Mary Wenzler v. Dr. Xiao Yu

11/20/2018 IN THE COURT OF APPEALS OF TENNESSEE AT JACKSON October 9, 2018 Session MARY WENZLER v. DR. XIAO YU, ET AL. Appeal from the Circuit Court for Shelby County No. CT-003652-17 Mary L. Wagner, Judge ___________________________________ No. W2018-00369-COA-R3-CV ___________________________________ This is a health care liability case filed against a dentist and the dental practice that employed him. Before filing the complaint, the plaintiff gave written notice to the two potential defendants of her health care liability claims against them. Tennessee Code Annotated section 29-26-121(a)(2)(E) requires that a plaintiff’s pre-suit notice include a HIPAA compliant medical authorization permitting the health care provider receiving the notice to obtain complete medical records from every other provider that is being sent a notice. After the plaintiff filed suit, the defendants moved to dismiss the complaint based on noncompliance with the statute, as the defendants alleged that the HIPAA authorizations provided by the plaintiff did not contain all of the required information and were therefore invalid. After a hearing, the trial court granted the motion to dismiss, concluding that the authorizations provided by the plaintiff were not HIPAA compliant and therefore the plaintiff did not substantially comply with the statute. The plaintiff appeals. We affirm in part, reverse in part, and remand for further proceedings. Tenn. R. App. P. 3 Appeal as of Right; Judgment of the Circuit Court Affirmed in Part, Reversed in Part, and Remanded BRANDON O. GIBSON, J., delivered the opinion of the court, in which J. STEVEN STAFFORD, P.J., W.S., and ARNOLD B. GOLDIN, J., joined. Kathleen L. Caldwell, Memphis, Tennessee, for the appellant, Mary Wenzler. Laura L. Deakins, Memphis, Tennessee, and Lucas A. Davidson, Nashville, Tennessee, for the appellees, Xiao Yu, and American Family Dentistry of Memphis, PC. OPINION I. FACTS & PROCEDURAL HISTORY On June 8, 2017, Plaintiff Mary Wenzler sent pre-suit notice letters to two potential defendants – Dr. Xiao Yu and American Family Dentistry of Memphis, PC – notifying them of potential health care liability claims arising out of their care and treatment of Mrs. Wenzler on June 13, 2016. The pre-suit notice letters stated that Plaintiff was attaching HIPAA compliant medical authorizations authorizing each potential defendant to obtain complete medical records relating to her care and treatment from the other medical provider receiving the notice.1 According to federal regulations, a HIPAA compliant authorization must, at a minimum, contain six “core elements,” including, (iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure. 45 C.F.R. § 164.508(c)(1). The HIPAA authorizations sent by Plaintiff mentioned that the information would be used for litigation but did not identify any particular person or class of persons to whom the covered entities could make the use or disclosure. Plaintiff filed her complaint for health care liability on September 1, 2017, and named as defendants Dr. Xiao Yu and American Family Dentistry of Memphis, PC.2 The defendants filed a motion to dismiss on October 2, 2017, asserting that Plaintiff failed to provide HIPAA compliant medical authorizations with her pre-suit notice letters as required by Tennessee Code Annotated section 29-26-121(a)(2)(E). Specifically, the defendants noted that the authorization forms failed to identify the person or entity that was authorized to receive the disclosure pursuant to the release. Based on this defect, the defendants argued that Plaintiff could not take advantage of the 120-day statutory extension to the statute of limitations provided by Tennessee Code Annotated section 29- 26-121(c), and as a result, her complaint was time-barred.3 1 “HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104–191, 110 Stat. 1936 (codified as amended in scattered sections of 18 U.S.C., 26 U.S.C., 29 U.S.C., 42 U.S.C.).” Runions v. Jackson-Madison Cnty. Gen. Hosp. Dist., 549 S.W.3d 77, 80 n.3 (Tenn. 2018). 2 The complaint also included a loss of consortium claim filed by Plaintiff’s husband. However, the trial court ultimately dismissed his claim, and Plaintiff’s husband was not listed on the notice of appeal to this Court. Accordingly, we limit our review on appeal to Plaintiff’s claim. 3 “When a plaintiff gives pre-suit notice to a health care provider under Tennessee Code Annotated section 29-26-121, the one-year statute of limitations is extended by 120 days.” Runions, 549 S.W.3d at 86 (citing Tenn. Code Ann. § 29-26-121(c)). However, the pre-suit notice must comply with the statute in order for the plaintiff to receive the 120-day extension. Byrge v. Parkwest Med. Ctr., 442 S.W.3d 245, 249-50 (Tenn. Ct. App. 2014); see, e.g., Dortch v. Methodist Healthcare Memphis Hosps., No. W2017-01121-COA-R3-CV, 2018 WL 706767, at *3 (Tenn. Ct. App. Feb. 5, 2018) (“because Ms. Dortch did not comply with the provisions of -2- In response to the motion to dismiss, Plaintiff raised two arguments. First, she argued that her HIPAA authorization forms met or exceeded the statutory requirements. But alternatively, Plaintiff argued that even though there were “two named defendant medical providers: Dr. Yu and American Family Dentistry of Memphis, P.C. (Dr. Yu’s employer),” there was no “other” medical provider from whom records would be needed, so the defendants were not prejudiced. After a hearing, the trial court entered an order granting the defendants’ motion to dismiss. The trial court found that Plaintiff’s authorizations were not HIPAA compliant, as they did not identify any person or entity that could receive the protected information. Because of this omission, the trial court concluded that Plaintiff did not substantially comply with Tennessee Code Annotated section 29-26-121(a)(2)(E). The trial court rejected Plaintiff’s argument that a HIPAA authorization was unnecessary in the event that only one set of medical records existed, stating, “[t]he current case law is clear that where there are two or more defendants, the plaintiff must provide HIPAA compliant authorizations to all defendants,” “even when the defendants stand in an employee- employer relationship.” Because Plaintiff was not entitled to rely on the 120-day extension of the statute of limitations, the trial court dismissed Plaintiff’s complaint as time-barred. Plaintiff timely filed a notice of appeal. II. ISSUES PRESENTED On appeal, Plaintiff asks this Court to consider “whether Plaintiff[] failed to provide a HIPAA compliant medical authorization with the[] pre-suit notice as required by Tennessee Code Annotated § 29-26-121(a)(2)(E).”4 Specifically, Plaintiff argues that she substantially complied with the statute despite her failure to identify the intended recipient of the medical records. Alternatively, she contends that a HIPAA authorization was not needed because “in essence the instant case involves a single health care provider.” For the following reasons, we affirm the decision of the circuit court in part, section 121, she did not receive the 120 day extension, which made her [] Complaint time- barred”); J.A.C. by & through Carter v. Methodist Healthcare Memphis Hosps., 542 S.W.3d 502, 514 (Tenn. Ct. App. 2016) (“Due to the Plaintiffs’ substantial noncompliance, the trial court was correct in determining that the 120-day extension of the statute of limitations [] provided by Tennessee Code Annotated section 29-26-121(c) was unavailable.”) 4 We note the defendants’ argument that this Court should dismiss the appeal due to deficiencies in Plaintiff’s brief. Plaintiff failed to include a section in her brief listing the issues presented for review and failed to include proper citations to the relevant pages of the record. Instead, the cover page of Plaintiff’s brief states, “The nature of the proceedings: whether Plaintiffs failed to provide a HIPAA compliant medical authorization with their pre-suit notice as required by Tennessee Code Annotated § 29-26-121(02)(E),” and for citations to the record, she included references such as “Complaint, ¶2” and “see Exhibit B-1 . . . to Complaint.” In light of the limited issue resolved by the trial court and the small record on appeal, we will proceed to address the merits of the appeal, and we decline the defendants’ request for attorney’s fees. -3- reverse in part, and remand for further proceedings. III. STANDARD OF REVIEW According to the Tennessee Supreme Court, The proper way for a defendant to challenge a complaint’s compliance with Tennessee Code Annotated section 29-26-121 [] is to file a Tennessee Rule of Procedure 12.02 motion to dismiss. In the motion, the defendant should state how the plaintiff has failed to comply with the statutory requirements by referencing specific omissions in the complaint and/or by submitting affidavits or other proof. Once the defendant makes a properly supported motion under this rule, the burden shifts to the plaintiff to show either that it complied with the statutes or that it had extraordinary cause for failing to do so. Based on the complaint and any other relevant evidence submitted by the parties, the trial court must determine whether the plaintiff has complied with the statutes. If the trial court determines that the plaintiff has not complied with the statutes, then the trial court may consider whether the plaintiff has demonstrated extraordinary cause for its noncompliance. If the defendant prevails and the complaint is dismissed, the plaintiff is entitled to an appeal of right under Tennessee Rule of Appellate Procedure 3 using the standards of review in Tennessee Rule of Appellate Procedure 13. Myers v. AMISUB (SFH), Inc., 382 S.W.3d 300, 307 (Tenn. 2012). Because the trial court’s decision on the motion “involves a question of law, our review is de novo with no presumption of correctness.” Id. (citing Graham v. Caples, 325 S.W.3d 578, 581 (Tenn. 2010)). IV. DISCUSSION Under Tennessee law, a claimant must provide written pre-suit notice to a potential defendant before filing a complaint alleging health care liability: Any person, or that person’s authorized agent, asserting a potential claim for health care liability shall give written notice of the potential claim to each health care provider that will be a named defendant at least sixty (60) days before the filing of a complaint based upon health care liability in any court of this state. -4- Tenn. Code Ann. § 29-26-121(a)(1). Pursuant to the statute, the pre-suit notice must include “[a] HIPAA compliant medical authorization permitting the provider receiving the notice to obtain complete medical records from each other provider being sent a notice.” Tenn. Code Ann. § 29-26-121(a)(2)(E) (emphasis added). “Because the penalties imposed on entities that wrongfully disclose or obtain private health information in violation of HIPAA are severe, the sufficiency of the plaintiffs’ medical authorizations is imperative.” Woodruff by & through Cockrell v. Walker, 542 S.W.3d 486, 499 (Tenn. Ct. App. 2017). The specific requirements for a HIPAA compliant medical authorization are set forth in 45 C.F.R. § 164.508: (a) Standard: Authorizations for uses and disclosures (1) Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. . . . .... (c) Implementation specifications: Core elements and requirements— (1) Core elements. A valid authorization under this section must contain at least the following elements: (i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. (ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure. (iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure. (iv) A description of each purpose of the requested use or disclosure. . . . (v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. . . . (vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided. (Emphasis added). “Under the plain language of the regulation,” with respect to subsection (iii), “a name is not required so long as there is specific identification of the entity, person, or class of persons authorized to receive the protected health records.” -5- Rush v. Jackson Surgical Assocs. PA, No. W2016-01289-COA-R3-CV, 2017 WL 564887, at *4 (Tenn. Ct. App. Feb. 13, 2017) perm. app. denied (Tenn. June 8, 2017). For example, a valid authorization may authorize disclosure to a designated class of persons, “such as the employees of XYZ division of ABC insurance company,” so long as the class is specifically identified. Id. On the other hand, an authorization simply listing the term “bearer” does not satisfy the specificity requirement, and such a form is not HIPAA compliant. Id. Additionally, the HIPAA regulation expressly provides: Defective authorizations. An authorization is not valid, if the document submitted has any of the following defects: .... (ii) The authorization has not been filled out completely, with respect to an element described by paragraph (c) of this section, if applicable[.] 45 C.F.R. § 164.508(b)(2). Thus, “HIPAA deems authorizations defective if not filled out completely.” Smith v. Wellmont Health Sys., No. E2017-00850-COA-R9-CV, 2018 WL 3343591, at *4 (Tenn. Ct. App. July 9, 2018). As previously noted, the authorizations provided by Plaintiff in this case omitted information regarding element (iii), failing to identify any person or class of persons to whom the covered entity could make the requested use or disclosure. We now consider the effect of such an error under Tennessee law. The Tennessee Supreme Court provided guidance on that issue in Stevens ex rel. Stevens v. Hickman Community Health Care Services, Inc., 418 S.W.3d 547 (Tenn. 2013). In that case, the pre-suit notice provided by the plaintiff included a HIPAA authorization that only permitted the release of medical records to plaintiff’s counsel and lacked other required information. Id. at 552. The defendants moved to dismiss the complaint based on noncompliance with Tennessee Code Annotated section 29-26-121(a)(2)(E). Id. The trial court denied the motion, and the case eventually made its way to the Tennessee Supreme Court. Id. at 553. The supreme court recognized that “[h]ealthcare liability defendants have a right to receive medical records to defend themselves against civil liability,” and section 29-26- 121(a)(2)(E) requires a plaintiff to complete a HIPAA authorization “as a pre-condition of filing suit.” Id. at 557-58. The supreme court explained that the statute’s HIPAA authorization requirement serves “an investigatory function, equipping defendants with the actual means to evaluate the substantive merits of a plaintiff’s claim by enabling . . . early access to a plaintiff’s medical records.” Id. at 554. According to the court, Because HIPAA itself prohibits medical providers from using or disclosing a plaintiff’s medical records without a fully compliant authorization form, it -6- is a threshold requirement of the statute that the plaintiff’s medical authorization must be sufficient to enable defendants to obtain and review a plaintiff’s relevant medical records. See 45 C.F.R. § 164.508(a)(1) (“a covered entity may not use or disclose protected health information without an authorization that is valid under this section”). Tenn. Code Ann. § 29- 26-121(d)(1) creates a statutory entitlement to the records governed by § 29-26-121(a)(2)(E). See Tenn. Code Ann. § 29-26-121(d)(1) (“All parties in an action covered by this section shall be entitled to obtain complete copies of the claimant’s medical records from any other provider receiving notice ...”) (emphasis added). . . . . A plaintiff’s less-than-perfect compliance with Tenn. Code Ann. § 29-26-121(a)(2)(E), however, should not derail a healthcare liability claim. Non-substantive errors and omissions will not always prejudice defendants by preventing them from obtaining a plaintiff’s relevant medical records. Thus, we hold that a plaintiff must substantially comply, rather than strictly comply, with the requirements of Tenn. Code Ann. § 29-26-121(a)(2)(E). Id. at 555 (emphasis in original). Next, the court considered the sufficiency of the HIPAA authorization provided in that case to determine whether it substantially satisfied the requirements of the statute. Id. After noting the six core elements required by federal regulations, the supreme court concluded that the authorization at issue was not HIPAA compliant. Id. at 556. “First, and most importantly,” the court said, “by permitting disclosure only to Plaintiff’s counsel, Plaintiff’s medical authorization failed to satisfy the express requirement of Tenn. Code Ann. § 29-26-121(a)(2)(E) that a plaintiff’s medical authorization ‘permit[ ] the provider receiving the notice to obtain complete medical records from each other provider being sent a notice.’” Id. Secondly, the court found that the authorization failed to satisfy at least three of the six compliance requirements mandated by HIPAA. Id. The court continued, In determining whether a plaintiff has substantially complied with a statutory requirement, a reviewing court should consider the extent and significance of the plaintiff’s errors and omissions and whether the defendant was prejudiced by the plaintiff’s noncompliance. Not every non- compliant HIPAA medical authorization will result in prejudice. But in this case, the medical authorization submitted by Plaintiff was woefully deficient. The errors and omissions were numerous and significant. Due to Plaintiff's material non-compliance, Defendants were not authorized to receive any of the Plaintiff’s records. As a result of multiple errors, -7- Plaintiff failed to substantially comply with the requirements of Tenn. Code Ann. § 29-26-121(a)(2)(E). Id. (emphasis added). In a later case, the supreme court summarized Stevens as holding that “non-substantive errors and omissions and a plaintiff's less-than-perfect compliance with subsection 29-26-121(a)(2)(E) will not derail a healthcare liability claim so long as the medical authorization provided is sufficient to enable defendants to obtain and review a plaintiff’s relevant medical records.” Thurmond v. Mid-Cumberland Infectious Disease Consultants, PLC, 433 S.W.3d 512, 519-20 (Tenn. 2014) (quotations and bracketing omitted). In sum, “there is no bright line rule that determines whether a party has substantially complied with the requirements of Tenn. Code Ann. § 29-26- 121(a)(2)(E)[.]” Rush, 2017 WL 564887, at *4. However, in order to substantially comply with the statute, a plaintiff must provide a defendant with a HIPAA compliant medical authorization form that is sufficient to allow the defendant to obtain the plaintiff’s medical records from the other providers being sent the notice. Brookins v. Tabor, No. W2017-00576-COA-R3-CV, 2018 WL 2106652, at *5 (Tenn. Ct. App. May 8, 2018); Travis v. Cookeville Reg’l Med. Ctr., No. M2015-01989-COA-R3-CV, 2016 WL 5266554, at *7 (Tenn. Ct. App. Sept. 21, 2016). In this context, substantial compliance requires “a degree of compliance that provides the defendant with the ability to access and use the medical records for the purpose of mounting a defense.” Lawson v. Knoxville Dermatology Grp., P.C., 544 S.W.3d 704, 711 (Tenn. Ct. App. 2017). Applying these principles, we consider whether Plaintiff failed to substantially comply with section 29-26-121(a)(2)(E) by providing each defendant with an incomplete HIPAA authorization form that failed to identify to whom the covered entity could make the requested use or disclosure. Considering first “the extent and significance of the plaintiff’s errors and omissions,” as instructed by Stevens, 418 S.W.3d at 556, we note that these HIPAA authorizations were “defective” and “not valid” under HIPAA regulations due to Plaintiff’s omission. 45 C.F.R. § 164.508(b)(2)(ii). Her omission was both substantive and significant. As a result of Plaintiff’s failure to identify any authorized recipient of the records, her HIPAA authorizations did not permit the defendants to receive Plaintiff’s medical records. In Lawson, 544 S.W.3d at 712, this Court found no substantial compliance where a similar core element of the plaintiff’s HIPAA authorization, designating who was authorized to make the requested use or disclosure, was left blank. Id. We explained that “health care providers presented with a medical authorization missing the identification of those authorized to release information would have no way of knowing that they were -8- the providers for which the authorization was intended or that they were allowed to release medical records.” Id. As such, we concluded that the single omitted core element was “a necessary element” to the defendants’ legal authorization to use the medical records. Id. In Riley v. Methodist Healthcare Memphis Hospitals, 731 F. App’x 481 (6th Cir. 2018), the Sixth Circuit considered a HIPAA authorization with the same omission as the one before us in the context of a diversity jurisdiction case alleging health care liability. Specifically, the plaintiffs in Riley left blank the section where they were supposed to list the persons to whom each provider could disclose the patient’s records. Id. at 488 (citing C.F.R. § 145.608(c)(1)(iii)). Applying Tennessee law and federal HIPAA regulations, the district court deemed the authorization defective, rejecting the plaintiff’s argument that the forms were HIPAA compliant and would effectively permit each defendant to share records with anyone it wished. Id. at 489. Instead, the district court concluded, because of the omission in the form, the defendants were permitted to disclose records to no one. Id. The Sixth Circuit found no error in this decision. Id. at 490. After reviewing Tennessee caselaw, the court concluded that “substantial compliance requires that the noncomplying features of the authorization do not render it insufficient to authorize access and use of the records,” and the form at issue in Riley “did not permit that access and use.” Id. at 491-92; see also Rush, 2017 WL 564887, at *4 (concluding that an authorization that failed to identify with specificity a person or class of persons able to receive the records but instead listing “bearer” was not HIPAA compliant). Despite the deficiencies in Plaintiff’s HIPAA authorization, Plaintiff argues that “in essence the instant case involves a single health care provider,” and therefore, no HIPAA authorization was necessary in the first place. According to Plaintiff’s complaint, Dr. Yu was “a health care provider” who was “practicing dentistry at the dental clinic owned and operated by American Family Dentistry of Memphis, P.C.,” and Dr. Yu either “worked at, was employed by, or had an ownership interest in” American Family Dentistry.5 Plaintiff argues that the Tennessee Supreme Court’s holding in Bray v. Khuri, 523 S.W.3d 619 (Tenn. 2017) is “directly on point” and no HIPAA authorization needed to be provided under these circumstances. In Bray, the plaintiff filed suit against one physician – a single “health care provider” within the meaning of HIPAA and the Tennessee Health Care Liability Act.6 5 Because we are reviewing the trial court’s decision on a Rule 12.02(6) motion to dismiss, for purposes of this appeal, we presume that the allegations of fact in the complaint are true. Stevens, 418 S.W.3d at 552 n.1. 6 Under HIPAA, a “health care provider” is defined as “a provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as -9- Id. at 620. The Tennessee Supreme Court examined the text of Tennessee Code Annotated section 29-26-121(a)(2)(E), which requires a person who asserts a potential claim for health care liability to provide with pre-suit notice a HIPAA compliant authorization “permitting the provider receiving the notice to obtain complete medical records from each other provider being sent a notice.” Tenn. Code Ann. § 29-26- 121(a)(2)(E). Considering the plain language of the statute, the Bray court concluded that “a prospective plaintiff who provides pre-suit notice to one potential defendant is not required under Tennessee Code Annotated section 29-26-121(a)(2)(E) to provide the single potential defendant with a HIPAA-compliant medical authorization.” Id. (emphasis added). In other words, “a plaintiff need not provide a HIPAA-compliant authorization when a single healthcare provider is given pre-suit notice of a healthcare liability claim.” Id. at 622 (emphasis added). According to the court, “The authorization only allows a potential defendant to obtain the prospective plaintiff’s medical records from any other healthcare provider also given notice and identified as a potential defendant in the pre-suit notice.” Id. (emphasis added). The intermediate appellate court in Bray had concluded that even though the sole defendant-physician may have physically possessed the patient’s records, he could not review them with counsel to evaluate the merits of the claim absent a HIPAA compliant authorization. Id. at 621. Thus, on appeal, the physician maintained that a HIPAA authorization would be necessary because HIPAA would prohibit him from disclosing medical records already in his possession to his own counsel. Id. The supreme court recognized the “general rule” that “HIPAA prohibits a healthcare provider from using or disclosing protected health information without a valid authorization.” Id. (citing 45 C.F.R. § 164.508(a)(1)).7 However, examining HIPAA regulations, the supreme court found an applicable “regulatory exception to the general requirement of a HIPAA- compliant medical authorization.” Id. at 623. The court explained that HIPAA regulations permit a health care provider to use or disclose protected health information for its own “health care operations,” with some exceptions. Id. at 622 (citing 45 C.F.R. § defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.” 45 C.F.R. § 160.103. Tennessee Code Annotated section 29-26-101(a)(2) defines a “health care provider” as “[a] health care practitioner licensed, authorized, certified, registered, or regulated under any chapter of title 63 or title 68 . . . .” 7 Specifically, section 164.508(a)(1) provides: (a) Standard: Authorizations for uses and disclosures (1) Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. 45 C.F.R. § 164.508(a)(1) (emphasis added). - 10 - 164.506(a)). “Health care operations” include “[c]onducting or arranging for . . . legal services,” and the website maintained by the United States Department of Health and Human Services indicated that a health care provider may use or disclose protected health information with its lawyer for litigation. Id. at 622-23. As such, the supreme court concluded that “HIPAA does not require Dr. Khuri to obtain a medical authorization to use a patient’s medical records in his possession and consult with counsel to evaluate the merits of a potential claim.” Id. at 623 (emphasis added). Notably, the physician relied on a previous decision from the Court of Appeals, Roberts v. Prill, E2013-02202-COA- R3-CV, 2014 WL 2921930, at *6 (Tenn. Ct. App. June 26, 2014), to support his argument that a HIPAA compliant medical authorization was required to enable him to “use” medical records in his possession. Id. Without opining on the merits of the Roberts decision, the supreme court found it “factually distinguishable on a critical point: Roberts involved two defendants, whereas this case involves a single defendant.” Id. Accordingly, the supreme court explained, Roberts did not consider the same issue – “whether section 29-26-121(a)(2)(E) applies when a single healthcare provider is named as a potential defendant.”8 Id. In summary, Bray established two points – (1) “a plaintiff need not provide a HIPAA-compliant authorization when a single healthcare provider is given pre-suit notice of a healthcare liability claim,” and (2) a health care provider may use or disclose protected health information for its health care operations and does not need to obtain a medical authorization in order “to use a patient’s medical records in [its] possession and consult with counsel to evaluate the merits of a potential claim.” Id. at 622-23. Clearly, the factual situation before us does not fall within the “single healthcare provider” exception recognized in Bray that would have excused Plaintiff from providing a HIPAA authorization in the first place. This Court rejected a similar argument in another case 8 The Roberts case was filed against an oncologist and the health care group that employed the oncologist. Roberts, 2014 WL 2921930, at *1. The plaintiff claimed that the defendants already had all of the relevant records in their possession. Id. at *6. The court of appeals concluded that because the HIPAA authorizations provided by the plaintiff were defective, the two defendants “were not legally authorized to use the pertinent medical records to mount a defense, despite the fact that the records may have already been in their possession.” Id. at *5. The court concluded that the “case did not fall within one of the limited circumstances anticipated by HIPAA that would allow for the use of the records without authorization.” Id. at *6. However, the only specific exception the court discussed was provided in 45 C.F.R. § 164.508(a)(2)(i)(C), which addresses the use of psychotherapy notes in a legal action. Id. We did not mention the exception for health care operations that was later discussed by the supreme court in Bray. Id.; see also Harmon v. Shore, No. M2014-01339-COA-R3-CV, 2015 WL 1881467, at *5 & n.3 (Tenn. Ct. App. Apr. 23, 2015) (relying on Roberts prior to Bray -- where the plaintiff argued that a doctor and hospital already possessed the records -- and concluding that the case did not fall within one of the limited circumstances that would allow for the “use” of records without an authorization, but only discussing the psychotherapy exception). - 11 - involving two defendant medical providers – a physician’s assistant and the dermatology practice that employed her. Lawson, 544 S.W.3d at 710. Despite the employer-employee relationship between the defendants, we ultimately concluded that the situation before us involved multiple defendants, and therefore “the one-defendant exception articulated in Bray [did] not apply[.]” Id. at 711-12. The Sixth Circuit also considered and rejected a similar argument in Riley, where health care liability claims were filed against a physician in addition to the clinic and the hospital where the physician practiced. 731 Fed. Appx. at 483. Like Plaintiff, the appellants in Riley argued that this was “essentially a one-provider case” and suggested that all of the records would be accessible by the physician as the health care provider who rendered the care. Id. at 495. The Sixth Circuit rejected that argument, first characterizing Bray as “a statutory interpretation case” that was “inapposite” given that the case before it involved pre-suit notice sent to three health care providers. Id. However, to the extent that the plaintiffs were suggesting a lack of prejudice on the part of the defendants due to an alleged ability to access records without the need for a HIPAA authorization, the court further held that the plaintiffs failed to adequately raise and establish a lack of prejudice or that the defendants actually had “another means of access” to the records. Id. at 494-95. Likewise, this is not a “single healthcare provider” case within the meaning of Bray such that HIPAA authorizations were unnecessary. However, to the extent that Plaintiff is attempting to argue a lack of prejudice in light of the two defendants’ employment relationship, we find it necessary to consider the issue of prejudice separately with respect to each defendant. Again, Stevens requires us to consider whether each defendant was prejudiced by Plaintiff’s failure to provide a HIPAA compliant release. See Stevens, 418 S.W.3d at 556. Notably, at oral argument before this Court, counsel for the defendants conceded that “[i]n this particular case, Dr. Yu does not possess the records; American Family Dentistry possesses the records.” Therefore, we begin by considering the issue of prejudice to American Family Dentistry, which already had the records in its possession, resulting from its inability to utilize the HIPAA authorization provided by Plaintiff.9 According to the Tennessee Supreme Court’s decision in Bray, a HIPAA authorization “only allows a potential defendant to obtain the prospective plaintiff’s medical records from any other healthcare provider also given notice and identified as a 9 With regard to the issue of prejudice, we note that a defendant is not required to attempt to use a medical authorization it believes to be defective, and “a defendant’s claim of prejudice is not waived by failing to attempt to use or otherwise ‘test’ an allegedly defective authorization.” Smith, 2018 WL 3343591, at *6. - 12 - potential defendant in the pre-suit notice,” and HIPAA regulations allow a health care provider to use or disclose protected health information in its possession for its own health care operations. 523 S.W.3d at 622. For instance, in Bray, HIPAA did not require the defendant-doctor to obtain a medical authorization in order to “use” the patient’s medical records in his possession and consult with counsel to evaluate the merits of the potential claim. Id. Here, according to the concession of defense counsel, Dr. Yu did not possess any records. The records were maintained by American Family Dentistry. Therefore, it was not necessary for American Family Dentistry to utilize the HIPAA authorization to obtain records from any other health care provider identified as a potential defendant, and American Family Dentistry was authorized to use the records in its possession to evaluate the merits of Plaintiff’s claim without a HIPAA authorization. In this regard, this case is analogous to Hughes v. Henry County Medical Center, No. W2014-01973-COA-R3-CV, 2015 WL 3562733 (Tenn. Ct. App. June 9, 2015). In Hughes, the plaintiff filed a health care liability action against a hospital and a physician (although the physician was not a party to the appeal). Id. at *1. A clerical error in the medical authorization form provided to the hospital did not permit it to obtain medical records from the physician. Id. However, counsel for the hospital conceded that the physician saw the patient only at the hospital and had no records independent of the hospital’s records. Id. at *2. This Court quoted the following pertinent language from Stevens, [I]n determining whether a plaintiff has substantially complied with a statutory requirement, a reviewing court should consider the extent and significance of the plaintiff’s errors and omissions and whether the defendant was prejudiced by the plaintiff’s noncompliance. Not every non- compliant HIPAA medical authorization will result in prejudice. Id. (citing 418 S.W.3d at 556). We noted the undisputed fact that the physician had no medical records, and therefore, the validity of the release for the physician’s records had no effect on the hospital’s ability to obtain “complete medical records” as contemplated by the statute. Id. at *3. Rather, the hospital “was able to obtain all of the [patient’s] relevant medical records, and evaluate the merits of the claim despite Appellants’ technical failure to include [the physician’s] records in its release.”10 Id. at *4. Because the hospital admittedly suffered no prejudice as a result of the defective HIPAA authorization and the statutory goal of allowing a defendant to evaluate the merits of a 10 Hughes was a pre-Bray decision. The Court of Appeals concluded that the hospital was permitted to “use its own records” in light of the particular language of the defective HIPAA release form, without discussing the exception for health care operations later discussed in Bray. Id. at *1. However, we believe the result here is the same with respect to the issue of prejudice. - 13 - claim with early access to medical records was satisfied, we concluded that Plaintiff substantially complied with the statute. Id. at *5. See also Martin v. Rolling Hills Hosp., LLC, No. M2016-02214-COA-R3-CV, 2018 WL 3097231, at *8 (Tenn. Ct. App. June 22, 2018) (finding no prejudice to the defendants in a case where the plaintiffs argued that the defendants already had possession of the relevant documents); but see Dolman v. Donovan, No. W2015-00392-COA-R3-CV, 2015 WL 9315565, at *1 (Tenn. Ct. App. Dec. 23, 2015) (declining to find no prejudice when eight separate providers were given pre-suit notice, only one defendant-hospital actually had relevant records, but the providers did not know this information during the pre-suit notice period and were unable to use the defective authorizations to request whatever records might have existed). We recognize that our holding with regard to this issue seems to conflict with the portion of the Lawson opinion analyzing the issue of prejudice when two defendants are involved. Again, Lawson involved two defendant medical providers – a physician’s assistant and the dermatology practice that employed her. Lawson, 544 S.W.3d at 705. However, the plaintiffs only appealed the dismissal of the claim against the dermatology practice. Id. On appeal, the plaintiffs argued that the defendant-practice was not prejudiced by a defective HIPAA release because it “already had access to the medical record it generated” when the plaintiff was treated and “was already in possession of the only medical record relevant to the case at bar.” Id. at 710. We found the “one- defendant exception” from Bray inapplicable and instead relied on the pre-Bray decision in Roberts (which had only discussed the applicability of the HIPAA exception for psychotherapy notes). Id. Applying Roberts, we concluded that the fact that the records were already in the defendant’s possession did not excuse compliance with the HIPAA authorization requirement because, in the absence of one of HIPAA’s limited exceptions, HIPAA generally provides that a covered entity may not use protected health information without a valid authorization. Id. As in Roberts, the only exception we referenced was the one for psychotherapy notes. Id. We concluded that in light of the defective HIPAA form, the defendant medical practice would not be allowed to consult with anyone about the records and “would not be allowed to use Mr. Lawson’s medical records to mount a defense.” Id. at 713. Essentially, in Lawson, we concluded that “the one-defendant exception articulated in Bray [did] not apply” to excuse the plaintiffs from providing HIPAA authorizations, but we did not discuss whether the “health care operations” exception to HIPAA that was secondarily discussed in Bray would nevertheless permit the defendant- practice to use the records in its possession. Id. at 711. Having carefully reviewed Lawson, Roberts (and cases citing it), and the Tennessee Supreme Court’s decision in Bray, we simply conclude that our decision is controlled by the Bray decision and its conclusion regarding the use of records that are already in the possession of a health care provider. Discerning no prejudice to American Family Dentistry due to Plaintiff’s failure - 14 - to provide it with a HIPAA compliant release, we conclude that Plaintiff substantially complied with Tennessee Code Annotated section 29-26-121(a)(2)(E), she was entitled to the 120-day extension to the statute of limitations, and her claim against American Family Dentistry was not time-barred. We reverse the trial court’s dismissal of Plaintiff’s claim against American Family Dentistry. We now consider the existence of prejudice to Dr. Yu, who did not already possess the records, resulting from his inability to utilize the HIPAA authorization provided by Plaintiff. Before the trial court, counsel for the defendants acknowledged that American Family Dentistry and Dr. Yu are “in an employer-employee relationship.” Although Plaintiff does not cite any HIPAA regulations on appeal, she suggests that it is incomprehensible that Dr. Yu would not have “free access” to obtain medical records from American Family Dentistry when he continues to work at the clinic. We disagree. HIPAA distinguishes between uses or disclosures for purposes of treatment and those for purposes of health care operations.11 The “health care operations” exception to the general requirement of a HIPAA compliant authorization, which was discussed in Bray, does not extend to the lengths implicitly urged by Plaintiff. Keeping in mind that the purpose of American Family Dentistry providing these records to Dr. Yu would be for Dr. Yu’s own health care operations, we look to the language of the regulation: (c) Implementation specifications: Treatment, payment, or health care operations. (1) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations. .... (4) A covered entity may disclose protected health information to another covered entity for health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the protected health information being requested, the protected health information pertains to such relationship, and the disclosure is: (i) For a purpose listed in paragraph (1) or (2) of the definition of health care operations; or 11 “Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.” 45 C.F.R. § 164.501. - 15 - (ii) For the purpose of health care fraud and abuse detection or compliance. 45 C.F.R. § 164.506(c) (emphasis added). The referenced purposes listed in paragraphs (1) and (2) are for quality-related health care operations and do not include legal services, which is separately addressed in paragraph (4).12 Accordingly, this exception to the authorization requirement would not permit American Family Dentistry to disclose records to Dr. Yu for the purposes of Dr. Yu’s health care operations (i.e., conducting or arranging for legal services). “Requiring a HIPAA compliant medical authorization to accompany the pre-suit notice was a policy decision by the General Assembly that ‘equip[s] defendants with the actual means to evaluate the substantive merits of a plaintiff’s claim by enabling early access to a plaintiff’s medical records.’”13 J.A.C. by & through Carter, 542 S.W.3d at 12 See https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures- treatment-payment-health-care-operations/index.html (characterizing paragraphs (1) and (2) as “quality-related health care operations activity”). The definition of health care operations provides: Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions: (1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; patient safety activities (as defined in 42 CFR 3.20); population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment; (2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities; .... (4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; 45 C.F.R. § 164.501. 13 We note that HIPAA also permits a covered entity to disclose protected health information “in the course of any judicial or administrative proceeding” but only “[i]n response to an order of a court or administrative tribunal” or “a subpoena, discovery request, or other lawful process” and provided that other conditions are met. 45 C.F.R. § 164.512(e). - 16 - 521 (quoting Stevens, 418 S.W.3d at 555). In the case before us, the authorization Plaintiff sent to Dr. Yu was not HIPAA-compliant, and Plaintiff has not demonstrated that Dr. Yu had another means of access to the records maintained by American Family Dentistry that would have enabled him to evaluate her claim. See Myers, 382 S.W.3d at 307 (“Once the defendant makes a properly supported motion under this rule, the burden shifts to the plaintiff to show [] that it complied with the statutes . . . . Based on the complaint and any other relevant evidence submitted by the parties, the trial court must determine whether the plaintiff has complied with the statutes.”); Dolman, 2015 WL 9315565, at *4 (concluding that plaintiffs presented only sparse evidence regarding an alleged affiliation between defendant entities that failed to reveal the extent of the defendants’ access to records). We therefore conclude that Dr. Yu was prejudiced by the lack of a HIPAA compliant authorization. “‘Defendants are clearly prejudiced when unable, due to a form procedural error, to obtain medical records needed for their legal defense.’” Hamilton v. Abercrombie Radiological Consultants, Inc., 487 S.W.3d 114, 120 (Tenn. Ct. App. 2014). Plaintiff failed to substantially comply with Tennessee Code Annotated section 29-26-121(a)(2)(E) because her authorization would not allow Dr. Yu to obtain medical records from the other health care provider receiving pre-suit notice. Due to Plaintiff’s failure to substantially comply with the statute within the original statute of limitations, Plaintiff did not receive the 120-day extension of the statute of limitations, and her complaint against Dr. Yu was not timely filed. See Byrge, 442 S.W.3d at 250. We affirm the trial court’s dismissal of the claim against Dr. Yu. V. CONCLUSION For the aforementioned reasons, we affirm the decision of the circuit court in part, we reverse in part, and we remand this cause for further proceedings consistent with this opinion. Costs of this appeal are taxed equally to the appellant, Mary Wenzler, and to appellee American Family Dentistry, for which execution may issue if necessary. _________________________________ BRANDON O. GIBSON, JUDGE - 17 -