Summary
holding that a plaintiff need not provide the statutorily required HIPAA-compliant medical authorization when the suit only includes a single health care provider that is given pre-suit notice of a health care liability claim
Summary of this case from Estate of Barnwell v. GrigsbyOpinion
No. W2015–00397–SC–R11–CV
07-05-2017
Duncan E. Ragsdale, William R. Bruce, and Aaron L. Thomas, Memphis, Tennessee, for the appellant, Deborah Bray. James T. McColgan, III and Sherry S. Fernandez, Cordova, Tennessee, for the appellee, Radwan R. Khuri, M.D. W. Bryan Smith, Memphis, Tennessee; John Vail, Washington, D.C.; and Brian G. Brooks, Greenbrier, Arkansas, for amicus curiae, Tennessee Association for Justice.
Duncan E. Ragsdale, William R. Bruce, and Aaron L. Thomas, Memphis, Tennessee, for the appellant, Deborah Bray.James T. McColgan, III and Sherry S. Fernandez, Cordova, Tennessee, for the appellee, Radwan R. Khuri, M.D.
W. Bryan Smith, Memphis, Tennessee; John Vail, Washington, D.C.; and Brian G. Brooks, Greenbrier, Arkansas, for amicus curiae, Tennessee Association for Justice.
Sharon G. Lee, J., delivered the opinion of the Court, in which Jeffrey S. Bivins, C.J., Cornelia A. Clark, Holly Kirby, and Roger A. Page, JJ., joined.
OPINION
Sharon G. Lee, J.
Tennessee Code Annotated section 29-26-121(a)(2)(E) requires a person who asserts a potential claim for healthcare liability to include with pre-suit notice a HIPAA-compliant medical authorization permitting the healthcare provider who receives the notice to obtain complete medical records "from each other provider being sent the notice." Tenn. Code Ann. § 29-26-121(a)(2)(E). Here, the plaintiff sent pre-suit notice of her claim to a single healthcare provider and included a medical authorization. After the plaintiff filed suit, the defendant healthcare provider moved to dismiss, asserting the plaintiff had failed to provide a HIPAA-compliant medical authorization. The trial court granted the motion, and the Court of Appeals affirmed. We hold that a prospective plaintiff who provides pre-suit notice to one potential defendant is not required under Tennessee Code Annotated section 29-26-121(a)(2)(E) to provide the single potential defendant with a HIPAA-compliant medical authorization. We reverse the judgments of the trial court and the Court of Appeals and remand this case to the trial court for further proceedings.
"HIPAA" is the acronym for the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (codified as amended in scattered sections of 18, 26, 29, and 42 U.S.C.). Among other things, HIPAA requires healthcare providers to protect the confidentiality of patients' health information. In general, a healthcare provider may not disclose protected health information without a patient's express written authorization, with certain exceptions. 45 C.F.R. § 164.508(a)(1).
I.
Between the evening of March 25 and the morning of March 26, 2003, Nigel Bray committed suicide at Saint Francis Hospital in Memphis. Dr. Radwan Khuri provided psychiatric care to Mr. Bray from the time of his hospital admission on March 20 until his death less than a week later.
In March 2004, Deborah Bray, Mr. Bray's surviving spouse, filed a healthcare liability case against Dr. Khuri alleging negligence in the care and treatment of Mr. Bray. In May 2010, after the parties had engaged in pretrial discovery, Mrs. Bray voluntarily dismissed the suit.
In May 2011, Mrs. Bray sent Dr. Khuri pre-suit notice of her healthcare liability claim as required by section 29-26-121(a)(1). The pre-suit notice letter advised Dr. Khuri of a potential claim by Mrs. Bray for the wrongful death of her husband arising out of the medical and psychiatric treatment Dr. Khuri provided to Mr. Bray at Saint Francis Hospital. The notice, which included a medical authorization signed by Mrs. Bray, stated that Dr. Khuri was the only healthcare provider receiving the notice.
In September 2011, Mrs. Bray filed a healthcare liability suit against Dr. Khuri. Dr. Khuri moved to dismiss the case, asserting that Mrs. Bray had failed to provide a HIPAA-compliant medical authorization under section 29-26-121(a)(2)(E). Dr. Khuri argued that because the authorization was incomplete and not HIPAA- compliant, he could not discuss Mr. Bray's medical records with counsel to prepare a defense to the potential claim. Mrs. Bray responded, in part, that no authorization was required under section 29-26-121(a)(2)(E) because Dr. Khuri was the only healthcare provider to whom she sent pre-suit notice.
HIPAA regulations require a medical authorization to include the following:
(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
(iv) A description of each purpose of the requested use or disclosure....
(v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure....
(vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.
45 C.F.R. § 164.508(c)(1).
The trial court granted Dr. Khuri's motion and dismissed the complaint, finding that the authorization provided by Mrs. Bray did not comply with HIPAA and did not substantially comply with the requirements of Tennessee Code Annotated section 29-26-121(a)(2)(E). Further, the trial court ruled that Dr. Khuri was prejudiced by Mrs. Bray's deficient authorization because he could not use Mr. Bray's records to prepare a defense. The trial court concluded that it was not determinative that Dr. Khuri was the only defendant and may have had the records.
The Court of Appeals affirmed, holding that Mrs. Bray was required to furnish a HIPAA-compliant authorization with the pre-suit notice even though Dr. Khuri was the only healthcare provider notified of the claim. Bray v. Khuri , No. W2015-00397-COA-R3-CV, 2015 WL 7775316, at *3, *5 (Tenn. Ct. App. Dec. 3, 2015). The Court of Appeals reasoned that the goal of section 29-26-121(a)(2)(E) is to allow a defendant to gain early access to a plaintiff's medical records to evaluate the substantive merits of the claim. Id. at *3 (quoting Stevens ex rel. Stevens v. Hickman Cmty. Health Care Servs., Inc. , 418 S.W.3d 547, 555 (Tenn. 2013) ). The Court of Appeals concluded that even though Dr. Khuri may have physically possessed the decedent's records, he could not review them with counsel to evaluate the merits of the claim absent a HIPAA-compliant authorization. Id. The Court of Appeals further held that the authorization failed to substantially comply with HIPAA requirements. Id. at *3–4.
We granted Mrs. Bray's application for permission to appeal.
II.
This case involves an interpretation of Tennessee Code Annotated section 29-26-121(a)(2)(E), which is a question of law we review de novo. See Stevens , 418 S.W.3d at 553 (citing Pratcher v. Methodist Healthcare Memphis Hosps. , 407 S.W.3d 727, 734 (Tenn. 2013) ). "[O]ur role is to ascertain and effectuate the legislature's intent." Id. (citing Sullivan ex rel. Hightower v. Edwards Oil Co. , 141 S.W.3d 544, 547 (Tenn. 2004) ). We do not broaden or restrict a statute's intended meaning, and we presume that the legislature intended to give each word of the statute its full effect. Id. (citing Garrison v. Bickford , 377 S.W.3d 659, 663 (Tenn. 2012) ; In re Estate of Trigg , 368 S.W.3d 483, 490 (Tenn. 2012) ). When statutory language is clear and unambiguous, we accord the language its plain meaning, understood in its ordinary and accepted usage, without a forced interpretation. Foster v. Chiles , 467 S.W.3d 911, 914 (Tenn. 2015) (citing Baker v. State , 417 S.W.3d 428, 433 (Tenn. 2013) ); Stevens , 418 S.W.3d at 553 (citing Glassman, Edwards, Wyatt, Tuttle & Cox, P.C. v. Wade , 404 S.W.3d 464, 467 (Tenn. 2013) ).
Tennessee Code Annotated section 29-26-121(a)(1) provides that a person "asserting a potential claim for health care liability shall give written notice of the potential claim to each health care provider that will be a named defendant at least sixty (60) days before the filing of a complaint...." Tenn. Code Ann. § 29-26-121(a)(1). Tennessee Code Annotated section 29-26-121(a)(2)(E) states that the notice shall include "[a] HIPAA compliant medical authorization permitting the provider receiving the notice to obtain complete medical records from each other provider being sent a notice. " Id. § 29-26-121(a)(2)(E) (emphasis added).
We hold that, based on the clear and unambiguous language of section 29-26-121(a)(2)(E), a plaintiff need not provide a HIPAA-compliant authorization when a single healthcare provider is given pre-suit notice of a healthcare liability claim. The authorization only allows a potential defendant to obtain the prospective plaintiff's medical records from any other healthcare provider also given notice and identified as a potential defendant in the pre-suit notice. This authorization requirement is consistent with section 29-26-121(d)(1), which specifies that all parties to a healthcare suit "shall be entitled to obtain complete copies of the claimant's medical records from any other provider receiving notice" and that the claimant complies with this requirement by providing a HIPAA-compliant medical authorization with pre-suit notice. Id. § 29-26-121(d)(1).
Dr. Khuri argues that HIPAA prohibits the disclosure of a patient's medical records to counsel for evaluating the merits of a potential claim absent a valid medical authorization. HIPAA, enacted in 1996, establishes requirements for protecting confidential medical information by healthcare providers. As a general rule, HIPAA prohibits a healthcare provider from using or disclosing protected health information without a valid authorization. 45 C.F.R. § 164.508(a)(1). However, HIPAA regulations allow a healthcare provider to "use or disclose protected health information for treatment, payment, or health care operations ," with some exceptions for certain uses or disclosure requiring an authorization. 45 C.F.R. § 164.506(a) (emphasis added); see also id. § 164.506(c)(1). "Health care operations" include "[c]onducting or arranging for medical review, legal services , and auditing functions." Id. § 164.501 (emphasis added). The United States Department of Health and Human Services ("HHS"), in its Frequently Asked Questions ("FAQ") for Professionals pages of its website, indicates that a healthcare provider may use or disclose protected health information for litigation "whether for judicial or administrative proceedings, ... or as part of the covered entity's health care operations." HHS further recognizes that "[i]n most cases, the covered entity will share protected health information for litigation purposes with its lawyer, who is either a workforce member or a business associate." HIPAA regulations define a "business associate" to include a person who provides legal services to or for a healthcare provider. 45 C.F.R. § 160.103. HIPAA does not require Dr. Khuri to obtain a medical authorization to use a patient's medical records in his possession and consult with counsel to evaluate the merits of a potential claim.
HIPAA for Professionals FAQ 704, HHS (Jan. 7, 2005), https://www.hhs.gov/hipaa/for-professionals/faq/704/may-a-covered-entity-use-protected-health-information-for-litigation/index.html (citations omitted); HIPAA for Professionals FAQ 705, HHS (Jan. 7, 2005), https://www.hhs.gov/hipaa/for-professionals/faq/705/may-a-covered-entity-in-a-legalproceeding-use-protected-health-information/index.html.
HIPAA for Professionals FAQ 705, supra note 3.
Dr. Khuri argues that the HHS website indicates "health care operations" do not include consultation with an attorney regarding a potential claim prior to the commencement of a lawsuit. He emphasizes that the website refers to a "plaintiff or defendant in a legal proceeding," a "defendant in a malpractice action," and "the course of any judicial or administrative proceeding." According to Dr. Khuri, this language applies only to proceedings following the filing of a complaint.
We disagree with Dr. Khuri's narrow interpretation. Under HIPAA regulations, "healthcare operations" include arranging for legal services. HHS has indicated that a healthcare provider may share health information for "litigation purposes" with its lawyer. HIPAA does not limit "legal services" and "litigation purposes" to pending lawsuits. Although providing pre-suit notice does not commence a lawsuit, see Rajvongs v. Wright , 432 S.W.3d 808, 811–12 (Tenn. 2013), pre-suit notice is a prerequisite to the commencement of a healthcare liability claim and is provided to each healthcare provider who "will be a named defendant" in the lawsuit. Mrs. Bray's pre-suit notice was a predicate to filing suit against Dr. Khuri. Mrs. Bray's pre-suit notice to Dr. Khuri, as the sole healthcare provider who would "be a named defendant," sufficiently invoked the regulatory exception to the general requirement of a HIPAA-compliant medical authorization.
See HIPAA for Professionals FAQ 705, supra note 3.
See Tenn. Code Ann. § 29-26-121(a) ("Any person ... asserting a potential claim for health care liability shall give written notice of the potential claim to each health care provider that will be a named defendant at least sixty (60) days before the filing of a complaint based upon health care liability....") (emphasis added).
--------
Dr. Khuri relies on Roberts v. Prill , E2013-02202-COA-R3-CV, 2014 WL 2921930, at *6 (Tenn. Ct. App. June 26, 2014), no perm. app. filed , an unreported decision, to support his argument that a HIPAA-compliant medical authorization was required to enable him to use Mr. Bray's medical records in his possession. Roberts , however, is distinguishable. In Roberts , the plaintiff filed a healthcare liability suit against the decedent's treating oncologist and the specialty healthcare group that employed the oncologist. Id. at *1. The trial court granted the defendants' motions to dismiss based on its finding that the plaintiff failed to provide a HIPAA-compliant authorization and failed to attach a copy of the pre-suit notices to her complaint. The Court of Appeals affirmed. Id. While Roberts and the case at bar are both healthcare liability suits concerning incomplete medical authorizations, they are factually distinguishable on a critical point: Roberts involved two defendants, whereas this case involves a single defendant. Neither the trial court nor the Court of Appeals in Roberts considered whether section 29-26-121(a)(2)(E) applies when a single healthcare provider is named as a potential defendant.Last, Dr. Khuri argues that the Patient's Privacy Protection Act, Tenn. Code Ann. §§ 68-11-1501 to –1505, is more restrictive than HIPAA and bars the disclosure of protected health information without proper authorization or a court order. Dr. Khuri also argues that the protections afforded by Tennessee privacy laws are not preempted by HIPAA or other federal laws. These arguments are without merit.
The Patient's Privacy Protection Act provides that "[e]very patient entering and receiving care at a healthcare facility licensed by the board for licensing healthcare facilities has the expectation of and right to privacy for care received at such facility." Tenn. Code Ann. § 68-11-1502. This statute applies only to healthcare facilities, not physicians. More importantly, it authorizes a patient to recover damages for invasion of privacy against a healthcare provider who publicly divulges the patient's identifying information. Id. § 68-11-1504. The healthcare liability act does not require a patient to provide an authorization under this statute, and Mrs. Bray has not sued Dr. Khuri under this statute. The Patient Privacy Protection Act does not support Dr. Khuri's argument or provide any basis for upholding the dismissal of Mrs. Bray's claim.
Because we conclude that Tennessee Code Annotated section 29-26-121(a)(2)(E) does not apply here, where only a single healthcare provider received pre-suit notice as a potential defendant, the issue of whether Mrs. Bray substantially complied with section 29-26-121(a)(2)(E) is pretermitted. The Patient's Privacy Protection Act is also inapplicable; therefore, we need not determine whether Tennessee's privacy law conflicts with or is preempted by HIPAA.
III.
After careful review, we hold that a HIPAA-compliant medical authorization was not required under section 29-26-121(a)(2)(E) because Mrs. Bray's pre-suit notice was sent to a single provider. The judgments of the trial court and the Court of Appeals are reversed, and this case is remanded to the trial court for further proceedings. The costs of this appeal are taxed to Radwan R. Khuri, M.D., for which execution may issue if necessary.