BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Noreen Evans, Chair
2011-2012 Regular Session
AB 439 (Skinner)
As Amended June 28, 2011
Hearing Date: July 5, 2011
Fiscal: No
Urgency: No
SK
SUBJECT
Confidentiality of Medical Information Act
DESCRIPTION
Existing law provides that a plaintiff may bring an action for a
violation of the Confidentiality of Medical Information Act
(CMIA) and may recover nominal damages of $1,000. This bill
would provide an affirmative defense for such an action, so that
the plaintiff may not be awarded nominal damages if the
defendant establishes that defense, as specified. This bill
would apply to actions brought on or after January 1, 2012.
BACKGROUND
According to Privacy Rights Clearinghouse, 507 data breaches
involving medical and healthcare providers have been made public
since 2005. Those breaches involved more than 20 million
records. (http://www.privacyrights.org/data-breach/new.) Recent
press described the problem:
. . . data breaches have taken a wide array of forms. In one
case, a custodian traded more than 30,000 patient records for
$40 at a recycling center. In another, a hospital mistakenly
faxed medical records to an automobile repair shop, mistakenly
thinking it was a pharmacy. And there have been several
incidents of hospital employees posting information about
patients on Facebook or sharing pictures of patients via text
messages. ("Data leaks go beyond celebrities," Daily Journal,
November 16, 2010.)
In 1999, the Legislature passed and the Governor signed SB 19
(Figueroa, Ch. 526, Stats. 1999) which, among other things,
prohibited disclosure of confidential medical information and
created a cause of action to permit a plaintiff to recover
limited damages, including nominal damages, when his or her
confidential records are
negligently released.
In August 2010, a complaint was filed against, among others,
McKesson Corporation, owner of RelayHealth, alleging that the
defendants improperly disclosed confidential patient information
to the wrong pharmacy for marketing purposes. That case spurred
a legislative effort by McKesson to address its concerns that
existing law's nominal damages provision did not sufficiently
recognize an inadvertent disclosure of information from one
specified Health Insurance Portability and Accountability Act
(HIPAA) covered entity to another when the entity receiving the
mistakenly sent information immediately destroys it. While that
case has since settled, this bill would create an affirmative
defense against liability for nominal damages under the CMIA.
CHANGES TO EXISTING LAW
Existing law, the California Constitution, provides that all
people have inalienable rights, including the right to pursue
and obtain privacy. (Cal. Const. art. I, Sec. 1.)
Existing law prohibits a health care provider, health care
service plan, or contractor from disclosing medical information
regarding a patient, enrollee, or subscriber without first
obtaining an authorization, except as specified. (Civ. Code
Sec. 56.10(a).)
Existing law requires a health care provider, health care
service plan, or contractor to disclose medical information if
the disclosure is compelled as specified (Civ. Code Sec.
56.10(b)) and permits a health care provider or service plan to
disclose medical information in specified circumstances. (Civ.
Code Sec. 56.10(c).)
Existing law defines "medical information" to mean any
individually identifiable information, in electronic or physical
form, in possession of or derived from a provider of health
care, health care service plan, pharmaceutical company, or
contractor regarding a patient's medical history, mental or
physical condition, or treatment. Existing law defines
"individually identifiable" to mean that the medical information
includes or contains any element of personal identifying
information sufficient to allow identification of the
individual, such as the patient's name, address, electronic mail
address, telephone number, or social security number, or other
information that, alone or in combination with other publicly
available information, reveals the individual's identity. (Civ.
Code Sec. 56.05(g).)
Existing federal law, the Health Insurance Portability and
Accountability Act (HIPAA), specifies privacy protections for
patients' protected health information and generally provides
that a covered entity, as defined (health plan, health care
provider, and health care clearing house), may not use or
disclose protected health information except as specified or as
authorized by the patient in writing. (45 C.F.R. Sec. 164.500
et seq.)
Existing law requires a health care provider, health care
service plan, pharmaceutical company, or contractor who creates,
maintains, preserves, stores, abandons, destroys, or disposes of
medical records to do so in a manner that preserves the
confidentiality of the information contained within those
records. Existing law provides that any provider of health
care, health care service plan, pharmaceutical company, or
contractor who negligently creates, maintains, preserves,
stores, abandons, destroys, or disposes of medical records shall
be subject to existing remedies and penalties, as specified.
(Civ. Code Sec. 56.101.)
Existing law provides that a plaintiff may bring an action
against any person or entity who has negligently released his or
her confidential information or records in violation of the CMIA
as follows:
nominal damages of $1,000; and
the amount of actual damages. (Civ. Code Sec. 56.36(b).)
Existing law specifies that in order to recover nominal damages,
it is not necessary that the plaintiff suffered or was
threatened with actual damages. (Civ. Code Sec. 56.36(b).)
This bill would provide that, in an action brought by an
individual pursuant to the above provisions (Civ. Code Sec.
56.36(b)), a court shall award any actual damages and reasonable
attorney's fees and costs, but may not award any nominal damages
if the defendant establishes all of the following as an
affirmative defense:
the defendant is a covered entity as defined under HIPAA;
the defendant has complied with any obligations to notify all
persons entitled to receive notice regarding the release of
the information or records;
the release of confidential information or records was solely
to another covered entity;
the defendant took appropriate preventive actions to protect
the confidential information or records against release,
retention, or use by any person or entity other than the
covered entity that received the information or records,
including:
o developing and implementing security policies and
procedures;
o designating a security official who is responsible for
those security policies and procedures; and
o encrypting the information or records and protecting
against the release or use of the encryption key and
passwords, or transmitting the information or records in a
manner designed to provide similar protections against
improper disclosures;
the defendant took appropriate corrective action after the
release of the confidential records or information, and the
covered entity that received the information or records
immediately destroyed or returned the information or records;
the covered entity that received the confidential information
or records did not retain, use, or release the information or
records; and
the defendant has not been found liable for a violation of
CMIA within the three years preceding the alleged violation,
or the court determines that application of the affirmative
defense is found to be compelling and consistent with the
purposes of this section to promote reasonable conduct in
light of all the facts.
This bill would provide that a plaintiff shall be entitled to
recover reasonable attorney's fees and costs without regard to
an award of actual or nominal damages.
This bill would specify that a defendant shall not be liable for
more than one judgment on the merits for a violation of these
provisions.
COMMENT
1. Stated need for the bill:
The author writes:
AB 439 establishes an affirmative defense against liability
for nominal damages under the CMIA. The defense is narrowly
crafted to strike a balance between the need to preserve
strong deterrents to protect against careless release of
confidential patient information and the need to recognize the
real complexities imposed on California businesses by current
privacy laws.
The CMIA allows patients whose medical information is released
in violation of the act to sue for damages. In addition to
actual damages, nominal damages of $1,000 are permitted. When
a health care provider's improper release of information
involves many patients, current law authorizes a large award
of nominal damages since $1,000 may be recovered for each
patient affected. This may result under current law despite
the fact that the health care provider has taken appropriate
steps to protect the information before its release and also
taken corrective actions after the release, even if the
patients suffered no actual provable damages from the
violation.
2. Recent amendments raise privacy concerns
This bill would create an affirmative defense against liability
for nominal damages under CMIA provided that the defendant meets
a number of specified conditions. The bill was recently amended
on June 28, 2011, and those amendments raise significant
concerns about the bill's impact on patient privacy, as
described below.
a. Prior violations more than three years old
Prior to the June 28th amendments, this bill provided that a
defendant could establish the affirmative defense if, among
other things, the defendant had not previously violated the
CMIA (or in the judge's discretion, as specified). The most
recent amendments, however, revise that provision to instead
specify that in order to establish the defense, the defendant
must not have been found liable for a violation of CMIA within
the three years preceding the alleged violation. In other
words, a defendant may establish the affirmative defense if
the defendant has not violated CMIA within the previous three
years. If the defendant violated the CMIA outside of that
three-year window, however, the defendant could still be able
to take advantage of the affirmative defense, and the court,
in evaluating whether the defendant met his or her burden of
proving the affirmative defense, would not be able to consider
those older violations. This revision was made to the bill in
an effort to address supporters' concern that, if the
defendant had previously violated CMIA, that defendant would
not be able to proceed with the affirmative defense (although
the judge would still have discretion to allow the defense
despite the defendant's prior violations of the act).
The policy question thus raised by this provision is whether
the court, in deciding whether to permit the defendant to
proceed with the affirmative defense, should be required to
disregard the defendant's privacy violations of the CMIA older
than three years. Committee staff is unaware, as are the
bill's main supporters, of similar provisions in the codes.
In addition, this bill would provide that a defendant could
still take advantage of the affirmative defense if the court
determines that application of the affirmative defense is
compelling and consistent with the purposes of CMIA's
liability provisions to promote reasonable conduct in light of
all of the facts.
The Consumer Attorneys of California (CAOC), previously
neutral on the bill, now have an oppose unless amended
position on the measure and write:
The amended language would not allow the court to consider
the defendant's past violations if they occurred more than
three years in the past. Specifically, it uses a
mechanical approach to strip the court of its discretion to
consider past conduct. Conversely, the bill would still
give the court discretion to disregard more recent
violations. Under this approach, it is entirely possible
that a defendant may have committed a string of violations
more than three years ago, but a court would not be able to
consider any of those violations, no matter how egregious.
This mechanical approach is completely unbalanced and
strips the court of its long-held discretion. The
amendment to AB 439 will weaken measures meant to prevent
releases of confidential information and provide greater
protection to the defendants who release it.
Staff notes that the bill would also specify that a defendant
shall not be liable for more than one judgment on the merits
for a violation of these provisions. This provision is
intended to prevent "copycat" lawsuits.
In addition, existing law requires a court or administrative
agency, when imposing administrative fines or civil penalties,
to consider circumstances that relate to prior violations over
time. For example, the court or agency must consider the
number of violations, the persistence of the conduct, the
length of time over which the misconduct occurred, and the
willfulness of the defendant's conduct. This bill, on the
other hand, would require the court to disregard such
information if it relates to prior violations within the
preceding three-year period.
In order to address the above concerns, the bill should be
amended to restore this provision to the May 18th version of
the bill. In an effort to address the concern raised by
supporters that a prior violation would preclude application
of the affirmative defense, the bill should also be amended to
relax somewhat the standard that a court must use in
determining whether a defendant may proceed with the
affirmative defense despite having previously violated CMIA.
The following amendments would achieve this:
Suggested amendments
1. On page 5, beginning on line 4, strike "been found
liable for a violation of this part within the three
years preceding the alleged violation, or the court
determines that" and insert "previously violated this
part, or, in the court's discretion, despite the prior
violation,"
2. On page 5, line 7, strike "compelling" and insert
"essential"
b. Alternative to encryption
This bill would provide that a defendant may avail itself of
the affirmative defense created by the bill as long as the
defendant meets several conditions, including that the
defendant has taken appropriate preventive actions to protect
the confidential information including, among other things,
encrypting the information or records and protecting against
the release or use of the encryption key and passwords. The
June 28th amendments also provided that, in the alternative,
appropriate preventive actions could also include transmitting
the information or records in a manner designed to provide
similar protections against improper disclosures. According
to supporters, the amendment was intended to provide for
alternative methods of transmission besides encryption.
CAOC raises concerns about these amendments as well, writing:
Unfortunately, the phrase "similar protections" could mean
protections that are weaker. We recognize that it is
possible that current and future technologies may provide
the same or greater protection than encryption, but the
bill's amended language does nothing to ensure that
equivalent or superior methods are used. The current
language would weaken measures meant to prevent releases of
confidential information from ever happening, while
providing defendants protection from liability when they
use weaker protection methods.
It is important that the provisions of this bill do not
inadvertently weaken the strong protections of CMIA. For
example, it is recommended that health care providers not fax
patient information because of the possibility that the
records will remain on the recipient's fax machine, out in the
open. In addition, fax confirmations often contain the
information faxed, and fax machines store transmitted
information, which can be printed out later. It is arguably
problematic if this bill were to allow a defendant to take
advantage of the affirmative defense and obtain liability
protection when that defendant implemented an alternative to
encryption such as faxing patient information.
In addition, the June 28th amendments are also weaker in that
they require that the alternative method simply be "designed
to provide" similar protections rather than actually
"providing" those protections. In order to address these
concerns, but still ensure that safe, secure alternative
technologies may be used, the bill should be amended as
follows:
Suggested amendment
On page 4, line 34, delete "or" and delete lines 35-36 and
insert "transmitting the information or records in a manner
that provides equivalent or superior protections to prevent
the improper release of information"
3. Bill does not apply to pending litigation
Although this bill was prompted by a lawsuit against, among
others, McKesson Corporation, the bill does not apply to any
pending litigation. Instead, the bill specifies that its
provisions would apply in an action brought by a plaintiff on or
after January 1, 2012.
Support: California Association of Physician Groups; California
Healthcare Institute; California Hospital Association;
California Retailers Association; California Retired Teachers
Association; McKesson Corporation; National Association of Chain
Drug Stores
Opposition: Consumer Attorneys of California (unless amended)
HISTORY
Source: Author
Related Pending Legislation: None Known
Prior Legislation: None Known
Prior Vote:
Assembly Floor (Ayes 78, Noes 0)
Assembly Judiciary Committee (Ayes 10, Noes 0)
**************