Defective authorizations. An authorization is not valid, if the
document submitted has any of the following defects:
....
(ii) The authorization has not been filled out completely, with
respect to an element described by paragraph (c) of this section, if
applicable;
....
(c) Implementation specifications: Core elements and requirements—
(1) Core elements. A valid authorization under this section must contain
at least the following elements:
(i) A description of the information to be used or disclosed that
identifies the information in a specific and meaningful fashion.
(ii) The name or other specific identification of the person(s), or
class of persons, authorized to make the requested use or disclosure.
6
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.
(iii) The name or other specific identification of the person(s), or
class of persons, to whom the covered entity may make the requested use
or disclosure.
....
45 C.F.R. § 164.508.
B.
Under Tennessee law, a plaintiff must substantially comply with the requirements of
HCLA § 29-26-121(a)(2)(E). Stevens v. Hickman Comm. Health Care Servs., Inc., 418 S.W.3d
547, 555 (Tenn. 2013) (“A plaintiff’s less-than-perfect compliance with [] § 29-26-121(a)(2)(E) .
. . should not derail a healthcare liability claim. Non-substantive errors and omissions will not
always prejudice defendants by preventing them from obtaining a plaintiff’s relevant medical
records.”); see also Thurmond v. Mid-Cumberland Infectious Disease Consultants, PLC, 433
S.W.3d 512, 519–20 (Tenn. 2014). “In determining whether a plaintiff has substantially
complied with a statutory requirement, a reviewing court should consider the extent and
significance of the plaintiff’s errors and omissions and whether the defendant was prejudiced by
the plaintiff’s noncompliance.” Stevens, 418 S.W.3d at 556; see also Arden v. Kozawa, 466
S.W.3d 758, 763 (Tenn. 2015); Thurmond, 433 S.W.3d at 513–14.
The Tennessee Supreme Court in Stevens emphasized that “it is a threshold requirement
of [HCLA § 29-26-121(a)(2)(E)] that the plaintiff’s medical authorization must be sufficient to
enable defendants to obtain and review a plaintiff’s relevant medical records.” 418 S.W.3d at
555 (emphasis added).
[T]he purpose of Tenn. Code Ann. § 29-26-121(a)(2)(E) is not to provide
defendants with notice of a potential claim. Instead Tenn. Code Ann. § 29-26-
121(a)(2)(E) serves to equip defendants with the actual means to evaluate the
substantive merits of a plaintiff’s claim by enabling early access to a plaintiff’s
medical records. Because HIPAA itself prohibits medical providers from using or
disclosing a plaintiff’s medical records without a fully compliant authorization
form, it is a threshold requirement of the statute that the plaintiff’s medical
7
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.
authorization must be sufficient to enable defendants to obtain and review a
plaintiff’s medical records. See 45 C.F.R. § 164.508(a)(1) (“a covered entity may
not use or disclose protected health information without an authorization that is
valid under this section”). Tenn. Code Ann. § 29-26-121(d)(1) creates a statutory
entitlement to the records governed by § 29-26-121(a)(2)(E). See Tenn. Code
Ann. § 29-26-121(d)(1) (“All parties in an action covered by this section shall be
entitled to obtain complete copies of the claimant’s medical records from any
other provider receiving notice . . .”).
Stevens, 418 S.W.3d at 555 (emphasis in original, footnote omitted). The Tennessee Supreme
Court clarified in Thurmond:
[W]e held [in Stevens] that “[n]on-substantive errors and omissions” and “[a]
plaintiff’s less-than-perfect compliance” with [subsection] 29-26-121(a)(2)(E)
will “not derail a healthcare liability claim” so long as the medical authorization
provided is “sufficient to enable defendants to obtain and review a plaintiff’s
relevant medical records.” Id. [Stevens, 418 S.W.3d at 555.]
Thurmond, 433 S.W.3d at 519–20 (emphasis added).
III. WHETHER PLAINTIFFS’ HIPAA AUTHORIZATIONS SUBSTANTIALLY
COMPLIED WITH HCLA § 29-26-121(a)(2)(E) and CORE HIPAA ELEMENTS
Plaintiffs assert that their pre-suit notice substantially complied with the core elements of
HIPAA, see C.F.R. § 164.508(c)(1) quoted supra at 6-7, and therefore with HCLA § 29-26-
121(a)(2)(E).
Plaintiffs attached to their pre-suit notice letter two HIPAA authorizations, one addressed
to Semmes Murphey and the other to Methodist; Plaintiffs failed to include a separate form for
Dr. Michael. The HIPAA authorizations attached to Plaintiffs’ pre-suit notice letter are titled
“HIPAA Compliant Authorization for the Release of Patient Information Pursuant to 45 C.F.R.
§ 164.508,” and left blank the four lines in the section that provides:
8
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.
You are authorized to release the above records to the following representatives in
the above-entitled matter who have agreed to pay reasonable charges made by you
to supply copies of such records:
__________________________________________________________________
Name of Representative
Representative Capacity (e.g., attorney, records requestor, agent, etc.)
Street Address
City, State and Zip Code
See PID 125, 27.4
A.
Citing the order denying their motion to amend or alter the judgment, PID 460, Plaintiffs
assert that the district court “was confused as to the blanks” in their HIPAA authorizations and
“believed that the HIPAA release did not allow the co-defendants to obtain the records of the
others,” when, in fact, the blank in the HIPAA release “was for the person receiving the notice to
complete with his or her own authorized representative, not the information of any other
Defendant.” Appellants Br. 19-20. However, the district court was not confused; it observed
that Plaintiffs left blank the sections where they “were to list the persons to whom each provider
could disclose Mr. Riley’s records.” See C.F.R. § 145.608(c)(1)(iii) (“The name or other specific
4
Plaintiffs’ counsel explained that he left this section blank:
in order for the medical providers to be able to send the same to the specified member of
their entity they wished. The Plaintiffs could have no way of knowing the identity of the
exact person to whom the Defendants wished the records be disclosed. In an effort to be
as accommodating as possible and to ensure that the Defendants could each obtain the
relevant records and have them sent to whomever they wished, the Plaintiffs allowed the
Defendants to complete the recipient section themselves. This gives credence to the
proverb that no good deed goes unpunished. Had the Plaintiffs completed the form to
include the name of a specific person within the Defendant’s organization, given their
current complaints, it is all but certain that the Defendant would have argued that the
Plaintiffs had handcuffed them by entering the “incorrect” person’s name and would have
then sough[t] dismissal on that ground. This is a “catch-22” situation in all its glory.
PID 144/Pls. Mem. in Opp. to Def. Methodist’s Mo. to Dismiss; see also Appellants Br. 10.
9
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.
identification of the person(s), or class of persons, to whom the covered entity may make the
requested use or disclosure.”); PID 467/Order Denying Pls. Mo. to Alter or Amend J. Plaintiffs’
argument goes to the purported reasons they sent partially completed HIPAA authorizations, not
whether the authorizations substantially complied with the statutory requirement.
Plaintiffs also assert that the pre-suit notice letter accompanying the HIPAA
authorizations narrowed the HIPAA release “by allowing the respective Defendants to provide
the information as to whom in their organizations were to receive Plaintiff’s medical records.”
Appellants Br. 24-25. According to Plaintiffs, the district court “seems to have incorrectly
concluded that the letter served to expand the HIPAA release when it, in fact, served to narrow it,
as allowed.” Id. at 25. We surmise that Plaintiffs are referring to the language advising
Defendants that HIPAA authorizations are attached and explaining their purpose5; but Plaintiffs
point to no particular language in the pre-suit notice letter to support this argument. Rather,
Plaintiffs assert that the HIPAA authorizations
did not need to be expanded, for anyone whose name was included by the
Defendant organization could have theoretically received the records. The
HIPAA release was as expansive as it could have possibly been . . . . What the
HIPAA needed was the specific information as to the actual recipient of the
medical records within or on behalf of the Defendant organization: in other
words, a narrowing of the release.[6]
5
Plaintiffs’ pre-suit notice letter states in pertinent part:
E. A HIPAA-compliant Medical Authorization permitting the provider receiving the
notice to obtain complete medical records from each of the other providers being sent
notice is enclosed . . . .
....
As required by Tennessee Code Annotated § 29-26-121, Mr. Riley has executed a
HIPAA-compliant medical authorization (enclosed herein) that authorizes you to obtain
Mr. Riley’s complete medical records . . . .
PID 21-22.
6
Appellants Br. 25. Plaintiffs rely on a “frequently asked question” regarding HIPAA on HHS’s website:
10
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.
As explained in its order denying Plaintiffs’ motion to alter or amend the judgment, the
district court did not incorrectly conclude that Plaintiffs’ notice letter served to expand the
HIPAA releases:
In the Dismissal Order, the Court addressed Plaintiffs’ argument that, according
to guidance provided by HHS’s website, cover letters can supplement HIPAA
authorizations for purposes of permitting provider-defendants to share a patient’s
medical records with one another. (ECF No. 55 at PageID 329-30.) Assuming
without deciding that the HHS website’s guidance was legal authority the Court
could consider in its substantial-compliance determination under § 29-26-
121(a)(2)(E), the Court noted that the HHS webpage instructed that cover letters
can be used only to narrow a request, not to expand it. The Court noted that a
Tennessee court had opined that a cover letter may be used to cure a blank portion
of a HIPAA authorization form only if the letter explicitly authorizes the
defendant to make any additions or changes to the authorization. (Id. (citing Bray
[v. Khuri, No. W2015-00397-COA-R3-CV, 2015 WL 7775316, at *4 (Tenn. Ct.
App. Dec. 3, 2015), rev’d on other grounds 523 S.W.3d 619 (Tenn. 2017)[7]]).
The Court concluded that Plaintiffs’ notice letter did not give Defendants explicit
authority to make additions or changes to Plaintiffs’ HIPAA Authorizations.
(Id.).
Plaintiffs argue that, by leaving blank the portion of the HIPAA Authorizations
designating to whom each Defendant could release Mr. Riley’s records, the
permission to release conferred by the Authorizations was maximally expansive,
and the cover letter narrowed that permission to each of the three Defendants.
(ECF No. 57-1 at PageID 359.) That argument assumes that the Authorizations
Can an authorization be used together with other written instructions from the intended
recipient of the information?
Answer: A transmittal or cover letter can be used to narrow or provide specifics about a
request for protected health information as described in an Authorization, but it cannot
expand the scope of the Authorization.
For example, if an individual has authorized the disclosure of “all medical records” to an
insurance company, the insurance company could by cover letter narrow the request to
the medical records for the last 12 months. The cover letter could also specify a
particular employee or address for the “class of persons” designated in the Authorization
to receive the information. By contrast, an insurance company could not by cover letter
extend the expiration date of an Authorization, or expand the scope of information set
forth in the Authorization.
See http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/479.html.
7
In reversing the Tennessee Court of Appeals, the Tennessee Supreme Court did not mention the Court of
Appeals’s discussion of whether the plaintiffs’ notice letter gave the defendants authority to make
additions or changes to the plaintiffs’ HIPAA authorizations. See Bray v. Khuri, 523 S.W.3d 619, 621
(Tenn. 2017).
11
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.
were actually HIPAA-compliant and permitted each Defendant to share Mr.
Riley’s records with anyone it wished. As discussed above, however, because of
the omissions in the Authorizations, Defendants were permitted to disclose the
records to no one. Plaintiffs cite no authority that a cover letter can make a
noncompliant HIPAA authorization compliant. Because a cover letter can only
narrow a request, not expand it, it could not make Plaintiffs’ noncompliant
HIPAA Authorizations compliant.
In construing § 29-26-121(a)(2)(E), the Tennessee Supreme Court has recognized
that the “penalties imposed upon covered entities that wrongfully disclose or
obtain private health information in violation of HIPAA are . . . extremely
severe.” Stevens, 418 S.W.3d at 555 n.6. As the Dismissal Order recognized,
Tennessee law protects provider-defendants by sparing them the risk inherent in
testing the sufficiency of a HIPAA authorization and by placing the burden of
satisfying the THCLA’s pre-suit notice requirements on plaintiffs. (ECF No. 55
at PageID 332, 334 (citing Stevens, 418 S.W.3d at 559).)
Plaintiffs’ arguments that the Court misapplied HHS guidance or otherwise gave
too little weight to language in the cover letter in its substantial-compliance
determination are not well taken.
PID 474-76/Order Denying Pls. Mo. to Amend or Alter J. (emphasis in original).8
Thus, we find no error in the district court’s conclusion that the cover letter did not render
the incomplete HIPAA authorization forms compliant.
8
We note that the district court’s reasoning is supported by Lawson v. Knoxville Dermatology Group,
P.C., __S.W.3d __; No. E201700077COAR3CV, 2017 WL 3268535 (Tenn. Ct. App. Aug. 1, 2017),
perm. app. denied (Tenn. Nov. 16, 2017), which was decided during the pendency of this appeal and is
discussed infra at 17-18. In Lawson, the Tennessee Court of Appeals rejected the plaintiffs’ argument
that the list of health care providers attached to their pre-suit notice could supplement their HIPAA
authorization to satisfy a core element of HIPAA, specifically, 45 C.F.R. § 164.508(c)(1)(ii):
[T]he Code of Federal Regulations, with certain exceptions not applicable here,
specifically prohibits compound authorizations. See 45 C.F.R. § 164.508(b)(3) (“An
authorization for use or disclosure of protected health information may not be combined
with any other document to create a compound authorization . . . .”). This Court has
previously “rejected the Plaintiffs’ contention that the authorization forms were sufficient
when considered alongside the pre-suit notice letters that accompanied the forms.”
See J.A.C. v. Methodist Healthcare Memphis Hosps., No. W2016-00024-COA-R3-CV,
__ S.W.3d __, 2016 WL 6493229, at *8 (Nov. 2, 2016), perm. app. denied (Tenn. Mar. 9,
2017). Therefore, the Lawsons could not combine their attached list of health care
providers with the medical authorization in order to achieve substantial compliance.
Id. at *7. J.A.C. v. Methodist Healthcare, cited in Lawson, was decided after the district court granted
Defendants’ motions but before it denied Plaintiffs’ motion to amend or alter the judgment.
12
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.
B.
Plaintiffs argue that the district court gave too much weight to Roberts v. Prill, No.
E2013-02202-COA-R3-CV, 2014 WL 2921930 (Tenn. Ct. App. June 26, 2014), which is
factually distinguishable because there were three errors in that HIPAA form, including that
Roberts’s counsel was the only person authorized to receive the records. However, the district
court in the instant case simply cited Roberts to support that leaving blank the section in the
HIPAA authorizations where Plaintiffs were to fill in the persons to whom each provider could
disclose records “is more than a ‘minor omission’ because Defendants were not authorized to
disclose records to one another.” See Thurmond v. Mid–Cumberland Infectious Disease
Consultants, PLC, 433 S.W.3d at 5209; Lawson v. Knoxville Dermatology Group, P.C.,
__S.W.3d__; No. E201700077COAR3CV, 2017 WL 3268535, at *1, 3–4 (Tenn. Ct. App. Aug.
1, 2017), perm. app. denied (Tenn. Nov. 16, 2017) (holding that the plaintiffs did not
substantially comply with HCLA’s pre-suit notice requirement where their HIPAA
authorizations omitted the “name or other specific identification of the person(s), or class of
persons authorized to make the requested use or disclosure,” as 45 C.F.R. § 164.508(c)(1)(ii)
requires, noting, “Defendants are clearly prejudiced when unable, due to a form procedural error,
to obtain medical records needed for their legal defense.”). 2017 WL 3468535, at *1, 3–4.
Plaintiffs further assert that Hargrow v. Shelby County, Tennessee, No. 13-2770, 2014
WL 3891651 (W.D. Tenn. Aug. 7, 2014), which held that there was substantial compliance with
9
In Thurmond, the Tennessee Supreme Court reversed the Tennessee Court of Appeals’ dismissal of the
plaintiff’s complaint for failure to file with his complaint an affidavit of the party mailing the pre-suit
notice establishing that the specified notice was timely mailed by certified mail, see HCLA § 29-26-
121(a)(4), noting that “[t]he defendants did not allege that the lack of the affidavit resulted in prejudice.
Instead, the defendants contended that the pre-suit notice statute demands strict compliance with all its
requirements and that dismissal is the mandatory remedy for noncompliance.” Thurmond held that “the
statutory requirement of an affidavit of the person who sent pre-suit notice by certified mail may be
satisfied by substantial compliance,” and that the plaintiff substantially complied with the statute.
13
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.
the HCLA, is on point. Appellants Br. 17. But as the district court observed, Hargrow is
distinguishable because it involved only one medical provider. Although the plaintiff’s HIPAA
authorizations failed to provide the name and address of the provider releasing the records as
well as the contact information for the intended recipient, the district court in Hargrow
concluded that “those omissions did not prejudice CCS because CCS was the sole medical
provider” and the plaintiff “provided CCS sufficient notice to obtain the medical records
necessary for its defense.” Id. at *6.
Plaintiffs next assert that Hamilton v. Abercrombie Radiological Consultants, Inc.,
487 S.W.3d 114 (Tenn. Ct. App. 2014), perm. app. denied (Tenn. May 15, 2015), closely mirrors
the facts here because the HIPAA authorizations in both cases had only “one blank field.”
Appellants Br. 18; Reply Br. 6-7. But the only omission in the HIPAA form in Hamilton was
that it was missing the date on which the plaintiff signed it. Hamilton, 487 S.W.3d at 120. The
Tennessee Court of Appeals held that the plaintiff substantially complied with the HCLA,
emphasizing that the HIPAA form “allowed disclosure” to the defendants:
[D]espite the trial court’s holding that Appellees were prejudiced by failure to
obtain the medical records due to the non-compliant HIPAA release, no evidence
was adduced to support this finding. In addition, here, as in Roberts, the
decedent’s medical records may, in fact, be held by the defendant, ARC, and may
be accessible to Dr. Culhane by virtue of her employment with ARC. In Roberts,
this Court rejected the argument that because the pertinent medical records were
already in the defendants’ possession, this fact should result in a holding excusing
full compliance with the statutory requirements. However, in Roberts, the
HIPAA release only permitted use or disclosure of the medical records to
plaintiff’s counsel. In the instant case, the medical release included no such
limitation. While the release had an open date line, it allowed disclosure to the
Appellees, which is a critical distinction between this case and Roberts.
We read the Roberts holding in light of the particular shortcomings in the Roberts
HIPAA form, which, as discussed above, were more substantive and substantial
than the omitted date on the HIPAA form in the instant case. The relatively minor
omission on Appellant’s HIPAA form, coupled with the lack of evidence that
Appellees were prejudiced or otherwise denied access to medical records as a
result of the missing date, leads us to conclude that the trial court applied the
14
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.
Stevens holding too harshly in this case. While we concede that it is not good
practice to omit any of the C.F.R. criteria from a HIPAA form, we conclude that
the relatively minor shortcoming in the HIPAA form here is not fatal to the
Appellant’s cause of action. The Appellant substantially complied with § 29-26-
121(a)(2)(E) because she provided Appellees sufficient notice to obtain the
relevant medical records. Hargrow, 2014 WL 3891651, at *6 (citing Stevens, 418
S.W.3d at 555).
Hamilton, 487 S.W.3d at 122. We glean from these cases that substantial compliance requires
that the noncomplying features of the authorization do not render it insufficient to authorize
access and use of the records. The trial court did not err in concluding that the authorizations
here did not permit that access and use.
C.
Plaintiffs’ remaining arguments go to the question whether defendant-providers must
show actual prejudice, i.e., must show that they were in fact denied access to medical records.
Plaintiffs first assert that the district court gave Stevens too much weight because, unlike
in Stevens, Defendants here were not prejudiced by the omission in the HIPAA authorizations.
Appellants Br. 12-15. Relying on Justice Wade’s partial dissent in Stevens, Plaintiffs urge that
the question should be whether the purpose of pre-suit notice requirements has been frustrated,
that is, whether Defendants in fact were unable to procure the medical records to which they
were entitled. See Stevens, 418 S.W.3d at 564 (Wade, C.J., dissenting in part). Justice Wade
noted that the defendants “could easily have recognized the inadequacy of the medical
authorization,” and could have asked the plaintiff for a HIPAA compliant authorization, sought
the court’s assistance in ordering the plaintiff to provide medical records, or done nothing,
“making no effort to obtain the authorization needed to fully investigate the claim and
strategically lying in wait for the optimal moment to seek a dismissal.” Id. By doing nothing,
Justice Wade concluded, the defendants forfeited any claim of prejudice. Id. at 565.
15
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.
To the extent that Plaintiffs argue that Defendants had a duty to notify them of
deficiencies in the HIPAA authorizations, Stevens rejected that argument, 418 S.W.3d at 559,
and the Tennessee Supreme Court again rejected that argument in an order denying an
application for permission to appeal where the Plaintiff’s HIPAA authorization form, as in the
instant case, failed to comply with HCLA § 29-26-121(a)(2)(E):
We note that the medical authorization Mr. Vaughn provided to the defendants
before filing his original complaint was not HIPAA compliant, as required by
Tenn. Code Ann. § 29-26-121(a)(2)(E). Among the issues raised in his pending
application in this Court, Mr. Vaughn asserts that “the Defendants had a duty to
inform the Plaintiff of the defective HIPAA authorization so that a HIPAA-
compliant authorization could be provided to allow the Defendants to obtain the
Plaintiff’s deceased wife’s medical records[.]” We explicitly rejected the same
argument in Stevens v. Hickman Community Health Care Services, Inc.,
418 S.W.3d 547, 559 (Tenn. 2013), and our holding in Stevens therefore would be
dispositive of this issue raised by Mr. Vaughn. Moreover, the resolution of that
issue would pretermit the other issues raised in Mr. Vaughn’s application for
permission to appeal.
Vaughn v. Mt. States Health Alliance, No. E2012-01042-SC-R11-CV, 2014 Tenn. LEXIS 409
(Tenn. May 15, 2014).
Plaintiffs read Hamilton and Hughes v. Henry County Medical Center, No. W2014-
01973-COA-R3-CV, 2015 WL 3562733 (Tenn. Ct. App. 2015), as supporting their view that
defendant-providers must affirmatively show that they were denied access to medical records in
order to establish prejudice.10 There is language in both cases suggesting as much. See
Hamilton, 487 S.W.3d at 120 (“[T]here is no indication in the record that the Appellees were
denied access to any medical records sought as a result of the HIPAA form provided by the
Appellant.”); Hughes, at *3 (“The touchstone of this [substantial-compliance] analysis is whether
a party’s procedural error resulted in actual prejudice to an opposing party.”). However, these
cases are distinguishable and must be read together with the other Tennessee cases.
10
See Appellants Br. 26-28; Reply Br. 8-11.
16
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.
In Hamilton, where the only omission in the HIPAA authorization form was the signature
date, the court reversed the trial court’s dismissal of the plaintiffs’ complaint, concluding that the
trial court had interpreted Stevens too strictly and had improperly held that the defendant-
providers were prejudiced by failure to obtain the medical records due to the absence of the
signature date where there was no evidence to support that finding. 487 S.W.3d at 121–22. The
Hamilton court quoted the well-established proposition from Stevens,
[b]ecause HIPAA itself prohibits medical providers from using or disclosing a
plaintiff’s medical records without a fully compliant authorization form, it is a
threshold requirement of the statute that the plaintiff’s medical authorization must
be sufficient to enable defendants to obtain and review a plaintiff’s relevant
medical records. See 45 C.F.R. § 164.508(a)(1) (“a covered entity may not use or
disclose protected health information without an authorization that is valid under
this section”.
Hamilton, 487 S.W.3d at 120 (quoting Stevens, 418 S.W.3d at 555). However, because of the
nature of the deficit in Hamilton, the court was not prepared to assume that defendants were
unable to obtain the records. In contrast, the authorizations here did not authorize Defendant to
obtain and use the records.
The Tennessee Court of Appeals’ recent decision in Lawson, __S.W.3d__; 2017 WL
3268535, see supra n.8, involved an authorization that, unlike the Hamilton authorization, was
not substantially compliant. In Lawson, the defendants, a dermatology practice and a certified
physician’s assistant employed by the practice, moved to dismiss the complaint for failure to
comply with HCLA § 29-26-121(a)(2)(E) because the HIPAA authorizations omitted the “name
or other specific identification of the person(s), or class of persons authorized to make the
requested use or disclosure,” see 45 C.F.R. § 164.508(c)(1)(ii). Lawson, 2017 WL 3468535, at
*1, 3–4. The Tennessee Court of Appeals held that the plaintiffs had not substantially complied
with the HCLA, noting that, “[b]ecause HIPAA itself prohibits medical providers from using or
17
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.
disclosing a plaintiff’s medical records without a fully compliant authorization form, it is a
threshold requirement of the statute that the plaintiff’s medical authorization must be sufficient
to enable defendants to obtain and review a plaintiff’s relevant medical records.” Lawson, id. at
*4 (quoting Stevens, 418 S.W.3d at 555). The court in Lawson determined that the defendants
were prejudiced by the inadequacy of the HIPAA authorizations because the defendants would
not be allowed to obtain or use the plaintiff’s medical records to mount a defense, Lawson, id. at
*7, indicating that where the authorizations do not permit access and use, the defendant-
providers need not affirmatively show that they sought and were denied medical records in order
to establish prejudice, as Plaintiffs argue.
In Hughes, due to a clerical error, the relevant HIPAA authorization form did not permit
the medical-center defendant to obtain the records of the physician provider. It was undisputed
that the physician treated the decedent at the medical center’s facility and had no records
independent of the medical-center’s records. The trial court refused to consider the absence of
prejudice, concluding instead that the failure to substantially comply with HIPAA was
conclusive. The Court of Appeals reviewed the cases sustaining and reversing dismissals for
failure to provide adequate authorizations, rejected the trial court’s refusal to consider the evident
lack of prejudice, and emphasized Stevens’ core holding that the statute
serves to equip defendants with the actual means to evaluate the substantive
merits of a plaintiff’s claim by enabling early access to a plaintiff’s medical
records. Because HIPAA itself prohibits medical providers from using or
disclosing a plaintiff's medical records without a fully compliant authorization
form, it is a threshold requirement of the statute that the plaintiff's medical
authorization must be sufficient to enable defendants to obtain and review a
plaintiff's relevant medical records.
The court concluded that the goals were clearly satisfied because the medical center had both
notice and access to all the records, and “admittedly suffered no prejudice as a result of the
18
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.
medical authorization provided by Appellants.” Hughes, 2015 WL 3562733 at *5. Hughes does
indeed support that where there is no prejudice resulting from an authorization’s failure to
substantially comply with HIPAA, dismissal is improper.11 It does not follow, however, that a
provider given pre-suit authorizations that are inadequate to authorize access must affirmatively
show that it had no other means of access where there is no showing that another means of
access was in fact available.
Plaintiffs argue that the instant case is analogous to Hughes, asserting that Defendants
were not prejudiced by Plaintiffs’ failure to substantially comply with HIPAA’s requirements
because Defendants had access to the relevant records without need for HIPAA authorizations.
Plaintiffs first asserted this argument in their motion to amend or alter judgment, attaching
answers to interrogatories by Dr. Michael and Methodist, which they asserted showed that the
three Defendants had full access to Riley’s records prior to the filing of the suit. PID 354-
57/Mo. to Alter or Amend J.; PID 373 # 20 (Dr. Michael’s Answers to Interrogatories); PID 404-
05 #19 (Methodist’s Answers to Interrogatories). The district court determined that Plaintiffs’
“new factual argument” was not properly before the court because Plaintiffs had failed to raise it
in response to Defendants’ motions, and Plaintiffs had received all of Defendants’ interrogatory
responses weeks before the court ruled on Defendants’ motions, but failed to supplement the
record or otherwise notify the district court of the new evidence. PID 479-80. Under the
circumstances, it was well within the district court’s discretion to decline to consider Plaintiff’s
new argument.
11
This is consistent with the language in Hamilton raising the possibility that substantial compliance
might be excused where the defendants have access to each other’s records by virtue of their relationship,
without regard to any HIPAA authorizations: “the decedent’s medical records may, in fact, be held by the
defendant ARC, and may be accessible to Dr. Culhane by virtue of her employment with ARC.” 487
S.W.3d at 122.
19
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.
The district court also determined that “the interrogatory responses do not clearly
establish that no Defendant suffered prejudice,” noting that “Methodist may have had access to
some of Mr. Riley’s relevant records, but Methodist’s interrogatory responses do not establish
that it had access to any relevant records that might have been in the Semmes Murphey
Defendants’ possession.” Defendants’ answers to interrogatories reveal that Riley had visited
Semmes Murphey Clinic both before and after his surgery at Methodist. Thus, Plaintiffs failed
to adequately raise and establish that although the authorizations did not substantially comply
with HIPAA, Defendants suffered no prejudice because they already had full access to the
records.
C.
Plaintiffs’ final argument is that this case “is essentially a one-provider case” because all
alleged negligence occurred during Riley’s hospitalization at Methodist after Dr. Michael
performed the biopsy, and all records would be held by Methodist and accessible by Dr. Michael,
as a healthcare provider who rendered care to Riley at Methodist. This argument is somewhat
different from the one just addressed. Plaintiffs rely on Bray v. Khuri, 523 S.W.3d 619 (Tenn.
2017),12 which was decided after the district court granted Defendants’ motions and denied
Plaintiffs’ motion to alter or amend the judgment. But Bray is a statutory interpretation case, not
a prejudice case. Bray held that the HIPAA authorization requirement applies only where more
than one healthcare provider is given pre-suit notice. The Tennessee Supreme Court explained:
based on the clear and unambiguous language of section 29-26-121(a)(2)(E), a
plaintiff need not provide a HIPAA-compliant authorization when a single
healthcare provider is given pre-suit notice of a healthcare liability claim. The
authorization only allows a potential defendant to obtain the prospective
plaintiff’s medical records from any other healthcare provider also given notice
and identified as a potential defendant in the pre-suit notice. This authorization
12
Appellants Br. 31-33; Reply Br. 11-12.
20
No. 17-5621, Riley v. Methodist Healthcare Memphis Hospitals et al.
requirement is consistent with section 29-26-121(d)(1), which specifies that all
parties to a healthcare suit “shall be entitled to obtain complete copies of the
claimant’s medical records from any other provider receiving notice” and that the
claimant complies with this requirement by providing a HIPAA-compliant
medical authorization with pre-suit notice. Id. § 29-26-121(d)(1).
Bray, 523 S.W.3d at 622. Given that Plaintiffs sent pre-suit notice to three healthcare providers,
Bray is inapposite.
IV.
We conclude that the district court committed no error in interpreting and applying
Tennessee law and AFFIRM.
21