BILL ANALYSIS

SENATE JUDICIARY COMMITTEE
Senator Noreen Evans, Chair
2011-2012 Regular Session

AB 439 (Skinner)
As Amended June 28, 2011
Hearing Date: July 5, 2011
Fiscal: No
Urgency: No
SK

SUBJECT

Confidentiality of Medical Information Act

DESCRIPTION

Existing law provides that a plaintiff may bring an action for a violation of the Confidentiality of Medical Information Act (CMIA) and may recover nominal damages of $1,000.

This bill would provide an affirmative defense for such an action, so that the plaintiff may not be awarded nominal damages if the defendant establishes that defense, as specified. This bill would apply to actions brought on or after January 1, 2012.

BACKGROUND

According to Privacy Rights Clearinghouse, 507 data breaches involving medical and healthcare providers have been made public since 2005. Those breaches involved more than 20 million records. (http://www.privacyrights.org/data-breach/new). Recent press described the problem:

. . . data breaches have taken a wide array of forms. In one case, a custodian traded more than 30,000 patient records for $40 at a recycling center. In another, a hospital mistakenly faxed medical records to an automobile repair shop, mistakenly thinking it was a pharmacy. And there have been several incidents of hospital employees posting information about patients on Facebook or sharing pictures of patients via text messages. ("Data leaks go beyond celebrities," Daily Journal, November 16, 2010.)

In 1999, the Legislature passed and the Governor signed SB 19 (Figueroa, Ch. 526, Stats. 1999) which, among other things, prohibited disclosure of confidential medical information and created a cause of action to permit a plaintiff to recover limited damages, including nominal damages, when his or her confidential records are negligently released.
In August 2010, a complaint was filed against, among others, McKesson Corporation, owner of RelayHealth, alleging that the defendants improperly disclosed confidential patient information to the wrong pharmacy for marketing purposes. That case spurred a legislative effort by McKesson to address its concerns that existing law's nominal damages provision did not sufficiently recognize an inadvertent disclosure of information from one specified Health Insurance Portability and Accountability Act (HIPAA) covered entity to another when the entity receiving the mistakenly sent information immediately destroys it. While that case has since settled, this bill would create an affirmative defense against liability for nominal damages under the CMIA.

CHANGES TO EXISTING LAW

Existing law, the California Constitution, provides that all people have inalienable rights, including the right to pursue and obtain privacy. (Cal. Const. art. I, Sec. 1.)

Existing law prohibits a health care provider, health care service plan, or contractor from disclosing medical information regarding a patient, enrollee, or subscriber without first obtaining an authorization, except as specified. (Civ. Code Sec. 56.10(a).)

Existing law requires a health care provider, health care service plan, or contractor to disclose medical information if the disclosure is compelled as specified (Civ. Code Sec. 56.10(b)) and permits a health care provider or service plan to disclose medical information in specified circumstances. (Civ. Code Sec. 56.10(c).)

Existing law defines "medical information" to mean any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment.
Existing law defines "individually identifiable" to mean that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity. (Civ. Code Sec. 56.05(g).)

Existing federal law, the Health Insurance Portability and Accountability Act (HIPAA), specifies privacy protections for patients' protected health information and generally provides that a covered entity, as defined (health plan, health care provider, and health care clearing house), may not use or disclose protected health information except as specified or as authorized by the patient in writing. (45 C.F.R. Sec. 164.500 et seq.)

Existing law requires a health care provider, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical records to do so in a manner that preserves the confidentiality of the information contained within those records. Existing law provides that any provider of health care, health care service plan, pharmaceutical company, or contractor who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical records shall be subject to existing remedies and penalties, as specified. (Civ. Code Sec. 56.101.)

Existing law provides that a plaintiff may bring an action against any person or entity who has negligently released his or her confidential information or records in violation of the CMIA as follows:

- nominal damages of $1,000; and
- the amount of actual damages. (Civ. Code Sec. 56.36(b).)
Existing law specifies that in order to recover nominal damages, it is not necessary that the plaintiff suffered or was threatened with actual damages. (Civ. Code Sec. 56.36(b).)

This bill would provide that, in an action brought by an individual pursuant to the above provisions (Civ. Code Sec. 56.36(b)), a court shall award any actual damages and reasonable attorney's fees and costs, but may not award any nominal damages if the defendant establishes all of the following as an affirmative defense:

- the defendant is a covered entity as defined under HIPAA;
- the defendant has complied with any obligations to notify all persons entitled to receive notice regarding the release of the information or records;
- the release of confidential information or records was solely to another covered entity;
- the defendant took appropriate preventive actions to protect the confidential information or records against release, retention, or use by any person or entity other than the covered entity that received the information or records, including:
  o developing and implementing security policies and procedures;
  o designating a security official who is responsible for those security policies and procedures; and
  o encrypting the information or records and protecting against the release or use of the encryption key and passwords, or transmitting the information or records in a manner designed to provide similar protections against improper disclosures;
- the defendant took appropriate corrective action after the release of the confidential records or information, and the covered entity that received the information or records immediately destroyed or returned the information or records;
- the covered entity that received the confidential information or records did not retain, use, or release the information or records; and
- the defendant has not been found liable for a violation of CMIA within the three years preceding the alleged violation, or the court determines that application of the affirmative defense is found to be compelling and consistent with the purposes of this section to promote reasonable conduct in light of all the facts.

This bill would provide that a plaintiff shall be entitled to recover reasonable attorney's fees and costs without regard to an award of actual or nominal damages.

This bill would specify that a defendant shall not be liable for more than one judgment on the merits for a violation of these provisions.

COMMENT

1. Stated need for the bill

The author writes:

AB 439 establishes an affirmative defense against liability for nominal damages under the CMIA. The defense is narrowly crafted to strike a balance between the need to preserve strong deterrents to protect against careless release of confidential patient information and the need to recognize the real complexities imposed on California businesses by current privacy laws. The CMIA allows patients whose medical information is released in violation of the act to sue for damages. In addition to actual damages, nominal damages of $1,000 are permitted. When a health care provider's improper release of information involves many patients, current law authorizes a large award of nominal damages since $1,000 may be recovered for each patient affected. This may result under current law despite the fact that the health care provider has taken appropriate steps to protect the information before its release and also taken corrective actions after the release, even if the patients suffered no actual provable damages from the violation.

2. Recent amendments raise privacy concerns

This bill would create an affirmative defense against liability for nominal damages under CMIA provided that the defendant meets a number of specified conditions. The bill was recently amended on June 28, 2011, and those amendments raise significant concerns about the bill's impact on patient privacy, as described below.

a. Prior violations more than three years old

Prior to the June 28th amendments, this bill provided that a defendant could establish the affirmative defense if, among other things, the defendant had not previously violated the CMIA (or in the judge's discretion, as specified). The most recent amendments, however, revise that provision to instead specify that in order to establish the defense, the defendant must not have been found liable for a violation of CMIA within the three years preceding the alleged violation. In other words, a defendant may establish the affirmative defense if the defendant has not violated CMIA within the previous three years. If the defendant violated the CMIA outside of that three-year window, however, the defendant could still be able to take advantage of the affirmative defense, and the court, in evaluating whether the defendant met his or her burden of proving the affirmative defense, would not be able to consider those older violations.

This revision was made to the bill in an effort to address supporters' concern that, if the defendant had previously violated CMIA, that defendant would not be able to proceed with the affirmative defense (although the judge would still have discretion to allow the defense despite the defendant's prior violations of the act). The policy question thus raised by this provision is whether the court, in deciding whether to permit the defendant to proceed with the affirmative defense, should be required to disregard the defendant's privacy violations of the CMIA older than three years. Committee staff is unaware, as are the bill's main supporters, of similar provisions in the codes.
In addition, this bill would provide that a defendant could still take advantage of the affirmative defense if the court determines that application of the affirmative defense is compelling and consistent with the purposes of CMIA's liability provisions to promote reasonable conduct in light of all of the facts.

The Consumer Attorneys of California (CAOC), previously neutral on the bill, now has an "oppose unless amended" position on the measure and writes:

The amended language would not allow the court to consider the defendant's past violations if they occurred more than three years in the past. Specifically, it uses a mechanical approach to strip the court of its discretion to consider past conduct. Conversely, the bill would still give the court discretion to disregard more recent violations. Under this approach, it is entirely possible that a defendant may have committed a string of violations more than three years ago, but a court would not be able to consider any of those violations, no matter how egregious. This mechanical approach is completely unbalanced and strips the court of its long-held discretion. The amendment to AB 439 will weaken measures meant to prevent releases of confidential information and provide greater protection to the defendants who release it.

Staff notes that the bill would also specify that a defendant shall not be liable for more than one judgment on the merits for a violation of these provisions. This provision is intended to prevent "copycat" lawsuits.

In addition, existing law requires a court or administrative agency, when imposing administrative fines or civil penalties, to consider circumstances that relate to prior violations over time. For example, the court or agency must consider the number of violations, the persistence of the conduct, the length of time over which the misconduct occurred, and the willfulness of the defendant's conduct.
This bill, on the other hand, would require the court to disregard such information if it relates to prior violations within the preceding three-year period.

In order to address the above concerns, the bill should be amended to restore this provision to the May 18th version of the bill. In an effort to address the concern raised by supporters that a prior violation would preclude application of the affirmative defense, the bill should also be amended to relax somewhat the standard that a court must use in determining whether a defendant may proceed with the affirmative defense despite having previously violated CMIA. The following amendments would achieve this:

Suggested amendments

1. On page 5, beginning on line 4, strike "been found liable for a violation of this part within the three years preceding the alleged violation, or the court determines that" and insert "previously violated this part, or, in the court's discretion, despite the prior violation,"

2. On page 5, line 7, strike "compelling" and insert "essential"

b. Alternative to encryption

This bill would provide that a defendant may avail itself of the affirmative defense created by the bill as long as the defendant meets several conditions, including that the defendant has taken appropriate preventive actions to protect the confidential information including, among other things, encrypting the information or records and protecting against the release or use of the encryption key and passwords. The June 28th amendments also provided that, in the alternative, appropriate preventive actions could also include transmitting the information or records in a manner designed to provide similar protections against improper disclosures. According to supporters, the amendment was intended to provide for alternative methods of transmission besides encryption.
CAOC raises concerns about these amendments as well, writing:

Unfortunately, the phrase "similar protections" could mean protections that are weaker. We recognize that it is possible that current and future technologies may provide the same or greater protection than encryption, but the bill's amended language does nothing to ensure that equivalent or superior methods are used. The current language would weaken measures meant to prevent releases of confidential information from ever happening, while providing defendants protection from liability when they use weaker protection methods.

It is important that the provisions of this bill do not inadvertently weaken the strong protections of CMIA. For example, it is recommended that health care providers not fax patient information because of the possibility that the records will remain on the recipient's fax machine, out in the open. In addition, fax confirmations often contain the information faxed, and fax machines store transmitted information which can be later printed out. It is arguably problematic if this bill were to allow a defendant to take advantage of the affirmative defense and obtain liability protection when that defendant implemented an alternative to encryption such as faxing patient information. In addition, the June 28th amendments are also weaker in that they require that the alternative method simply be "designed to provide" similar protections rather than actually "providing" those protections.

In order to address these concerns, but still ensure that safe, secure alternative technologies may be used, the bill should be amended as follows:

Suggested amendment

On page 4, line 34, delete "or" and delete lines 35-36 and insert "transmitting the information or records in a manner that provides equivalent or superior protections to prevent the improper release of information"

3. Bill does not apply to pending litigation

Although this bill was prompted by a lawsuit against, among others, McKesson Corporation, the bill does not apply to any pending litigation. Instead, the bill specifies that its provisions would apply in an action brought by a plaintiff on or after January 1, 2012.

Support: California Association of Physician Groups; California Healthcare Institute; California Hospital Association; California Retailers Association; California Retired Teachers Association; McKesson Corporation; National Association of Chain Drug Stores

Opposition: Consumer Attorneys of California (unless amended)

HISTORY

Source: Author

Related Pending Legislation: None Known

Prior Legislation: None Known

Prior Vote: Assembly Floor (Ayes 78, Noes 0); Assembly Judiciary Committee (Ayes 10, Noes 0)