I guess I wasn’t the only one surprised by the Third District Court of Appeal’s dismissal of a lawsuit against Sutter Health for violations of California’s Confidentiality of Medical Information Act (CMIA). The justices had unanimously held that the CMIA wasn’t triggered because there was no evidence that anyone even looked at the stolen protected health information, much less misused it.
Since the language of CMIA doesn’t seem to require evidence of harm or misuse, I found their ruling surprising. The statute seems pretty clear:
A provider of health care, health care service plan, or
contractor shall not disclose medical information regarding a patient
of the provider of health care or an enrollee or subscriber of a
health care service plan without first obtaining an authorization,
except as provided in subdivision (b) or (c).
The definition section of the statute does not define what “disclose” means, however.
Now Kathy Robertson of the Sacramento Business Journal reports that the plaintiffs intend to appeal to the California Supreme Court:
“We’re disappointed with the decision and plan to appeal to the state Supreme Court,” said John Parker Jr., a Sacramento attorney and one of several lead counsel for the plaintiffs. The appeals court did not correctly interpret the law, he added. “In fact, they rewrote it in such a way that it violates the intent of the Legislature, legal history and long-standing protections of the privacy and confidentiality of medical records in California,” he said.
Read more on Sacramento Business Journal.
The dismissal was important because CMIA provides for penalties for negligent disclosures, even where no harm has been demonstrated. Under Section 56.36(b):
In addition to any other remedies available at law, any individual may bring an action against any person or entity who has negligently released confidential information or records concerning him or her in violation of this part, for either or both of the following:
(1) Except as provided in subdivision (e), nominal damages of one thousand dollars ($1,000). In order to recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual damages.
(2) The amount of actual damages, if any, sustained by the
patient.
(c) (1) In addition, any person or entity that negligently discloses medical information in violation of the provisions of this part shall also be liable, irrespective of the amount of damages suffered by the patient as a result of that violation, for an administrative fine or civil penalty not to exceed two thousand five hundred dollars ($2,500) per violation.
The Sutter Health case was the second time in the past year that the courts dismissed a complaint under CMIA. The California Court of Appeals limited the ability of plaintiffs to obtain statutory damages under CMIA in Regents of the Univ. of Cal. v. Superior Court of Los Angeles County, holding
by incorporating the remedy specified in section 56.36, subdivision (b), section 56.101 allows a private right of action for negligent maintenance only when such negligence results in unauthorized or wrongful access to the information. Because Platter cannot allege her information was improperly viewed or otherwise accessed, we grant the Regents’s petition and issue a writ of mandate to the superior court directing it to vacate its order overruling the Regents’s demurrer and to enter a new order sustaining the demurrer without leave to amend and dismissing the action.
In both cases, hardware with PHI was stolen. It is not clear to me how the acquisition of devices with PHI is not an unauthorized or wrongful access to PHI.
In other words, I think both courts have gone way beyond the language of CMIA and the state legislature’s intent in passing CMIA. I hope the California Supreme Court agrees.