Alert
Alert
By Allen Briskin,
07.08.14
California appellate courts are clarifying potential liability under California’s Confidentiality of Medical Information Act, Cal. Civ. Code § 56 et seq. (“CMIA”) of health care providers, health plans, pharmaceutical companies and others for the unauthorized disclosure of medical information. The CMIA provides that an individual may recover $1,000 nominal damages (plus actual damages if any) from a health care provider or other covered party that negligently releases that individual’s medical information. In data breaches involving large numbers of records and individuals, the potential liability can be enormous even without proof of any damages.
Eisenhower Medical Center Case
In a significant decision for health care providers and other holders of medical information, the California Court of Appeal recently decided that the CMIA’s civil liability provisions do not cover the theft of a hospital index containing personal identifying information unless the index also includes information relating to medical history, mental or physical condition, or treatment. Eisenhower Medical Center v. Superior Court (Malanche), No. E058378, 2014 WL 2115216, at *1 (Cal. Ct. App. May 21, 2014). In Eisenhower, the plaintiffs sought damages for a class of over 500,000 individuals, which could amount to total nominal damages of over $500 million without any showing of actual injury. While the CMIA continues to impose significant obligations upon those within its coverage, this decision dramatically reduces the liability risk arising from the release of one type of information.
Under the CMIA, a provider of health care, health care service plan, pharmaceutical company or contractor is obligated to maintain “medical information ... in a manner that preserves the confidentiality of the information contained therein,” and any such party “who negligently ... maintains, preserves, stores, abandons, destroys or disposes of medical information” is subject to specified remedies. Cal. Civ. Code § 56.101. Such remedies include nominal damages of $1,000 and/or actual damages from “any person or entity who has negligently released confidential information or records....” Cal. Civ. Code § 56.36(b). The CMIA defines the term “medical information” as follows:
“Medical information” means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment.
Cal. Civ. Code § 56.05(j).
In Eisenhower, a unanimous three-judge panel of the California Court of Appeal, Fourth Appellate District, examined whether a patient index containing personal identifying information qualifies as medical information under the CMIA and held that it did not
Prior to Eisenhower, the California Court of Appeal had held that the term “medical information” as used in the CMIA is “broadly defined” and “[t]here is no question that ‘the patient’s name, address, age, and sex’ when combined with ‘a general description of the reason for treatment’; ‘the general nature of the injury’; and ‘the general condition of the patient’ comprise ‘medical information.’” Garrett v. Young, 109 Cal. App. 4th 1393, 1406 (2003). The Court of Appeal had also ruled that a valid claim of improper disclosure of “medical information” required that the information about an individual’s health condition be accompanied by specific information that identified the individual involved. Maureen K. v. Tuschka, M.D., 215 Cal. App. 4th 519 (2013) (holding there was no disclosure of any identifying medical information where physician discussed patient’s HIV-positive condition in a room containing other patients, but did not use plaintiff’s full name, or disclose any other identifying information specified in the statute, and that there was no evidence that other patients would have been able to see the plaintiff during the discussion).
The Eisenhower decision takes the analysis one step further, and holds that “medical information” under the CMIA (i.e., information “regarding” a patient’s medical history, condition, or treatment) must include or reveal something about the patient’s history, condition, or treatment. A computer was stolen that contained an index of over 500,000 persons to whom the Eisenhower Medical Center (“EMC”) had assigned a clerical record number and that included each person’s name, medical record number, age, birth date, and the last four digits of their Social Security number. 2014 WL 2115216 at *1. The computer was password-protected but not encrypted. EMC argued “that the index did not contain medical information within the meaning of the CMIA,” and that “there was a disclosure or release of ‘individually identifiable information,’ but not medical information.” Id. The Court of Appeal agreed.
The Court first looked at the wording of the CMIA, and found that “[i]t is clear from the plain meaning of the statute that medical information cannot mean just any patient-related information held by a healthcare provider, but must be ‘individually identifiable information’ and also include ‘a patient’s medical history, mental or physical condition, or treatment.” Id. at *3. The Court next found that plaintiff’s theory would require information to be considered “medical information” whenever any kind of personally identifying information about a patient was released, “render[ing] meaningless the clause ‘regarding a patient’s medical history, mental or physical condition, or treatment.” Id. The Court found that the medical record number did not disclose anything about the nature of any medical treatment (if, in fact, treatment was provided) and that the fact that the person “was a patient is not in itself medical information as defined in section 56.05.” Id. at *4. The Court further held that “[c]onfirmation that a person’s medical record exists somewhere is not medical information as defined under the CMIA.” Id.
The Court found it “noteworthy” that section 56.16 of the CMIA allows an acute care hospital to release, at its discretion, certain limited patient information upon request, including a “general description of the reason for the treatment, the general nature of the injury, and the general condition of the patient, as well as nonmedical data.” Id. Although the Court acknowledged that section 56.16 applies only when there has been a request for information, it found that the section “does lend some support for the belief that the mere fact that a person is or was a patient is not accorded the same level of privacy as specific information about his medical history.” Finally, the Court rejected plaintiffs’ contention that EMC’s reporting of the theft to the U.S. Department of Health and Human Services pursuant to federal law constituted an admission, finding that because “federal law differs markedly from that in the CMIA,” the provision did not constitute a concession that the theft involved medical information as defined in the CMIA. Id.
The Court concluded by holding “that under the CMIA a prohibited release by a health care provider must include more than individually identifiable information but must also include information relating to medical history, mental or physical condition, or treatment of the individual.” Id.
Although Eisenhower is significant for its clarifications regarding the definition of medical information, the Eisenhower Court expressly declined to address other important issues relating to interpretation of the CMIA: (1) whether there is a distinction between a disclosure or release of medical information under the CMIA; and (2) whether the very fact that a person was a patient of certain health care providers, such as an AIDS clinic, may rise to the level of medical information. Id. at *2 n.3, *4 n.4.
Read more: California Court Limits Liability for Loss of Certain Patient Information under CMIA