BILL ANALYSIS ��
AB 439
Page 1
Date of Hearing: May 10, 2011
ASSEMBLY COMMITTEE ON JUDICIARY
Mike Feuer, Chair
AB 439 (Skinner) - As Amended: April 7, 2011
As Proposed to be Amended
SUBJECT : HEALTH CARE INFORMATION
KEY ISSUE : SHOULD CALIFORNIA RECOGNIZE A NEW AFFIRMATIVE
DEFENSE AGAINST SPECIFIED LIABILITY WHEN A COVERED ENTITY HAS
ACTED APPROPRIATELY?
FISCAL EFFECT : As currently in print this bill is keyed
non-fiscal.
SYNOPSIS
This bill reflects the author's substantial and ongoing efforts
to establish a fair and balanced policy regarding the protection
of confidential medical information and records. It seeks to
preserve the important deterrence and compensation values of
existing law while avoiding undue penalties for companies that
conduct themselves responsibly. As proposed to be amended, the
bill reflects the current state of the author's negotiations
with interested stakeholders subject to further potential
revisions as discussions continue.
SUMMARY : Establishes an affirmative defense against specified
liability under the California Medical Information Act.
Specifically, this bill :
1)Provides that in an action brought by an individual(s)
pursuant to Civil Code section 56.36(b)(1) on or after January
1, 2012, the court shall award any actual damages, and
reasonable attorneys' fees and costs, but may not award
nominal damages for a violation of this part if the defendant
establishes all of the following as an affirmative defense:
a) The defendant is a covered entity, as defined in Section
160.103 of Title 45 of the Code of Federal Regulations;
b) The defendant has complied with any obligations to
notify all persons entitled to receive notice regarding the
�
AB 439
Page 2
release of the information or records;
c) The release of confidential information or records was
solely to another covered entity;
d) The defendant took appropriate preventive actions to
protect the confidential information or records against
release, retention, or use by any person or entity other
than the covered entity that received the information or
records, including but not limited (1) to developing and
implementing security policies and procedures; (2)
designating a security official who is responsible for
developing and implementing its security policies and
procedures, including educating and training the workforce;
(3) encryption of the information or records; and (4)
protection against the release or use of the encryption key
and passwords;
e) The defendant took appropriate corrective action after
the release of the confidential records or information and
the covered entity that received the information or records
immediately destroyed or returned the information or
records;
f) The covered entity that received the confidential
information or records did not retain, use, or release the
information or records; and
g) The defendant has not previously violated this part.
1)Provides that a defendant shall not be liable for more than
one judgment on the merits for a violation of this section.
EXISTING LAW provides that in addition to any other remedies
available at law, any individual may bring an action against any
person or entity who has negligently released confidential
information or records concerning him or her in violation of
this part, for either or both of the following: (1) nominal
damages of one thousand dollars ($1,000). In order to recover
under this paragraph, it shall not be necessary that the
plaintiff suffered or was threatened with actual damages; (2)
the amount of actual damages, if any, sustained by the patient.
COMMENTS : A negligent release of confidential medical
information or records may be remedied by an action for damages
under the California Medical Information Act (CMIA). In
addition to an award of actual damages, the CMIA allows recovery
�
AB 439
Page 3
of nominal damages of $1,000 for each violation. Prompted by a
recent law suit, the author is concerned that this general rule
may lead to inappropriate results in particular types of cases
where the defendant has conducted itself reasonably, and a
measure of damages that may be out of proportion to the gravity
of the harm or the financial penalty needed to deter careless
behavior. The bill does not seek to change the outcome or the
law applicable to any pending case, but to revise the law to
avoid incongruous results in future cases.
The author has conducted extensive negotiations among interested
stakeholders in this highly sensitive area over many months. As
proposed to be amended, the bill reflects what the author
believes to be an emerging consensus, subject to further
revisions as her negotiations proceed.
Author's Proposed Amendments. In order to accomplish the goals
of this bill without undermining the important structure and
incentives of the CMIA, the author proposes to substitute the
following amendments for the current contents of the bill,
acknowledging that there are still to be further discussions
with interested stakeholders and the Committee as the bill moves
forward:
Amend Civil Code Section 56.36(b) to read:
(b) In addition to any other remedies available at law, any
individual may bring an action
against any person or entity who has negligently released
confidential information or
records concerning him or her in violation of this part, for
either or both of the following:
(I) Except as provided in subdivision (e), Nominal nominal
damages of one thousand
dollars ($1,000). In order to recover under this paragraph,
it shall not be necessary that
�
AB 439
Page 4
the plaintiff suffered or was threatened with actual
damages.
(2) The amount of actual damages, if any, sustained by the
patient.
Add new Civil Code Section 56.36(e) to read:
(e)(1) In an action brought by an individual(s) pursuant to
subdivision (b)(1) on or after January 1, 2012, the court shall
award any actual damages, and reasonable attorneys' fees and
costs, but may not award nominal damages for a violation of this
part if the defendant establishes all of the following as an
affirmative defense:
a. The defendant is a covered entity, as defined in
Section 160.103 of Title 45 of the Code of Federal
Regulations;
b. The defendant has complied with any obligations to
notify all persons entitled to receive notice regarding
the release of the information or records;
c. The release of confidential information or records
was solely to another covered entity;
d. The defendant took appropriate preventive actions to
protect the confidential information or records against
release, retention, or use by any person or entity other
than the covered entity that received the information or
records, including but not limited (1) to developing and
implementing security policies and procedures; (2)
designating a security official who is responsible for
developing and implementing its security policies and
�
AB 439
Page 5
procedures, including educating and training the
workforce; (3) encryption of the information or records;
and (4) protection against the release or use of the
encryption key and passwords;
e. The defendant took appropriate corrective action
after the release of the confidential records or
information and the covered entity that received the
information or records immediately destroyed or returned
the information or records;
f. The covered entity that received the confidential
information or records did not retain, use, or release
the information or records; and
g. The defendant has not previously violated this part.
(e)(2) A plaintiff in an action under this subdivision shall be
entitled to recover reasonable attorney's fees and costs without
regard to an award of actual or nominal damages.
(e)(3) A defendant shall not be liable for more than one
judgment on the merits for a violation of this section.
REGISTERED SUPPORT / OPPOSITION :
Support
None on file
Opposition
None on file
Analysis Prepared by : Kevin G. Baker / JUD. / (916) 319-2334