BILL ANALYSIS Ó AB 439 Page 1 CONCURRENCE IN SENATE AMENDMENTS AB 439 (Skinner) As Amended August 24, 2012 Majority vote ----------------------------------------------------------------- |ASSEMBLY: |78-0 |(May 23, 2011) |SENATE: |37-0 |(August 28, | | | | | | |2012) | ----------------------------------------------------------------- Original Committee Reference: JUD. SUMMARY : Establishes an affirmative defense against specified liability under the Confidentiality of Medical Information Act. Specifically, this bill provides that: 1)In an action brought by an individual pursuant to the Confidentiality of Medical Information Act, on or after January 1, 2013, the court shall award any actual damages, and reasonable attorneys' fees and costs, but may not award nominal damages for a violation of this part if the defendant establishes all of the following as an affirmative defense: a) The defendant is a covered entity, as defined in Code of Federal Regulations Section 160.103 of Title 45; b) The defendant has complied with any obligations to notify all persons entitled to receive notice regarding the release of the information or records; c) The release of confidential information or records was solely to another covered entity or business associate; d) The release of confidential medical information was not an incident of identity theft, as defined; e) The defendant took appropriate preventive actions to protect the confidential information or records against release, retention, or use by any person or entity other than the covered entity that received the information or records, including, but not limited to,: i) Developing and implementing security policies and procedures; AB 439 Page 2 ii) Designating a security official who is responsible for developing and implementing its security policies and procedures, including educating and training the workforce; iii) Encryption of the information or records, or transmitting the records in a manner designed to achieve equal or greater protection of the medical information. f) The defendant took reasonable and appropriate corrective action after the release of the confidential records or information and the covered entity that received the information or records destroyed or returned the information or records without unreasonable delay; g) The covered entity that received the confidential information or records did not retain, use, or release the information or records; and, h) After release of the records the defendant took reasonable and appropriate steps to prevent a future similar release. i) The defendant has not previously established an affirmative defense pursuant to the provisions above, or, in the court's discretion, application of the prior affirmative defense is found to be compelling and consistent with the purposes of this section to promote reasonable conduct in light of the all the facts. 2)A defendant shall not be liable for more than one judgment on the merits for a violation of this subdivision. 3)In determining whether the affirmative defenses is established, the court shall consider the equity of the situation, including whether the defendant as previously violated this part, regardless of whether an action was brought, and the nature of the violation. 4)A plaintiff shall be entitled to recover reasonable attorney's fees and costs without regard to an actual award of nominal or actual damages or the imposition of administrative fines or civil penalties. The Senate amendments : AB 439 Page 3 1)Specify that the encryption element of the above defense may be met by transmitting the information in a manner designed to offer equal or greater protection of the information. 2)Require, as an additional condition of establishing an affirmative defense, that after release of the records the defendant took reasonable and appropriate steps to prevent a future similar release. 3)Specify that in determining whether an affirmative defense is established, the court shall consider the equity of the situation, including whether the defendant has previously violated this part, regardless of whether an action was brought, and the nature of the violation. 4)Specify that a plaintiff shall be entitled to recover reasonable attorney's fees and costs without regard to an actual award of nominal or actual damages or the imposition of administrative fines or civil penalties. 5)Make technical amendments. AS PASSED BY THE ASSEMBLY , this bill was substantially similar to the version approved by the Senate. FISCAL EFFECT : None COMMENTS : A negligent release of confidential medical information or records may be remedied by an action for damages under the Confidentiality of Medical Information Act (CMIA). In addition to an award of actual damages, the CMIA allows recovery of nominal damages of $1,000 for each violation. Prompted by a recent law suit, the author is concerned that this general rule may lead to inappropriate results in particular types of cases where the defendant has conducted itself reasonably, and a measure of damages that may be out of proportion to the gravity of the harm or the financial penalty needed to deter careless behavior. The bill does not seek to change the outcome or the law applicable to any pending case, but to revise the law to avoid incongruous results in future cases. This bill would permit a defendant that has released information to establish an affirmative defense in order to avoid the imposition of purely nominal damages, and its sets forth the AB 439 Page 4 required elements for establishing that defense. While the specific required elements of the affirmative defense are listed above, suffice to say that, in general, the bill would permit an affirmative defense where the defendant has complied with all notification requirements, has only released the information to another covered entity or business associate, and where both the releasing and receiving entities take reasonable and appropriate steps to stop any further release or disclosure of the information. Analysis Prepared by : Thomas Clark/ JUD. / (916) 319-2334 FN: 0005752