BILL ANALYSIS



                                                                  AB 439
                                                                  Page  1

          CONCURRENCE IN SENATE AMENDMENTS
          AB 439 (Skinner)
          As Amended August 24, 2012
          Majority vote
           
           --------------------------------------------------------------------- 
          |ASSEMBLY:  |78-0 |(May 23, 2011)  |SENATE: |37-0 |(August 28, 2012)  |
           --------------------------------------------------------------------- 
            
           Original Committee Reference:    JUD.  

           SUMMARY  :  Establishes an affirmative defense against specified 
          liability under the Confidentiality of Medical Information Act.  
          Specifically,  this bill  provides that:

          1)In an action brought by an individual pursuant to the 
            Confidentiality of Medical Information Act, on or after 
            January 1, 2013, the court shall award any actual damages, and 
            reasonable attorneys' fees and costs, but may not award 
            nominal damages for a violation of this part if the defendant 
            establishes all of the following as an affirmative defense:

             a)   The defendant is a covered entity, as defined in Code of 
               Federal Regulations Section 160.103 of Title 45;

             b)   The defendant has complied with any obligations to 
               notify all persons entitled to receive notice regarding the 
               release of the information or records; 

             c)   The release of confidential information or records was 
               solely to another covered entity or business associate;

             d)   The release of confidential medical information was not 
               an incident of identity theft, as defined; 

             e)   The defendant took appropriate preventive actions to 
               protect the confidential information or records against 
               release, retention, or use by any person or entity other 
               than the covered entity that received the information or 
               records, including, but not limited to:  

               i)     Developing and implementing security policies and 
                 procedures; 

               ii)    Designating a security official who is responsible 
                 for developing and implementing its security policies and 
                 procedures, including educating and training the 
                 workforce;

               iii)   Encryption of the information or records, or 
                 transmitting the records in a manner designed to achieve 
                 equal or greater protection of the medical information. 

             f)   The defendant took reasonable and appropriate corrective 
               action after the release of the confidential records or 
               information and the covered entity that received the 
               information or records destroyed or returned the 
               information or records without unreasonable delay;

             g)   The covered entity that received the confidential 
               information or records did not retain, use, or release the 
               information or records; and,

             h)   After release of the records the defendant took 
               reasonable and appropriate steps to prevent a future 
               similar release. 

             i)   The defendant has not previously established an 
               affirmative defense pursuant to the provisions above, or, 
               in the court's discretion, application of the prior 
               affirmative defense is found to be compelling and 
               consistent with the purposes of this section to promote 
               reasonable conduct in light of all the facts.

          2)A defendant shall not be liable for more than one judgment on 
            the merits for a violation of this subdivision.

          3)In determining whether the affirmative defense is 
            established, the court shall consider the equity of the 
            situation, including whether the defendant has previously 
            violated this part, regardless of whether an action was 
            brought, and the nature of the violation.

          4)A plaintiff shall be entitled to recover reasonable attorney's 
            fees and costs without regard to an actual award of nominal or 
            actual damages or the imposition of administrative fines or 
            civil penalties. 

           The Senate amendments  : 

          1)Specify that the encryption element of the above defense may 
            be met by transmitting the information in a manner designed to 
            offer equal or greater protection of the information. 

          2)Require, as an additional condition of establishing an 
            affirmative defense, that after release of the records the 
            defendant took reasonable and appropriate steps to prevent a 
            future similar release. 

          3)Specify that in determining whether an affirmative defense is 
            established, the court shall consider the equity of the 
            situation, including whether the defendant has previously 
            violated this part, regardless of whether an action was 
            brought, and the nature of the violation.

          4)Specify that a plaintiff shall be entitled to recover 
            reasonable attorney's fees and costs without regard to an 
            actual award of nominal or actual damages or the imposition of 
            administrative fines or civil penalties. 

          5)Make technical amendments.
           
          AS PASSED BY THE ASSEMBLY  , this bill was substantially similar 
          to the version approved by the Senate.
           
          FISCAL EFFECT  :  None
           
          COMMENTS  :  A negligent release of confidential medical 
          information or records may be remedied by an action for damages 
          under the Confidentiality of Medical Information Act (CMIA).  In 
          addition to an award of actual damages, the CMIA allows recovery 
          of nominal damages of $1,000 for each violation.  Prompted by a 
          recent lawsuit, the author is concerned that this general rule 
          may lead to inappropriate results in particular types of cases 
          where the defendant has conducted itself reasonably, and a 
          measure of damages that may be out of proportion to the gravity 
          of the harm or the financial penalty needed to deter careless 
          behavior.  The bill does not seek to change the outcome or the 
          law applicable to any pending case, but to revise the law to 
          avoid incongruous results in future cases.  

          This bill would permit a defendant that has released information 
          to establish an affirmative defense in order to avoid the 
          imposition of purely nominal damages, and it sets forth the 
          required elements for establishing that defense.  While the 
          specific required elements of the affirmative defense are listed 
          above, suffice it to say that, in general, the bill would permit an 
          affirmative defense where the defendant has complied with all 
          notification requirements, has only released the information to 
          another covered entity or business associate, and where both the 
          releasing and receiving entities take reasonable and appropriate 
          steps to stop any further release or disclosure of the 
          information.  
           

          Analysis Prepared by  :    Thomas Clark/ JUD. / (916) 319-2334 


          FN: 0005752