BILL NUMBER: AB 439	CHAPTERED
	BILL TEXT

	CHAPTER  437
	FILED WITH SECRETARY OF STATE  SEPTEMBER 22, 2012
	APPROVED BY GOVERNOR  SEPTEMBER 22, 2012
	PASSED THE SENATE  AUGUST 28, 2012
	PASSED THE ASSEMBLY  AUGUST 29, 2012
	AMENDED IN SENATE  AUGUST 24, 2012
	AMENDED IN SENATE  AUGUST 7, 2012
	AMENDED IN SENATE  JUNE 15, 2012
	AMENDED IN SENATE  JUNE 28, 2011
	AMENDED IN ASSEMBLY  MAY 18, 2011
	AMENDED IN ASSEMBLY  APRIL 7, 2011

INTRODUCED BY   Assembly Member Skinner

                        FEBRUARY 14, 2011

   An act to amend Section 56.36 of the Civil Code, relating to
health care information.


	LEGISLATIVE COUNSEL'S DIGEST


   AB 439, Skinner. Health care information.
   Existing law, the Confidentiality of Medical Information Act
(CMIA), prohibits a health care provider, a contractor, or a health
care service plan from disclosing medical information, as defined,
regarding a patient of the provider or an enrollee or subscriber of
the health care service plan without first obtaining an
authorization, except as specified. In addition to other remedies
available, existing law authorizes an individual to bring an action
against any person or entity who has negligently released his or her
confidential records in violation of those provisions for nominal
damages of $1,000.
   This bill would specify that, in an action brought on or after
January 1, 2013, a court may not award nominal damages if the
defendant establishes specified factors as an affirmative defense,
including, but not limited to, that it is a covered entity or
business associate, as defined, that it has complied with any
obligations to notify persons entitled to receive notice regarding
the release of the information, and that it has taken appropriate
preventative actions to protect the confidential information or
records against release consistent with federal law, as specified.
The bill would provide that if an affirmative defense is established
as described above, the defendant shall not be liable for more than
one judgment on the merits for releases of confidential information
or records arising out of the same event, transaction, or occurrence.



THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  SECTION 1.  Section 56.36 of the Civil Code is amended to read:
   56.36.  (a) Any violation of the provisions of this part that
results in economic loss or personal injury to a patient is
punishable as a misdemeanor.
   (b) In addition to any other remedies available at law, any
individual may bring an action against any person or entity who has
negligently released confidential information or records concerning
him or her in violation of this part, for either or both of the
following:
   (1) Except as provided in subdivision (e), nominal damages of one
thousand dollars ($1,000). In order to recover under this paragraph,
it shall not be necessary that the plaintiff suffered or was
threatened with actual damages.
   (2) The amount of actual damages, if any, sustained by the
patient.
   (c) (1) In addition, any person or entity that negligently
discloses medical information in violation of the provisions of this
part shall also be liable, irrespective of the amount of damages
suffered by the patient as a result of that violation, for an
administrative fine or civil penalty not to exceed two thousand five
hundred dollars ($2,500) per violation.
   (2) (A) Any person or entity, other than a licensed health care
professional, who knowingly and willfully obtains, discloses, or uses
medical information in violation of this part shall be liable for an
administrative fine or civil penalty not to exceed twenty-five
thousand dollars ($25,000) per violation.
   (B) Any licensed health care professional, who knowingly and
willfully obtains, discloses, or uses medical information in
violation of this part shall be liable on a first violation, for an
administrative fine or civil penalty not to exceed two thousand five
hundred dollars ($2,500) per violation, or on a second violation for
an administrative fine or civil penalty not to exceed ten thousand
dollars ($10,000) per violation, or on a third and subsequent
violation for an administrative fine or civil penalty not to exceed
twenty-five thousand dollars ($25,000) per violation. Nothing in this
subdivision shall be construed to limit the liability of a health
care service plan, a contractor, or a provider of health care that is
not a licensed health care professional for any violation of this
part.
   (3) (A) Any person or entity, other than a licensed health care
professional, who knowingly or willfully obtains or uses medical
information in violation of this part for the purpose of financial
gain shall be liable for an administrative fine or civil penalty not
to exceed two hundred fifty thousand dollars ($250,000) per violation
and shall also be subject to disgorgement of any proceeds or other
consideration obtained as a result of the violation.
   (B) Any licensed health care professional, who knowingly and
willfully obtains, discloses, or uses medical information in
violation of this part for financial gain shall be liable on a first
violation, for an administrative fine or civil penalty not to exceed
five thousand dollars ($5,000) per violation, or on a second
violation for an administrative fine or civil penalty not to exceed
twenty-five thousand dollars ($25,000) per violation, or on a third
and subsequent violation for an administrative fine or civil penalty
not to exceed two hundred fifty thousand dollars ($250,000) per
violation and shall also be subject to disgorgement of any proceeds
or other consideration obtained as a result of the violation. Nothing
in this subdivision shall be construed to limit the liability of a
health care service plan, a contractor, or a provider of health care
that is not a licensed health care professional for any violation of
this part.
   (4) Nothing in this subdivision shall be construed as authorizing
an administrative fine or civil penalty under both paragraphs (2) and
(3) for the same violation.
   (5) Any person or entity who is not permitted to receive medical
information pursuant to this part and who knowingly and willfully
obtains, discloses, or uses medical information without written
authorization from the patient shall be liable for a civil penalty
not to exceed two hundred fifty thousand dollars ($250,000) per
violation.
   (d) In assessing the amount of an administrative fine or civil
penalty pursuant to subdivision (c), the Office of Health Information
Integrity, licensing agency, or certifying board or court shall
consider any one or more of the relevant circumstances presented by
any of the parties to the case including, but not limited to, the
following:
   (1) Whether the defendant has made a reasonable, good faith
attempt to comply with this part.
   (2) The nature and seriousness of the misconduct.
   (3) The harm to the patient, enrollee, or subscriber.
   (4) The number of violations.
   (5) The persistence of the misconduct.
   (6) The length of time over which the misconduct occurred.
   (7) The willfulness of the defendant's misconduct.
   (8) The defendant's assets, liabilities, and net worth.
   (e) (1) In an action brought by an individual pursuant to
subdivision (b) on or after January 1, 2013, in which the defendant
establishes the affirmative defense in paragraph (2), the court shall
award any actual damages and reasonable attorney's fees and costs,
but may not award nominal damages for a violation of this part.
   (2) The defendant is entitled to an affirmative defense if all of
the following are established, subject to the equitable
considerations in paragraph (3):
   (A) The defendant is a covered entity or business associate, as
defined in Section 160.103 of Title 45 of the Code of Federal
Regulations, in effect as of January 1, 2012.
   (B) The defendant has complied with any obligations to notify all
persons entitled to receive notice regarding the release of the
information or records.
   (C) The release of confidential information or records was solely
to another covered entity or business associate.
   (D) The release of confidential information or records was not an
incident of medical identity theft. For purposes of this
subparagraph, "medical identity theft" means the use of an
individual's personal information, as defined in Section 1798.80, without the
individual's knowledge or consent, to obtain medical goods or
services, or to submit false claims for medical services.
   (E) The defendant took appropriate preventive actions to protect
the confidential information or records against release consistent
with the defendant's obligations under this part or other applicable
state law and the Health Insurance Portability and Accountability Act
of 1996 (Public Law 104-191) (HIPAA) and all HIPAA Administrative
Simplification Regulations in effect on January 1, 2012, contained in
Parts 160, 162, and 164 of Title 45 of the Code of Federal
Regulations and Part 2 of Title 42 of the Code of Federal
Regulations, including, but not limited to:
   (i) Developing and implementing security policies and procedures.
   (ii) Designating a security official who is responsible for
developing and implementing its security policies and procedures,
including educating and training the workforce.
   (iii) Encrypting the information or records, and protecting
against the release or use of the encryption key and passwords, or
transmitting the information or records in a manner designed to
provide equal or greater protections against improper disclosures.
   (F) The defendant took reasonable and appropriate corrective
action after the release of the confidential information or records,
and the covered entity or business associate that received the
confidential information or records destroyed or returned the
confidential information or records in the most expedient time
possible and without unreasonable delay, consistent with any measures
necessary to determine the scope of the breach and restore the
reasonable integrity of the data system. A court may consider this
subparagraph to be established if the defendant shows in detail that
the covered entity or business associate could not destroy or return
the confidential information or records because of the technology
utilized.
   (G) The covered entity or business associate that received the
confidential information or records, or any of its agents,
independent contractors, or employees, regardless of the scope of the
employee's employment, did not retain, use, or release the
information or records.
   (H) After the release of the confidential information or records,
the defendant took reasonable and appropriate action to prevent a
future similar release of confidential information or records.
   (I) The defendant has not previously established an affirmative
defense pursuant to this subdivision, or the court determines, in its
discretion, that application of the affirmative defense is
compelling and consistent with the purposes of this section to
promote reasonable conduct in light of all the facts.
   (3) (A) In determining whether the affirmative defense may be
established pursuant to paragraph (2), the court shall consider the
equity of the situation, including, but not limited to, (i) whether
the defendant has previously violated this part, regardless of
whether an action has previously been brought, and (ii) the nature of
the prior violation.
   (B) To the extent the court allows discovery to determine whether
there has been any other violation of this part that the court will
consider in balancing the equities, the defendant shall not provide
any medical information, as defined in Section 56.05. The court, in
its discretion, may enter a protective order prohibiting the further
use of any personal information, as defined in Section 1798.80, about
the individual whose medical information may have been disclosed in
a prior violation.
   (4) In an action under this subdivision in which the defendant
establishes the affirmative defense pursuant to paragraph (2), a
plaintiff shall be entitled to recover reasonable attorney's fees and
costs without regard to an award of actual or nominal damages or the
imposition of administrative fines or civil penalties.
   (5) In an action brought by an individual pursuant to subdivision
(b) on or after January 1, 2013, in which the defendant establishes
the affirmative defense pursuant to paragraph (2), a defendant shall
not be liable for more than one judgment on the merits under this
subdivision for releases of confidential information or records
arising out of the same event, transaction, or occurrence.
   (f) (1) The civil penalty pursuant to subdivision (c) shall be
assessed and recovered in a civil action brought in the name of the
people of the State of California in any court of competent
jurisdiction by any of the following:
   (A) The Attorney General.
   (B) Any district attorney.
   (C) Any county counsel authorized by agreement with the district
attorney in actions involving violation of a county ordinance.
   (D) Any city attorney of a city.
   (E) Any city attorney of a city and county having a population in
excess of 750,000, with the consent of the district attorney.
   (F) A city prosecutor in any city having a full-time city
prosecutor or, with the consent of the district attorney, by a city
attorney in any city and county.
   (G) The Director of the Office of Health Information Integrity may
recommend that any person described in subparagraphs (A) to (F),
inclusive, bring a civil action under this section.
   (2) If the action is brought by the Attorney General, one-half of
the penalty collected shall be paid to the treasurer of the county in
which the judgment was entered, and one-half to the General Fund. If
the action is brought by a district attorney or county counsel, the
penalty collected shall be paid to the treasurer of the county in
which the judgment was entered. Except as provided in paragraph (3),
if the action is brought by a city attorney or city prosecutor,
one-half of the penalty collected shall be paid to the treasurer of
the city in which the judgment was entered and one-half to the
treasurer of the county in which the judgment was entered.
   (3) If the action is brought by a city attorney of a city and
county, the entire amount of the penalty collected shall be paid to
the treasurer of the city and county in which the judgment was
entered.
   (4) Nothing in this section shall be construed as authorizing both
an administrative fine and civil penalty for the same violation.
   (5) Imposition of a fine or penalty provided for in this section
shall not preclude imposition of any other sanctions or remedies
authorized by law.
   (6) Administrative fines or penalties issued pursuant to Section
1280.15 of the Health and Safety Code shall offset any other
administrative fine or civil penalty imposed under this section for
the same violation.
   (g) For purposes of this section, "knowing" and "willful" shall
have the same meanings as in Section 7 of the Penal Code.
   (h) No person who discloses protected medical information in
accordance with the provisions of this part shall be subject to the
penalty provisions of this part.