The Doctor Is In, but Your Medical Information Is Out Trends in California Privacy Cases Relating to Release of Medical Information

• Publication year: 2015
• Author: By Joseph R. Tiffany II, Connie J. Wolfe, Ph.D. and Allen Briskin

THE DOCTOR IS IN, BUT YOUR MEDICAL INFORMATION IS OUT TRENDS IN CALIFORNIA PRIVACY CASES RELATING TO RELEASE OF MEDICAL INFORMATION

By Joseph R. Tiffany II, Connie J. Wolfe, Ph.D. and Allen Briskin¹

Privacy breaches continue to be big news. In California, breaches of health care information are particularly sensitive, due to a number of state laws that provide legal remedies not available in other jurisdictions. While California's Civil Code sections 1798.29, 1798.82 and its Unfair Competition Law ("UCL")² are often relied on to remedy breaches of privacy, California also has the Confidentiality of Medical Information Act ("CMIA"),³ providing that an individual may recover $1,000 in nominal damages (plus actual damages if any) based on the negligent release of medical information by a health care provider or other covered party. As health care providers have moved toward the storage of medical data in large electronic databases containing information regarding many thousands of individuals, the potential number of people who may be affected by a single unauthorized release of medical information and the accompanying potential liability have skyrocketed. Until the past two years, however, there was little published authority interpreting the CMIA's definition of "medical information" or its prohibition on the "release" of such information. California courts have now provided guidance on these two critical issues affecting the potential liability of providers and others who sustain health care data breaches.

I. SCOPE OF THE CMIA

The CMIA, enacted in 1981 and since amended several times, obligates any "provider of health care, health care service plan, pharmaceutical company or contractor" to maintain "medical information . . . in a manner that preserves the confidentiality of the information contained therein."⁴ "Contractors" under the CMIA include medical groups, independent practice associations, certain pharmaceutical benefits managers and medical service organizations. The CMIA has recently been broadened to cover businesses that are "organized for the purpose of maintaining medical information" and "any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information" (e.g., personal health record vendors), even though such entities are excluded from the definition of "provider of health care for purposes of any law other than this part, [section 56.06]."⁵

[Page 206]

The CMIA generally prohibits the disclosure of an individual's medical information without the individual's authorization, unless a specific exception applies or the disclosure is required by law.⁶ Health care providers and other parties subject to the CMIA are prohibited from sharing, selling, using for marketing purposes or otherwise using medical information for a purpose not necessary to provide health care services unless "expressly authorized."⁷ In addition, the CMIA requires employers who obtain employee medical information to handle it confidentially and similarly prohibits their unauthorized disclosure of such information.⁸

The CMIA applies only to "medical information," which is defined as "any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment."⁹

Under this definition, for information to constitute "medical information," three elements must be established:

1. There must be individually identifiable information regarding an individual's medical history, mental or physical condition, or treatment;
2. Such information must be in the possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor; and
3. Such information must pertain to a "patient" of a provider of health care, i.e., one who has received health care services from that provider of health care.

The CMIA also includes a detailed list of specific medical information excluded from coverage under the Act. Data found in certain types of public social services records, industrial accident documentation,¹⁰ and law enforcement records, among other sources, are on the exclusion list.¹¹

Violations of the CMIA are subject to harsh penalties, which are in addition to any other remedies available to a plaintiff.¹² Such damages and penalties include:

Damages for Economic Loss: Any patient who has sustained economic loss or personal injury resulting from violation of any of the following prohibitions may recover

[Page 207]

compensatory damages; punitive damages (not to exceed $3,000); attorneys' fees (not to exceed $1,000); and the costs of litigation.¹³ The prohibitions include: unauthorized "disclosure" of a patient's medical information; ¹⁴ unauthorized "release" of information regarding outpatient psychotherapy treatment;¹⁵ violation of the CMIA's limitations on the use and disclosure of medical information by employers;¹⁶ and third party administrators' "knowingly" using, disclosing or permitting its employees or agents to use or disclose medical information, except as reasonably necessary in connection with the administration or maintenance of the program, or with authorization.¹⁷

Damages for Negligent Disclosure: Any covered party "who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information"¹⁸in violation of California Civil Code section 56.101 is subject to the following remedies under section 56.36(b): nominal damages of $1,000 (which does not require "that the plaintiff suffered or was threatened with actual damages");¹⁹ and/or actual damages, if any.

Civil/Criminal Penalties: If a violation of the CMIA results in an economic loss or personal injury to a patient, it is punishable as a misdemeanor.²⁰ For negligent disclosures, an administrative remedy or civil penalty of up to $2,500 per violation may be assessed.²¹A person or entity (other than a licensed health care professional) who knowingly and willfully "obtains, discloses, or uses medical information in violation of [the CMIA] shall be liable for an administrative fine or civil penalty not to exceed $25,000 per violation."²²If the violation was carried out "for . . . purpose[s] of financial gain," the penalty may be increased to $250,000 per violation and violators are also subject to disgorgement of any proceeds of that unlawful use.²³ Licensed health care professionals are subject to staggered penalties, ranging from $2,500 to $25,000 per violation.²⁴ If such professionals engaged in the violation "for financial gain," the penalty ranges from $5,000 to $250,000 per violation (for the third and subsequent violations), and disgorgement is also available at the highest tier.²⁵

[Page 208]

II. JUDICIAL INTERPRETATION OF THE SCOPE OF MEDICAL INFORMATION UNDER THE CMIA

In the years since the CMIA was implemented, various California courts have provided some guidance in further defining the term "medical information." The California Supreme Court clarified that the accuracy of the information is not at issue—a CMIA claim does not require a plaintiff to show that the disclosure was false or misleading.²⁶ In addition, the California Court of Appeal for the Second District held that the term "medical information" under the CMIA is "broadly defined" and "[t]here is no question that 'the patient's name, address, age, and sex' when combined with 'a general description of the reason for treatment'; 'the general nature of the injury'; and 'the general condition of the patient' comprise 'medical information.'"²⁷ In another case, the Court of Appeal for the Second District held that the fact that a patient "received in vitro fertilization was clearly 'medical information' as defined in section 56.05, subdivision (g)."²⁸ In contrast, an anesthesiologist's loud verbal review of a patient's chart, including her HIV status, in a location where other patients could overhear was held not to violate the CMIA when there was no evidence that potential listeners were able to see the patient during the discussion and the defendant did not use the plaintiff's full name, or disclose any other individually identifying information specified in the statute that would disclose her identity.²⁹

Consequently, since the CMIA's enactment, it has been unclear just how broadly the term "medical information" could be defined. As a result, until last year's decision in Eisenhower Medical Center v. Superior Court (Malanche), 226 Cal.App.4th 430 (Cal. Ct. App. 2014), it remained possible that the term could be construed as broadly as is the term "individually identifiable health information" under the Health Insurance Portability and Accountability Act ("HIPAA"), the federal statute providing privacy and security standards for health information. For example, in the preamble to the HIPAA Privacy Rule,³⁰ the Department of Health and Human Services ("HHS") stated that a record that simply identifies the individual and provides the name of a health care provider that has provided unspecified services to the patient (e.g., hospital or physician) can, without any additional information being present, constitute individually identifiable health information. The HHS's approach appears to be based on the reasoning that an individual's provider-patient relationship with a specific health care provider is information that "relates" broadly to the individual's health or condition, or health care

[Page 209]

received, and thus information may legally "relate" to an individual's health or condition without divulging anything substantive about it. In the same way, "medical information" under the CMIA, defined as information that "regards" a patient's medical history or physical condition, could potentially be deemed to apply to information as limited as the name of the health care...