
    Konah Evangeline BUCKMAN, Mother and Next of Kin of Edward Kofi Sasa Lenox Buckman a/k/a Edward Welsely, Deceased v. MOUNTAIN STATES HEALTH ALLIANCE, et al.
    No. E2017-01766-COA-R3-CV
    Court of Appeals of Tennessee, AT KNOXVILLE.
    May 29, 2018 Session FILED July 26, 2018 Application for Permission to Appeal Denied by Supreme Court November 15, 2018
   Brandon O. Gibson, J.

This is a healthcare liability case. Before filing the complaint, the plaintiff gave written notice to the potential defendants of her healthcare liability claim against them. Tennessee Code Annotated section 29-26-121(a)(2)(E) requires that a plaintiff's pre-suit notice include a HIPAA compliant medical authorization permitting the healthcare provider receiving the notice to obtain complete medical records from every other provider that is being sent a notice. After the plaintiff filed suit, the defendants moved to dismiss the complaint based on noncompliance with the statute, as the defendants alleged that the HIPAA authorization provided by the plaintiff had already expired when they received it. The trial court granted the defendants' motion to dismiss, concluding that the HIPAA authorization was invalid due to the fact that the listed expiration date had already passed when the authorization was provided to the defendants with pre-suit notice. The plaintiff appeals. We affirm and remand for further proceedings.

I. FACTS & PROCEDURAL HISTORY

On August 11, 2016, counsel for Konah Evangeline Buckman ("Plaintiff") sent letters to at least ten healthcare providers, notifying them of a potential healthcare liability claim arising out of their care and treatment of Plaintiff's son on August 15-16, 2015. The notice stated that counsel was enclosing a HIPAA compliant medical authorization permitting each provider to obtain a complete copy of the child's medical records generated by the other providers. According to federal regulations, a HIPAA compliant authorization must include six "core elements," including,

(v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement "end of the research study," "none," or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.

45 C.F.R. § 164.508(c)(1). The HIPAA authorization sent by Plaintiff on August 11, 2016, provided, in part:

HIPAA COMPLIANT AUTHORIZATION FOR RELEASE OF MEDICAL INFORMATION

Patient:

Edward Kofi Sasa Lenox Buckman aka Edward Welsley

A. I hereby authorize any of the following listed providers to release informationfrom my medical records to yourself and all other medical providers listed below;

* * * *

B. For the following purpose: To be reviewed by sold providers and his/her/their Attorneys, agents or representatives,

C. For treatment dates;All treatment dates, and all medical records

D. Description of information to be used:

Copies of medical records regarding Edward Kofi Sasa Lenox Buckman aka Edward Welsley in the possession of the medical providers listed above in Part A, including but not limited to, all medical records, meaning every page in the records, including but net limited to office notes, face sheets, history and physical, consultation notes, impatient, outpatient and emergency room treatment, all clinical charts, reports, order sheets, progress notes, nurses notes, social

worker records, clinic records, treatment plans, admission records, discharge summaries, requests for and reports of consultations, documents, correspondence, test results, statements, questionnaires/histories, correspondence, photographs, telephone messages, and records received by other medical providers. All physical, occupational and rehab requests, coagulation, and progress notes. All autopsy, laboratory, histology, cytology, pathology, immunohisto-chemistry records and specimens; radiology records and including CT scan, MRI, MRA, EMG, hone scan, myleogram, nerve condition study, echocardiogram and cardiac catheterization results, videos/CDs/ films/reels and reports* All pharmacy/prescription records. All billing records including all statements.

E. I understand information to be released or disclosed may include information relating to sexually transmitted diseases acquired immunodeficiency syndrome (AIDS), or human immunodeficiency virus (lily), and alcohol and drug abuse, 1 authorize the release or disclosure of this, type of information, This authorization is given in compliance with the federal consent requirements foe release of alcohol or substance abuse records of 42 CFR 2*31 the restrictions of which have been specifically considered and expressly waived*

F. I understand the following:

1. I have a right to revoke this authorization in writing at any time, except to the extent information has been released in reliance upon this authorization*
2. The Information released in response to this authorization may be re-disclosed to other parties*
3. Treatment or payment for treatment cannot be conditioned on the signing of this authorization.
4. The providers releasing the medical records are hereby released and discharged of any liability and I will hold the facilities handiness for complying with this authorization for release of medical information.

G. Any facsimile copy or photocopy of this authorization shall authorize the medical provider to release the records requested herein. This authorization shall be in force and effect until the conclusion of any litigation involving the providers listed above.

H. This authorization shall expire on the following date: ___________ or (2 years from signature) or Event:08/15/2015 .

I. All medical records obtained pursuant to this authorization shall be copied by the recipent's office and a Rates-numberd copy shall be furnished to my council, R. Wayne Culbertson, Attorney at Law, 119 W. Market Street, Kingsport, TN 37660 within five (5) days after the records are obtained by recipient.

Plaintiff filed her healthcare liability complaint on December 1, 2016.

On January 30, 2017, some of the defendants jointly filed a motion to dismiss asserting that they were provided with an expired and therefore invalid HIPPA authorization, and consequently, Plaintiff had failed to substantially comply with Tennessee Code Annotated section 29-26-121(a)(2)(E). These defendants argued in their motion that they were unable to obtain copies of the patient's medical records as a result. Plaintiff filed a response, arguing that the expiration date was sufficient but that even if it was deficient, the HIPAA authorization substantially complied with the statute. Plaintiff argued that the defendants had failed to demonstrate any prejudice as a result of the alleged deficiency in the form.

Additional defendants filed a motion to dismiss on the same ground, asserting that the HIPAA authorization provided to them was likewise expired and therefore Plaintiff did not substantially comply with the pre-suit notice requirement of Tennessee Code Annotated section 29-26-121(a)(2)(E). These defendants argued that they were forbidden from using or disclosing the patient's protected health information without a valid HIPAA authorization and that releasing, obtaining, or using the records pursuant to the expired HIPAA authorization would have constituted a violation of HIPAA by both the party releasing the records and the recipient or user of the records.

After a hearing, the trial court entered an order of dismissal granting the motion to dismiss that was filed first. Noting the "core elements" of a HIPAA authorization required by federal regulations, the trial court concluded that Plaintiff's HIPAA authorization was expired and "thereby invalid for use by the defendants" at the time it was received. The trial court found that the defendants were prejudiced by the invalid HIPAA release in that they were unable to obtain medical records from healthcare providers. The trial court added, "see Exhibit 1, Refusal Notice received by Defendants in response to request for medical records, on the basis of an invalid HIPAA release," but no exhibit is attached to the order in the appellate record. Because the defendants were unable to lawfully use the HIPAA authorizations provided by Plaintiff, the trial court concluded that Plaintiff failed to substantially comply with Tennessee Code Annotated section 29-26-121(a)(2)(E) and dismissed the claims against these defendants without prejudice. The order of dismissal was entered on August 22, 2017.

On September 7, 2017, the trial court entered a second order resolving the second motion to dismiss that was filed by additional defendants. The order noted that the identical issue had been raised and previously addressed with regard to other defendants. Specifically, the order referenced the court's previous ruling that Plaintiff's HIPAA authorization had expired by its terms and was therefore invalid for use by the defendants at the time of receipt, preventing them from obtaining the patient's medical records. The trial court attached a transcript of its prior ruling to the order and granted the second motion to dismiss filed by the additional defendants. Plaintiff timely filed a notice of appeal.

II. ISSUES PRESENTED

As we perceive it, Plaintiff presents the following issue for review on appeal: whether the trial court misinterpreted Plaintiff's HIPAA authorization by concluding that it listed an expiration date that preceded the execution of the document and erred in finding that the authorization was not HIPAA-compliant. For the following reasons, we affirm the trial court's decision and remand for further proceedings.

III. STANDARD OF REVIEW

According to the Tennessee Supreme Court,

The proper way for a defendant to challenge a complaint's compliance with Tennessee Code Annotated section 29-26-121 and Tennessee Code Annotated section 29-26-122 is to file a Tennessee Rule of Procedure 12.02 motion to dismiss. In the motion, the defendant should state how the plaintiff has failed to comply with the statutory requirements by referencing specific omissions in the complaint and/or by submitting affidavits or other proof. Once the defendant makes a properly supported motion under this rule, the burden shifts to the plaintiff to show either that it complied with the statutes or that it had extraordinary cause for failing to do so. Based on the complaint and any other relevant evidence submitted by the parties, the trial court must determine whether the plaintiff has complied with the statutes. If the trial court determines that the plaintiff has not complied with the statutes, then the trial court may consider whether the plaintiff has demonstrated extraordinary cause for its noncompliance. If the defendant prevails and the complaint is dismissed, the plaintiff is entitled to an appeal of right under Tennessee Rule of Appellate Procedure 3 using the standards of review in Tennessee Rule of Appellate Procedure 13.

Myers v. AMISUB (SFH), Inc. , 382 S.W.3d 300, 307 (Tenn. 2012). Because the trial court's decision on the motion "involves a question of law, our review is de novo with no presumption of correctness." Id. (citing Graham v. Caples , 325 S.W.3d 578, 581 (Tenn. 2010) ).

IV. DISCUSSION

In Tennessee, a claimant must provide written pre-suit notice to a potential defendant before filing a complaint alleging healthcare liability:

Any person, or that person's authorized agent, asserting a potential claim for health care liability shall give written notice of the potential claim to each health care provider that will be a named defendant at least sixty (60) days before the filing of a complaint based upon health care liability in any court of this state.

Tenn. Code Ann. § 29-26-121(a)(1). By statute, the pre-suit notice must include "[a] HIPAA compliant medical authorization permitting the provider receiving the notice to obtain complete medical records from each other provider being sent a notice." Tenn. Code Ann. § 29-26-121(a)(2)(E).

HIPAA "establishes requirements for protecting confidential medical information by healthcare providers" and generally "prohibits a healthcare provider from using or disclosing protected health information without a valid authorization." Bray v. Khuri , 523 S.W.3d 619, 622 (Tenn. 2017) (citing 45 C.F.R. § 164.508(a)(1) ). The specific requirements for a HIPAA compliant medical authorization are set forth in 45 C.F.R. § 164.508, which provides:

(a) Standard: Authorizations for uses and disclosures
(1) Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section....
....
(c) Implementation specifications: Core elements and requirements-(1) Core elements. A valid authorization under this section must contain at least the following elements:
(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
(iv) A description of each purpose of the requested use or disclosure. The statement "at the request of the individual" is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.
(v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement "end of the research study," "none," or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.
(vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.

(Emphasis added.) The regulation further provides:

(2) Defective authorizations. An authorization is not valid, if the document submitted has any of the following defects:
(i) The expiration date has passed or the expiration event is known by the covered entity to have occurred[.]

45 C.F.R. § 164.508(b)(2). Finally, the regulation contains a "[p]lain language requirement," which provides that "[t]he authorization must be written in plain language." 45 C.F.R. § 164.508(c)(3).

In the case before us, the HIPAA authorization sent by Plaintiff on August 11, 2016, provided the following, all of which was type-written:

This authorization shall expire on the following date: __________ or (2 years from signature) or Event: 08/15/2015 .

(Emphasis in original.) Plaintiff argues that the trial court and the defendants unilaterally misinterpreted this provision as providing an expiration date of "8/15/2015" when, according to Plaintiff, it provided an expiration date of two years from the date of signature. In her brief on appeal, Plaintiff argues:

The CFR set forth above clearly refers to two different ways to establish the expiration of the HIPAA agreement. The first is by a date, or the second way is by an event that relates to the individual or the purpose of the use or disclosure. Plaintiff submits that a date is straight forward but blank in this agreement. Instead the plaintiff chose to use an event, which is the expiration of two years from her signature.

We simply cannot agree with Plaintiff's strained interpretation of the HIPAA authorization. First of all, the authorization clearly lists "Event: 08/15/2015 ," which refutes Plaintiff's argument that she chose to designate an "Event" of "two years from her signature." The pre-printed blank beside the "date" was left blank. Plaintiff entered "08/15/2015 " in the second blank and emphasized it with bold font, as she did when answering other questions on the form, such as, "For treatment dates: All treatment dates and all medical records. " The phrase "2 years from signature" only appears parenthetically in the provision, without bold emphasis, and would appear to be a default parenthetical that appeared on the original form beside the blank for the date. Although the provision as a whole is not a model of clarity, the most reasonable interpretation of it is that the HIPAA authorization would expire on "08/15/2015 ." Plaintiff certainly did not specify any other expiration date or event in the "plain language" required by federal regulations. See 45 C.F.R. § 164.508(c)(3).

Plaintiff suggests on appeal that she listed "08/15/2015 " simply in order "to assist the defendants in their search for records" because that was the date of "the negligent event," but again, we find such an interpretation unreasonable. The form clearly states, "This authorization shall expire on the following date : __________ or (2 years from signature) or Event: 08/15/2015 ." (Italics added.) Regardless of Plaintiff's unexpressed intention, the provision contains nothing to convey to a healthcare provider receiving the form that 08/15/2015 was not really intended to signify the expiration of the authorization. As the appellees note on appeal, medical providers are "not at liberty to disregard [a plaintiff's] explicitly designated expiration date just because it happened to coincide with the date of injury," nor can they be expected to effectively rewrite a release to correct a perceived error. Compare J.A.C. by & through Carter v. Methodist Healthcare Memphis Hosps. , 542 S.W.3d 502, 515 (Tenn. Ct. App. 2016), perm. app. denied (Tenn. Mar. 9, 2017) (rejecting the argument that a healthcare provider could have used information from the pre-suit notice letters and attachments to "customize" incomplete medical authorizations); Roberts v. Prill , No. E2013-02202-COA-R3-CV, 2014 WL 2921930, at *6 (Tenn. Ct. App. June 26, 2014) (rejecting the suggestion that defendants should be required to complete an inadequate form). Defendant providers owe no duty to plaintiffs to help them achieve compliance with the requirements of the statute. J.A.C. , 542 S.W.3d at 516.

Our research has revealed another Tennessee case involving the sufficiency of an already-passed expiration date on a HIPAA authorization. In Byrge v. Parkwest Medical Center , 442 S.W.3d 245, 246 (Tenn. Ct. App. 2014), the plaintiff sent pre-suit notice along with a HIPAA authorization on September 20, 2010, but the HIPAA authorization listed an expiration date of October 4, 2009, nearly one year prior to its mailing. (This was the date of the patient's death.) After the defendant filed a motion to dismiss, the plaintiff took a nonsuit and refiled his claim. Id. The trial court granted a motion to dismiss the second complaint on the basis that the first complaint was not timely filed because the plaintiff failed to comply with Tennessee Code Annotated section 29-26-121. Id. at 247. On appeal, this Court considered whether the first lawsuit was timely filed and found it undisputed that the plaintiff did not comply with Tennessee Code Annotated section 29-26-121 in his first suit. Id. at 251. "Specifically," we said, "the medical authorization form Plaintiff sent to Parkwest was deficient because it did not authorize release of information to Parkwest and because it contained an expiration date that pre-dated the cover letter accompanying the medical authorization form by almost one year. " Id. (emphasis added).

The same defect exists in this case. Having concluded that Plaintiff's pre-suit notice included an expired HIPAA authorization, we now consider the effect of such an error. The Tennessee Supreme Court provided guidance on that issue in Stevens ex rel. Stevens v. Hickman Community Health Care Services, Inc. , 418 S.W.3d 547 (Tenn. 2013). In that case, the pre-suit notice provided by the plaintiff included a HIPAA medical authorization that only permitted the release of medical records to plaintiff's counsel, not to the providers being sent notice, and it also failed to contain other required information. Id. at 551-52. The defendants moved to dismiss the complaint based on noncompliance with Tennessee Code Annotated section 29-26-121(a)(2)(E). Id. at 552. The trial court denied the motion, and the case eventually made its way to the Tennessee Supreme Court. Id. at 553. The supreme court explained that the HIPAA authorization requirement of section 29-26-121(a)(2)(E) serves "an investigatory function, equipping defendants with the actual means to evaluate the substantive merits of a plaintiff's claim by enabling early discovery of potential co-defendants and early access to a plaintiff's medical records." Id. at 554. The court explained that Tennessee Code Annotated section 29-26-121(d)(1)"creates a statutory entitlement to the records governed by § 29-26-121(a)(2)(E)," as the statute provides that all parties "shall be entitled to obtain complete copies of the claimant's medical records from any other provider receiving notice. " Id. at 555 (emphasis in original). According to the court,

Because HIPAA itself prohibits medical providers from using or disclosing a plaintiff's medical records without a fully compliant authorization form, it is a threshold requirement of the statute that the plaintiff's medical authorization must be sufficient to enable defendants to obtain and review a plaintiff's relevant medical records. See 45 C.F.R. § 164.508(a)(1) ("a covered entity may not use or disclose protected health information without an authorization that is valid under this section")....
A plaintiff's less-than-perfect compliance with Tenn. Code Ann. § 29-26-121(a)(2)(E), however, should not derail a healthcare liability claim. Non-substantive errors and omissions will not always prejudice defendants by preventing them from obtaining a plaintiff's relevant medical records. Thus, we hold that a plaintiff must substantially comply, rather than strictly comply, with the requirements of Tenn. Code Ann. § 29-26-121(a)(2)(E).

Id. (emphasis added). Next, the court considered the sufficiency of the medical authorization provided in that case to determine whether it substantially satisfied the requirements of the statute. Id. After noting the six core elements required by federal regulations, the supreme court concluded that the authorization at issue was not HIPAA compliant. Id. at 556. "First, and most importantly," the court said, "by permitting disclosure only to Plaintiff's counsel, Plaintiff's medical authorization failed to satisfy the express requirement of Tenn. Code Ann. § 29-26-121(a)(2)(E) that a plaintiff's medical authorization 'permit[ ] the provider receiving the notice to obtain complete medical records from each other provider being sent a notice.' " Id. Secondly, the court found that the authorization failed to satisfy at least three of the six compliance requirements mandated by HIPAA. Id. The court continued,

In determining whether a plaintiff has substantially complied with a statutory requirement, a reviewing court should consider the extent and significance of the plaintiff's errors and omissions and whether the defendant was prejudiced by the plaintiff's noncompliance. Not every non-compliant HIPAA medical authorization will result in prejudice. But in this case, the medical authorization submitted by Plaintiff was woefully deficient. The errors and omissions were numerous and significant. Due to Plaintiff's material non-compliance, Defendants were not authorized to receive any of the Plaintiff's records. As a result of multiple errors, Plaintiff failed to substantially comply with the requirements of Tenn. Code Ann. § 29-26-121(a)(2)(E).

Id. (emphasis added). In a later case, the supreme court summarized Stevens as holding that "non-substantive errors and omissions and a plaintiff's less-than-perfect compliance with subsection 29-26-121(a)(2)(E) will not derail a healthcare liability claim so long as the medical authorization provided is sufficient to enable defendants to obtain and review a plaintiff's relevant medical records." Thurmond v. Mid-Cumberland Infectious Disease Consultants, PLC , 433 S.W.3d 512, 519-20 (Tenn. 2014) (quotations and bracketing omitted).

In sum, "there is no bright line rule that determines whether a party has substantially complied with the requirements of Tenn. Code Ann. § 29-26-121(a)(2)(E) [.]" Rush v. Jackson Surgical Assocs. PA , No. W2016-01289-COA-R3-CV, 2017 WL 564887, at *4 (Tenn. Ct. App. Feb. 13, 2017), perm. app. denied (Tenn. June 8, 2017). However, in order to substantially comply with the statute, a plaintiff must provide a defendant with a HIPAA compliant medical authorization form that is sufficient to allow the defendant to obtain the plaintiff's medical records from the other providers being sent the notice. Brookins v. Tabor , No. W2017-00576-COA-R3-CV, 2018 WL 2106652, at *5 (Tenn. Ct. App. May 8, 2018) ; Travis v. Cookeville Reg'l Med. Ctr. , No. M2015-01989-COA-R3-CV, 2016 WL 5266554, at *7 (Tenn. Ct. App. Sept. 21, 2016) ; see also Riley v. Methodist Healthcare Memphis Hosps. , 731 Fed.Appx. 481, 491 (6th Cir. 2018) (gleaning from Tennessee cases that "substantial compliance requires that the noncomplying features of the authorization do not render it insufficient to authorize access and use of the records"). In this context, substantial compliance refers to "a degree of compliance that provides the defendant with the ability to access and use the medical records for the purpose of mounting a defense." Lawson v. Knoxville Dermatology Grp., P.C. , 544 S.W.3d 704, 711 (Tenn. Ct. App. 2017), perm. app. denied (Tenn. Nov. 16, 2017).

Applying these principles to the case before us, we agree with the trial court's conclusion that Plaintiff failed to substantially comply with section 29-26-121(a)(2)(E) by providing the defendants with an expired and therefore invalid HIPAA authorization form. Considering first "the extent and significance of the plaintiff's errors and omissions," as instructed by Stevens , 418 S.W.3d at 556, we find that the HIPAA authorization was expressly invalid under HIPAA regulations:

(2) Defective authorizations. An authorization is not valid, if the document submitted has any of the following defects:
(i) The expiration date has passed or the expiration event is known by the covered entity to have occurred[.]

45 C.F.R. § 164.508(b)(2). Thus, the error in the form was both substantive and significant. As a result of the expiration date having passed, the defendants were not authorized to receive any of the patient's medical records. See 45 C.F.R. § 164.508(a)(1) ("a covered entity may not use or disclose protected health information without an authorization that is valid under this section").

We further conclude that the defendants were prejudiced by Plaintiff's noncompliance with the statute. " 'Defendants are clearly prejudiced when unable, due to a form procedural error, to obtain medical records needed for their legal defense.' " Lawson v. Knoxville Dermatology Grp., P.C. , 544 S.W.3d 704, 709-10 (Tenn. Ct. App. 2017), perm. app. denied (Tenn. Nov. 16, 2017) (quoting Hamilton v. Abercrombie Radiological Consultants, Inc. , 487 S.W.3d 114, 120 (Tenn. Ct. App. 2014) ). At this juncture, we note that the trial court referenced an exhibit to its order entitled, "Exhibit 1, Refusal Notice received by Defendants in response to request for medical records, on the basis of an invalid HIPAA release," but no such exhibit is attached to the order in the appellate record. However, the absence of such a "refusal notice" does not lead us to conclude that the defendants were not prejudiced. As a result of the invalid and expired HIPAA authorization, the defendants could not lawfully request the patient's medical records, whether they attempted to do so or not.

"Because the penalties imposed on entities that wrongfully disclose or obtain private health information in violation of HIPAA are severe, the sufficiency of the plaintiffs' medical authorizations is imperative." Woodruff by & through Cockrell v. Walker , 542 S.W.3d 486, 499 (Tenn. Ct. App. 2017), perm. app. denied (Tenn. Oct. 6, 2017). The penalties for wrongfully disclosing or obtaining private health information in violation of HIPAA are "extremely severe, with such entities facing punishment of up to $50,000 per offense and/or imprisonment of up to one year for non-compliance." Stevens , 418 S.W.3d at 555 n.6 (citing 42 U.S.C.A. § 1320d-6 ).

"Several Tennessee decisions have rejected the proposition that a health care liability defendant has a duty to assist a plaintiff achieve compliance or to test whether an obviously deficient HIPAA form would allow the release of records." J.A.C. , 542 S.W.3d at 514 ; see, e.g. , Dolman v. Donovan , No. W2015-00392-COA-R3-CV, 2015 WL 9315565, at *5 (Tenn. Ct. App. Dec. 23, 2015), perm. app. denied (Tenn. May 6, 2016) (rejecting the plaintiffs' argument that the medical providers could not have been prejudiced because they never attempted to obtain medical records with the deficient medical authorization provided); Roberts , 2014 WL 2921930, at *6 (rejecting the argument that the onus should be placed on the defendants to test the sufficiency of the form and finding dismissal warranted even in the absence of evidence of any "failed attempt" to obtain records); see also Riley , 731 Fed.Appx. at 493 (wherein the Sixth Circuit concluded from Tennessee caselaw that "where the authorizations do not permit access and use, the defendant-providers need not affirmatively show that they sought and were denied medical records in order to establish prejudice"). The healthcare liability plaintiff is the party responsible for complying with the requirements of Tennessee Code Annotated section 29-26-121(a)(2)(E), not the defendants. Stevens , 418 S.W.3d at 559.

Ultimately, the statute requires pre-suit notice to include "[a] HIPAA compliant medical authorization permitting the provider receiving the notice to obtain complete medical records from each other provider being sent a notice." Tenn. Code Ann. § 29-26-121(a)(2)(E). The expired and invalid HIPAA authorization provided in this case failed to meet the "threshold requirement of the statute that the plaintiff's medical authorization must be sufficient to enable defendants to obtain and review [the] relevant medical records." See Stevens , 418 S.W.3d at 555. We therefore affirm the trial court's order of dismissal without prejudice.

On appeal, the appellees attempt to raise an additional issue regarding "[w]hether Plaintiff is barred from re-filing her case by the interaction of the Statute of Limitations and the failure to comply with Tenn. Code Ann. § 29-26-121, which Plaintiff utilized to extend the filing deadline by one hundred and twenty (120) days." At the conclusion of the hearing on the motion to dismiss, the trial judge stated that he would dismiss the case without prejudice due to noncompliance with Tennessee Code Annotated section 29-26-121, but he also recognized that "the effect ... would be a dismissal with prejudice because you were relying on the 120 day extension of the statute by giving the pre-suit notice." To the extent that this could be construed as a ruling on this issue, it was not challenged on appeal by Plaintiff. In fact, Plaintiff's counsel conceded during oral argument that if we concluded that his HIPAA authorization was non-compliant, he was not entitled to the 120-day extension. We will not address the issue further in this opinion.

V. CONCLUSION

For the aforementioned reasons, the decision of the circuit court is hereby affirmed and remanded for further proceedings. All other issues are pretermitted. Costs of this appeal are taxed to the appellant, Konah Evangeline Buckman, and her surety, for which execution may issue if necessary.

D. Michael Swiney, C.J., filed a separate concurring opinion.

D. Michael Swiney, C.J., separate concurring.

I concur, reluctantly, with the entirety of the opinion of the Court. I concur because this is the result mandated by statute and case law. I do so reluctantly because this case is the latest in a long line of healthcare liability actions dismissed on technical grounds since the enactment of the sections of the Health Care Liability Act governing pre-suit notice adopted by our General Assembly in 2008. This Court has seen healthcare liability case after case brought by Tennessee citizens dismissed without any determination of whether the case has any merit.

These results require, I believe, for us to accept that one of two things is true. The first of these options is that our General Assembly intended in enacting these healthcare liability statutes for some Tennessee citizens to have their healthcare liability actions resolved not on the merits but instead by means of technical traps. The second option is that the dismissal of numerous Tennessee citizens' healthcare liability actions for technical reasons without any decision ever being made as to the possible merits of the case is an unintended consequence of these statutes. I do not believe that our General Assembly intended by creating various technical traps resulting in dismissal to deprive some of its Tennessee citizens from the opportunity of having a healthcare liability action determined on the merits. I instead believe that this continuing flow of cases dismissed for technical reasons having nothing to do with the merits of the healthcare liability action is an unintended consequence.

As Oliver Wendell Holmes, Jr. stated, "The life of the law has not been logic; it has been experience." Our experience in this regard has been that numerous Tennessee citizens' healthcare liability actions are being dismissed for reasons having nothing to do with the merits of the action. While logic tells us that perhaps every lawyer for a Tennessee citizen should be able to follow the statutes to avoid these traps, experience has shown otherwise. Instead, Tennessee courts often find themselves in situations requiring a dismissal of the action not on the merits. An example of such a dismissal is the current case where the plaintiff's case must be dismissed under the statutes and the case law because the HIPAA authorization had one possible interpretation, among others, that it expired before it ever was signed, something I submit most of our Tennessee citizens would find to be, simply put, a silly idea. This, however, is the result required by the current statutes and existing case law.

As the courts are limited as to what they properly can do to eliminate these unintended consequences, I respectfully suggest to our General Assembly that these unintended consequences can be eliminated by simple amendments to the statute. One possible example would be something along the lines of requiring the defense counsel, if he or she has any concerns with the HIPAA authorization, to notify the plaintiff's counsel of these concerns and give plaintiff's counsel seven days to provide a HIPAA compliant authorization satisfying those concerns or have to live with the consequences of the original HIPAA authorization's deficiencies. This would satisfy the goal of getting a proper medical authorization to the defendants so as to allow them to gather and review the plaintiff's medical records promptly.

This added "burden" on defense counsel is minimal at most. The argument that even this minimal "burden" should not be placed on the defendant because it is the plaintiff's burden to provide a proper medical authorization or have the case dismissed makes sense only if the lawsuit is viewed as a game of "gotcha" to be played by the lawyers. It is not a game either to the plaintiffs or to the defendants.

If we want to resolve Tennessee citizens' healthcare liability actions on the merits and not on technicalities, as we do other types of suits, these statutes need to be amended to eliminate these unintended consequences. If, however, we are content to have some Tennessee citizens' healthcare liability actions dismissed without any determination as to the possible merits of the suit, no amendment is required. 
      
      "HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (codified as amended in scattered sections of 18 U.S.C., 26 U.S.C., 29 U.S.C., 42 U.S.C.)." Runions v. Jackson-Madison Cnty. Gen. Hosp. Dist. , 549 S.W.3d 77, 80 n.3 (Tenn. 2018).
     
      
      Although Plaintiff suggests on appeal that she made a deliberate choice to complete the form in this manner, at the hearing before the trial court, her attorney suggested that the form contained "a typo."
     
      
      In Lawson , for example, the Court found no substantial compliance where a core element of the plaintiff's HIPAA authorization, designating who was authorized to make the requested use or disclosure, was left blank. Lawson , 544 S.W.3d at 712. The Court explained that "health care providers presented with a medical authorization missing the identification of those authorized to release information would have no way of knowing that they were the providers for which the authorization was intended or that they were allowed to release medical records." Id. As such, we concluded that the omitted core element was "a necessary element" to the defendants' legal authorization to use the pertinent medical records. Id.
     
      
      When discussing the issue of prejudice and finding that prejudice occurred in the Stevens case, the supreme court said,
      In determining whether a plaintiff has substantially complied with a statutory requirement, a reviewing court should consider the extent and significance of the plaintiff's errors and omissions and whether the defendant was prejudiced by the plaintiff's noncompliance. Not every non-compliant HIPAA medical authorization will result in prejudice. But in this case, the medical authorization submitted by Plaintiff was woefully deficient. The errors and omissions were numerous and significant. Due to Plaintiff's material non-compliance, Defendants were not authorized to receive any of the Plaintiff's records.
      Stevens , 418 S.W.3d at 556 (emphasis added). There was no mention of a failed attempt to obtain records. In fact, the dissent argued that the complaint should not have been dismissed because "the Defendants have not demonstrated any prejudice caused by the deficiency in the medical authorization form." Id. at 561. The dissent criticized the majority as essentially holding that the defendants were "effectively prevented access to the medical records" and "presumptively prejudiced" by the inadequate form. Id. at 564-65. So, while Stevens requires us to consider whether the defendant was prejudiced, we do not read Stevens as also requiring that a provider affirmatively prove that it requested and was denied access to records.
     
      
      These cases are rendered more technically complex due to the necessary interaction between our Tennessee health care liability statutes and the federal regulations governing HIPAA.
     
      
      I do not fault defense counsel in any way for raising these technical defenses. They are doing their job under existing law.
     