BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Noreen Evans, Chair
2011-2012 Regular Session
AB 439 (Skinner)
As Amended June 15, 2012
Hearing Date: July 3, 2012
Fiscal: No
Urgency: No
SK
SUBJECT
Confidentiality of Medical Information Act
DESCRIPTION
Existing law provides that a plaintiff may bring an action for a
violation of the Confidentiality of Medical Information Act
(CMIA) and may recover nominal damages of $1,000. This bill
would provide an affirmative defense for such an action, so that
the plaintiff may not be awarded nominal damages if the
defendant establishes that defense, as specified. This bill
would apply to actions brought on or after January 1, 2013.
(This analysis reflects author's amendments to be offered in
Committee.)
BACKGROUND
In 1999, the Legislature passed and the Governor signed SB 19
(Figueroa, Ch. 526, Stats. 1999) which, among other things,
prohibited disclosure of confidential medical information and
created a cause of action to permit a plaintiff to recover
limited damages, including nominal damages, when his or her
confidential records are
negligently released.
In August 2010, a complaint was filed against, among others,
McKesson Corporation, owner of RelayHealth, alleging that the
defendants improperly disclosed confidential patient information
to the wrong pharmacy for marketing purposes. That case spurred
a legislative effort by McKesson to address its concerns that
existing law's nominal damages provision did not sufficiently
recognize an inadvertent disclosure of information from one
specified Health Insurance Portability and Accountability Act
(HIPAA) covered entity to another when the entity receiving the
mistakenly sent information does not use, retain, or release the
information. While that case has since settled, this bill would
create an affirmative defense against liability for nominal
damages under the CMIA, as described in more detail below.
CHANGES TO EXISTING LAW
Existing law, the California Constitution, provides that all
people have inalienable rights, including the right to pursue
and obtain privacy. (Cal. Const. art. I, Sec. 1.)
Existing law prohibits a health care provider, health care
service plan, or contractor from disclosing medical information
regarding a patient, enrollee, or subscriber without first
obtaining an authorization, except as specified. (Civ. Code
Sec. 56.10(a).)
Existing law requires a health care provider, health care
service plan, or contractor to disclose medical information if
the disclosure is compelled as specified (Civ. Code Sec.
56.10(b)) and permits a health care provider or service plan to
disclose medical information in specified circumstances. (Civ.
Code Sec. 56.10(c).)
Existing law defines "medical information" to mean any
individually identifiable information, in electronic or physical
form, in possession of or derived from a provider of health
care, health care service plan, pharmaceutical company, or
contractor regarding a patient's medical history, mental or
physical condition, or treatment. Existing law defines
"individually identifiable" to mean that the medical information
includes or contains any element of personal identifying
information sufficient to allow identification of the
individual, such as the patient's name, address, electronic mail
address, telephone number, or social security number, or other
information that, alone or in combination with other publicly
available information, reveals the individual's identity. (Civ.
Code Sec. 56.05(g).)
Existing federal law, the Health Insurance Portability and
Accountability Act (HIPAA), specifies privacy protections for
patients' protected health information and generally provides
that a covered entity, as defined (health plan, health care
provider, and health care clearing house), may not use or
disclose protected health information except as specified or as
authorized by the patient in writing. (45 C.F.R. Sec. 164.500
et seq.)
Existing law requires a health care provider, health care
service plan, pharmaceutical company, or contractor who creates,
maintains, preserves, stores, abandons, destroys, or disposes of
medical records to do so in a manner that preserves the
confidentiality of the information contained within those
records. Existing law provides that any provider of health
care, health care service plan, pharmaceutical company,
or contractor who negligently creates, maintains, preserves,
stores, abandons, destroys, or disposes of medical records shall
be subject to existing remedies and penalties, as specified.
(Civ. Code Sec. 56.101.)
Existing law provides that a plaintiff may bring an action
against any person or entity who has negligently released his or
her confidential information or records in violation of the CMIA
as follows:
nominal damages of $1,000; and
the amount of actual damages. (Civ. Code Sec. 56.36(b).)
Existing law specifies that in order to recover nominal damages,
it is not necessary that the plaintiff suffered or was
threatened with actual damages. (Civ. Code Sec. 56.36(b).)
This bill would provide that, in an action brought by an
individual pursuant to the above provisions (Civ. Code Sec.
56.36(b)) on or after January 1, 2013, a court shall award any
actual damages and reasonable attorney's fees and costs, but may
not award any nominal damages if the defendant establishes all
of the following as an affirmative defense:
the defendant is a covered entity or business associate as of
January 1, 2012, as defined under HIPAA;
the defendant has complied with any obligations to notify all
persons entitled to receive notice regarding the release of
the information or records;
the release of confidential information or records was solely
to another covered entity or business associate;
the release of confidential information or records was not an
incident of medical identity theft, defined to mean the use of
an individual's personal information, as defined in Civil Code
Section 1798.80, without the individual's knowledge or
consent, to obtain medical goods or services or to submit
false claims for medical services;
the defendant took appropriate preventive actions to protect
the confidential information or records against release
consistent with the defendant's obligations under the CMIA,
any other applicable state law, and HIPAA, including:
o developing and implementing security policies and
procedures;
o designating a security official who is responsible for
developing and implementing its security policies and
procedures, including educating and training the workforce;
and
o encrypting the information or records and protecting
against the release or use of the encryption key and
passwords, or transmitting the information or records in a
manner designed to provide equal or greater protections
against improper disclosures;
the defendant took reasonable and appropriate corrective
action after the release of the confidential records or
information, and the covered entity or business associate that
received the information or records destroyed or returned the
information or records in the most expedient time possible and
without unreasonable delay, consistent with any measures
necessary to determine the scope of the breach and restore the
reasonable integrity of the data system. If the information
or records could not be destroyed or returned because of the
technology utilized, the defendant may establish that fact;
the covered entity or business associate that received the
confidential information or records, or any of its agents,
independent contractors, or employees, regardless of the scope
of the employee's employment, did not retain, use, or release
the information or records;
after the release of the information or records, the defendant
took reasonable and appropriate action to prevent a future
similar release of confidential information or records; and
the defendant has not previously established an affirmative
defense pursuant to the bill, or the court determines, in its
discretion, that application of the affirmative defense is
found to be compelling and consistent with the purposes of
this section to promote reasonable conduct in light of all the
facts.
This bill would provide that a court may consider the equity of
the situation, including whether the defendant had previously
violated CMIA, regardless of whether an action had previously
been brought, in determining whether the affirmative defense may
be established.
This bill would provide that a plaintiff shall be entitled to
recover reasonable attorney's fees and costs without regard to
an award of actual or nominal damages or the imposition of
administrative fines or civil penalties.
This bill would specify that in an action brought by an
individual pursuant to Section 56.36(b) on or after January 1,
2013 in which the defendant establishes the affirmative defense,
a defendant shall not be liable for more than one judgment on
the merits under this subdivision for releases arising out of
the same event, transaction, or occurrence.
COMMENT
1. Stated need for the bill:
The author writes:
AB 439 establishes an affirmative defense against liability
for nominal damages under the CMIA. The defense is narrowly
crafted to strike a balance between the need to preserve
strong deterrents to protect against careless release of
confidential patient information and the need to recognize the
real complexities imposed on California businesses by current
privacy laws.
The CMIA allows patients whose medical information is released
in violation of the act to sue for damages. In addition to
actual damages, nominal damages of $1,000 are permitted. When
a health care provider's improper release of information
involves many patients, current law authorizes a large award
of nominal damages since $1,000 may be recovered for each
patient affected. This may result under current law despite
the fact that the health care provider has taken appropriate
steps to protect the information before its release and also
taken corrective actions after the release, even if the
patients suffered no actual provable damages from the
violation.
2. Bill held in Committee last year
Last year, this Committee heard this bill on July 5, 2011. At
the time the bill was heard by the Committee, a number of
significant privacy concerns were raised by the Committee and,
as a result, the bill was held in Committee without
recommendation.
The bill has since been amended, although many of the privacy
concerns remain with respect to the current version of the bill
that is in print. As a result, the author and stakeholders have
been working to develop a compromise to address the concerns
raised. That language is reflected in this analysis.
3. Concerns raised by consumer and privacy groups and other
stakeholders
A number of consumer and privacy groups are opposed to the
current version of the bill. The proposed amendments in this
analysis are intended to address their concerns, as described in
more detail below. At the time of the writing of this analysis,
however, it is not yet known whether these groups will remove
their opposition as a result of the proposed amendments.
The Consumer Attorneys of California are opposed to the bill as
currently in print, but have indicated that they will remove
their opposition if the proposed amendments are taken.
4. Permitting a court discretion to allow the affirmative defense
This bill would create an affirmative defense against liability
for nominal damages under the CMIA provided that the defendant
meets a number of specified conditions. For example, among
other requirements, the defendant must be a "covered entity" or
"business associate" as defined under HIPAA and the release of
confidential information or records must have been solely to
another covered entity or business associate. In addition, the
defendant must have been in compliance with its obligations
under CMIA, other applicable state law, or HIPAA with respect to
taking appropriate preventive actions to protect the information
or records against release. The defendant must also have taken
reasonable and appropriate corrective action after the release
and the covered entity or business associate that received the
information must have destroyed or returned the information or
records, as specified (See Comment 6 for additional discussion
of this provision). Under the proposed amendments, the
affirmative defense would only apply if the covered entity or
business associate that received the confidential information or
records, or any of its agents, independent contractors, or
employees, did not retain, use, or release the information or
records. Furthermore, after the release the defendant must
have taken action to prevent a similar release in the future.
The affirmative defense would only apply if the defendant had
not previously established the affirmative defense pursuant to
the bill. However, the affirmative defense could apply for a
second or subsequent violation if the court, in its discretion,
determines that application of the affirmative defense to a
second or subsequent violation is compelling and consistent with
the purposes of CMIA's liability provisions to promote
reasonable conduct in light of all of the facts.
With respect to a first violation, the proposed amendments would
also allow judicial discretion by allowing the court to consider
the equity of the situation. This provision is intended to
allow a court to deny the application of the affirmative
defense, even if the defendant successfully establishes the nine
items (subdivision (e)(2)(A)-(I)) required under the defense, in
cases where there is some circumstance that makes application of
the defense inequitable and unfair. By way of example, the
proposed amendments provide that a court may consider, among
other things, whether the defendant had previously violated the
CMIA regardless of whether an action had previously been
brought.
This additional judicial discretion is intended to address
concerns raised by consumer and privacy groups that nominal
damages would be completely eliminated if the defendant
established the affirmative defense. On this point, the
Consumer Federation of California and World Privacy Forum write
that the most recent version of the bill "carve[s] out massive
exemptions to the requirement for nominal damages, eliminating
the important disincentive that CMIA creates for the health care
industry's lax security standards. Instead of allowing a judge
discretion in imposing damages for first offenses based on a
thorough review of the circumstances surrounding the breach, the
[June 15, 2012] amendments eliminate nominal damages entirely."
As noted above, the proposed amendments described in this
analysis are intended to address this concern so that this
"important disincentive" is not eliminated. The amendments are
also intended to carry out the objective stated by CALPIRG that
"[r]estoring judicial discretion in determining nominal damages
provides a reasonable balance between business interests and
patients' privacy rights."
5. Extending the bill to also include "business associates"
This bill would permit a "covered entity" to assert an
affirmative defense to a plaintiff's claim for nominal damages
for a violation of the CMIA. The term "covered entity" is not
one used in the CMIA; rather it is used in the federal HIPAA and
its implementing regulations (45 C.F.R. 160.103). Under federal
law, a covered entity is defined to mean a health plan, health
care clearinghouse, or health care provider who transmits
electronic health information.
As amended June 15, 2012, this bill would provide that a covered
entity's "business associate" may also obtain the affirmative
defense provided that the business associate establishes the
required elements. Like the term "covered entity," the CMIA
does not use the term "business associate." Instead, that term
is used and defined under federal law which provides that a
business associate is a person who, on behalf of a covered
entity, performs or assists in performing a function or activity
involving the use or disclosure of individually identifiable
health information, including, among other things, claims
processing or administration, billing, or any other function or
activity regulated by HIPAA. (45 C.F.R. 160.103.) A business
associate may also provide other services to the covered entity
such as legal, actuarial, or accounting services where the
provision of the service involves the disclosure of individually
identifiable health information from the covered entity. (Id.)
With respect to the bill's inclusion of business associates, the
Consumer Federation of California and World Privacy Forum write
that expanding "the affirmative defense against damages to a
multitude of 'business associates' of HIPAA covered entities
that either commit a privacy breach, or that receive
unauthorized private medical records ... would give a free pass
to share records improperly to numerous businesses with little
knowledge of, or regard for, medical privacy rules, including
marketing corporations, data processing firms, billing and
mailing houses, data aggregators, and others that perform
services for HIPAA covered entities."
It is important to note, however, that, effective February 17,
2010, business associates are directly regulated by HIPAA and
required to comply with the administrative, physical, and
technical safeguards contained in HIPAA's regulations.
Specifically, the Health Information Technology for Economic and
Clinical Health (HITECH) Act, which was part of the American
Recovery and Reinvestment Act of 2009 (Public Law 111-5, 123
Stat. 227), now:
Require[s] business associates to comply directly with
Security Rule provisions directing implementation of
administrative, physical and technical safeguards for
electronic protected health information ("e-PHI"); and
development and enforcement of related policies, procedures,
and documentation standards (including designation of a
security official).
Impose[s] on business associates an obligation to directly
comply with HIPAA's business associate safeguards, including
limiting use and disclosure of PHI as specified in the
agreement or as required by law; facilitating access,
amendment and accounting of disclosures; opening books and
records to DHHS; and returning or destroying PHI, if feasible,
upon contract termination. ("HITECH Implications for Business
Associate Agreements: What Should You Do and When Should You
Do It?" Rachel Nosowsky, Esq., American Bar Association (ABA)
Health eSource, June 2009, Vol. 5, No. 10,
[as of July
1, 2012] (citations omitted).)
In addition, under the HITECH Act, business associates are
"subject to compliance reviews and complaint investigations by
the Office of Civil Rights and are subject to the same civil and
criminal penalties as are covered entities." ("Business
Associate Contracts," Chap. 11, California Hospital Association,
California Health Information Privacy Manual 2009.) Prior to
passage of the HITECH Act, business associates "were required by
contract to agree to certain safeguards regarding use or
disclosure of PHI [protected health information]. After HITECH,
[they are] required by law to develop and implement written
privacy and security policies and procedures regarding handling
of PHI." ("The HITECH ACT: Implications to HIPAA Covered
Entities and Business Associates," Linn F. Freedman, Esq.,
[as of July 1,
2012].)
Many business associates are also already subject to the CMIA,
even though the statute does not use that term. Under the CMIA,
a health care provider may disclose medical information to a
person or entity that provides billing, claims management,
medical data processing, or other administrative services for
providers of health care or health care service plans. (Civil
Code Section 56.10(c)(3).) Furthermore, the CMIA expressly
prohibits the entity who received the information from further
disclosing the information in a way that would violate the CMIA.
(Id.)
6. Requiring a defendant to take corrective action after a breach
The proposed amendments would largely reinsert language that was
stricken in the most recent version of the bill with respect to
requiring a defendant to take corrective action after a breach.
A number of consumer groups raised concern that this language
was stricken. For example, Consumer Action wrote "[t]he
amendments . . . even eliminate the requirement that the entity
that committed the privacy breach take corrective action
following the records' release."
The proposed amendments would reinsert this language by
providing that, in order to establish the affirmative defense, the
defendant must have taken reasonable and appropriate corrective
action after the release of the confidential records or
information, and the covered entity or business associate that
received the information or records destroyed or returned the
information or records in the most expedient time possible and
without unreasonable delay, consistent with any measures
necessary to determine the scope of the breach and restore the
reasonable integrity of the data system.
This language is directly based on existing law, Civil Code
Section 1798.82, which is California's landmark security breach
statute. As a result, the proposed amendments would require the
covered entity or business associate that received the
information or records to have destroyed or returned the
information or records in a timely manner. It should be noted
that even if there was some delay in the destruction or return
of the information or records, the bill, as proposed to be
amended, would still require that the covered entity or business
associate that received the confidential information or records,
or any of its agents, independent contractors, or employees,
regardless of the scope of the employee's employment, did not
retain, use, or release the information or records.
7. Liability for more than one judgment on the merits
As noted earlier, this bill was spurred by litigation against
McKesson Corporation for improperly disclosing confidential
patient information to the wrong pharmacy. Supporters of this
bill argue that the evolution towards electronic health records
increases the likelihood that numerous records will be involved
when there is a negligent breach. On this point, McKesson
writes "... this provision of the CMIA creates potentially
bankrupting exposure for accidental disclosures of even a modest
volume of medical information, whether it is in the form of
electronic health records, prescription data, or other type of
medical data. This liability might have been manageable in the
era of paper records, but today medical information is
frequently stored and transferred electronically (sometimes
hundreds of thousands of records, or more, at a time)."
Under existing law, Civil Code Section 56.36(b), claims for a
negligent release of confidential information or records in
violation of the CMIA may be brought on an individual or class
basis. The nominal damage amount of $1,000 contained in Section
56.36(b) is for the release of each individual person's record
and, therefore, could result in a large damage award, depending
on how many records were released. In contrast, the new
subdivision (e), proposed to be added by this bill, would
provide for an affirmative defense for the same event,
transaction, or occurrence regardless of how many records were
released. As a result, the proposed amendments would specify
that in an action brought by an individual pursuant to Section
56.36(b) on or after January 1, 2013 in which the defendant
establishes the affirmative defense, a defendant shall not be
liable for more than one judgment on the merits under this
subdivision for releases arising out of the same event,
transaction, or occurrence.
8. Other privacy protections contained in the proposed amendments
The proposed amendments contain a number of other protections to
help to address privacy concerns as described below.
Inclusion of agents, independent contractors, or employees:
Under the proposed amendments, in order to claim the
affirmative defense, the defendant would be required to
establish that any agents, independent contractors, or
employees of a covered entity or business associate that
received the confidential information or records, regardless
of the scope of the employee's employment, did not retain,
use, or release the information or records;
Actions to prevent future breach: Under the proposed
amendments, the defendant would be required to establish that,
after the release of the information or records, the defendant
took reasonable and appropriate action to prevent a future
similar release of confidential information or records;
Precise cross references to HIPAA and state law: In response
to concerns raised by several privacy groups, the proposed
amendments would more precisely tie the proposed bill to the
defendant's obligations under the CMIA, any other applicable
state law, and HIPAA; and
Breach resulting in medical identity theft: The Consumer
Federation of California and World Privacy Forum raised
concerns that, under the current version of the bill, a
defendant would not be responsible for nominal damages even if
the violation resulted in medical identity theft. As a result
of these concerns, the proposed amendments would specify that,
in order to claim the affirmative defense, a defendant must
establish that the release of confidential information or
records was not an incident of medical identity theft. As a
result, the affirmative defense would not apply if the release
resulted in medical identity theft.
The proposed amendments would further specify that medical
identity theft is the use of an individual's personal
information, as defined in Civil Code Section 1798.80, without
the individual's knowledge or consent, to obtain medical goods
or services, or to submit false claims for medical services.
9. Bill does not apply to pending litigation
Although this bill was prompted by a lawsuit against, among
others, McKesson Corporation, the bill does not apply to any
pending litigation. Instead, the bill specifies that its
provisions would apply in an action brought by a plaintiff on or
after January 1, 2013.
Support: California Association of Health Plans; California
Association of Physician Groups; California Chamber of Commerce;
California Healthcare Institute; California Hospital
Association; California Pharmacists Association; California
Retailers Association; McKesson Corporation; National
Association of Chain Drug Stores
Opposition: California Alliance for Retired Americans; CALPIRG;
Consumer Action; Consumer Attorneys of California (unless
amended); Consumer Federation of California; Consumer Watchdog;
Electronic Frontier Foundation; World Privacy Forum
HISTORY
Source: Author
Related Pending Legislation: None Known
Prior Legislation: None Known
Prior Vote:
Assembly Floor (Ayes 78, Noes 0)
Assembly Judiciary Committee (Ayes 10, Noes 0)
**************