BILL ANALYSIS ��
------------------------------------------------------------
|SENATE RULES COMMITTEE | AB 439|
|Office of Senate Floor Analyses | |
|1020 N Street, Suite 524 | |
|(916) 651-1520 Fax: (916) | |
|327-4478 | |
------------------------------------------------------------
THIRD READING
Bill No: AB 439
Author: Skinner (D)
Amended: 8/7/12 in Senate
Vote: 21
SENATE JUDICIARY COMMITTEE : 4-1, 7/3/12
AYES: Evans, Harman, Corbett, Leno
NOES: Blakeslee
ASSEMBLY FLOOR : 78-0, 5/23/11 - See last page for vote
SUBJECT : Confidentiality of Medical Information Act
SOURCE : Author
DIGEST : This bill provides an affirmative defense for
specified actions taken under the Confidentiality of
Medical Information Act (CMIA) such an action, so that the
plaintiff may not be awarded nominal damages if the
defendant establishes that defense, as specified. This
bill applies to actions brought on or after January 1,
2013.
ANALYSIS : Existing law, the California Constitution,
provides that all people have inalienable rights, including
the right to pursue and obtain privacy. (California
Constitution Article I, Section 1)
Existing law prohibits a health care provider, health care
service plan, or contractor from disclosing medical
CONTINUED
�
AB 439
Page
2
information regarding a patient, enrollee, or subscriber
without first obtaining an authorization, except as
specified. (Civil Code (CIV) Section 56.10(a))
Existing law requires a health care provider, health care
service plan, or contractor to disclose medical information
if the disclosure is compelled as specified (CIV Section
56.10(b)) and permits a health care provider or service
plan to disclose medical information in specified
circumstances. (CIV Section 56.10(c))
Existing law defines "medical information" to mean any
individually identifiable information, in electronic or
physical form, in possession of or derived from a provider
of health care, health care service plan, pharmaceutical
company, or contractor regarding a patient's medical
history, mental or physical condition, or treatment.
Existing law defines "individually identifiable" to mean
that the medical information includes or contains any
element of personal identifying information sufficient to
allow identification of the individual, such as the
patient's name, address, electronic mail address, telephone
number, or social security number, or other information
that, alone or in combination with other publicly available
information, reveals the individual's identity. (CIV
Section 56.05(g))
Existing federal law, the Health Insurance Portability and
Accountability Act (HIPAA), specifies privacy protections
for patients' protected health information and generally
provides that a covered entity, as defined (health plan,
health care provider, and health care clearing house), may
not use or disclose protected health information except as
specified or as authorized by the patient in writing. (45
Code of Federal Regulations Section 164.500 et seq.)
Existing law requires a health care provider, health care
service plan, pharmaceutical company, or contractor who
creates, maintains, preserves, stores, abandons, destroys,
or disposes of medical records to do so in a manner that
preserves the confidentiality of the information contained
within those records. Existing law provides that any
health care provider of health care, health care service
plan, pharmaceutical company, or contractor who negligently
CONTINUED
�
AB 439
Page
3
creates, maintains, preserves, stores, abandons, destroys,
or disposes of medical records shall be subject to existing
remedies and penalties, as specified. (CIV Section 56.101)
Existing law provides that a plaintiff may bring an action
against any person or entity who has negligently released
his/her confidential information or records in violation of
the CMIA as follows:
nominal damages of $1,000; and
the amount of actual damages. (CIV Section 56.36(b))
Existing law specifies that in order to recover nominal
damages, it is not necessary that the plaintiff suffered or
was threatened with actual damages. (CIV Section 56.36(b))
This bill provides that, in an action brought by an
individual pursuant to the above provisions (CIV Section
56.36(b)) on or after January 1, 2013, a court shall award
any actual damages and reasonable attorney's fees and
costs, but may not award any nominal damages if the
defendant establishes all of the following as an
affirmative defense:
1. The defendant is a covered entity or business associate
as of January 1, 2012, as defined under HIPAA;
2. The defendant has complied with any obligations to
notify all persons entitled to receive notice regarding
the release of the information or records;
3. The release of confidential information or records was
solely to another covered entity or business associate;
4. The release of confidential information or records was
not an incident of medical identity theft, defined to
mean the use of an individual's personal information, as
defined in CIV Section 1798.80, without the individual's
knowledge or consent, to obtain medical goods or
services or to submit false claims for medical services;
5. The defendant took appropriate preventive actions to
protect the confidential information or records against
release consistent with the defendant's obligations
CONTINUED
�
AB 439
Page
4
under the CMIA, any other applicable state law, and
HIPAA, including:
developing and implementing security policies and
procedures;
designating a security official who is
responsible for developing and implementing its
security policies and procedures, including educating
and training the workforce; and
encrypting the information or records and
protecting against the release or use of the
encryption key and passwords, or transmitting the
information or records in a manner designed to
provide equal or greater protections against improper
disclosures;
6. The defendant took reasonable and appropriate corrective
action after the release of the confidential records or
information, and the covered entity or business
associate that received the information or records
destroyed or returned the information or records in the
most expedient time possible and without unreasonable
delay, consistent with any measures necessary to
determine the scope of the breach and restore the
reasonable integrity of the data system. If the
information or records could not be destroyed or
returned because of the technology utilized, the
defendant may establish that fact;
7. The covered entity or business associate that received
the confidential information or records, or any of its
agents, independent contractors, or employees,
regardless of the scope of the employee's employment,
did not retain, use, or release the information or
records;
8. After the release of the information or records, the
defendant took reasonable and appropriate action to
prevent a future similar release of confidential
information or records; and
9. The defendant has not previously established an
CONTINUED
�
AB 439
Page
5
affirmative defense pursuant to this bill, or the court
determines, in its discretion that application of the
affirmative defense is found to be compelling and
consistent with the purposes of this section to promote
reasonable conduct in light of all the facts.
This bill provides that a court may consider the equity of
the situation, including whether the defendant had
previously violated CMIA, regardless of whether an action
had previously been brought, in determining whether the
affirmative defense may be established.
This bill provides that a plaintiff shall be entitled to
recover reasonable attorney's fees and costs without regard
to an award of actual or nominal damages or the imposition
of administrative fines or civil penalties.
This bill specifies that in an action brought by an
individual pursuant to CIV Section 56.36(b) on or after
January 1, 2013, in which the defendant establishes the
affirmative defense, a defendant shall not be liable for
more than one judgment on the merits under this subdivision
for releases arising out of the same event, transaction, or
occurrence.
FISCAL EFFECT : Appropriation: No Fiscal Com.: No
Local: No
SUPPORT : (Verified 8/7/12)
California Association of Health Plans
California Association of Physician Groups
California Chamber of Commerce
California Healthcare Institute
California Hospital Association
California Pharmacists Association
California Retailers Association
McKesson Corporation
National Association of Chain Drug Stores
ARGUMENTS IN SUPPORT : The author writes:
AB 439 establishes an affirmative defense against
liability for nominal damages under the CMIA. The
CONTINUED
�
AB 439
Page
6
defense is narrowly crafted to strike a balance between
the need to preserve strong deterrents to protect
against careless release of confidential patient
information and the need to recognize the real
complexities imposed on California businesses by current
privacy laws.
The CMIA allows patients whose medical information is
released in violation of the act to sue for damages. In
addition to actual damages, nominal damages of $1,000
are permitted. When a health care provider's improper
release of information involves many patients, current
law authorizes a large award of nominal damages since
$1,000 may be recovered for each patient affected. This
may result under current law despite the fact that the
health care provider has taken appropriate steps to
protect the information before its release and also
taken corrective actions after the release-even if the
patients suffered no actual provable damages from the
violation.
ASSEMBLY FLOOR : 78-0, 5/23/11
AYES: Achadjian, Alejo, Allen, Ammiano, Atkins, Beall,
Bill Berryhill, Block, Blumenfield, Bonilla, Bradford,
Brownley, Buchanan, Butler, Charles Calderon, Campos,
Carter, Cedillo, Chesbro, Conway, Davis, Dickinson,
Donnelly, Eng, Feuer, Fletcher, Fong, Fuentes, Furutani,
Beth Gaines, Galgiani, Garrick, Gatto, Gordon, Grove,
Hagman, Halderman, Hall, Harkey, Hayashi, Roger
Hern�ndez, Hill, Huber, Hueso, Huffman, Jeffries, Jones,
Knight, Lara, Logue, Bonnie Lowenthal, Ma, Mansoor,
Mendoza, Miller, Mitchell, Monning, Morrell, Nestande,
Nielsen, Norby, Olsen, Pan, Perea, V. Manuel P�rez,
Portantino, Silva, Skinner, Smyth, Solorio, Swanson,
Torres, Valadao, Wagner, Wieckowski, Williams, Yamada,
John A. P�rez
NO VOTE RECORDED: Cook, Gorell
RJG:k 8/8/12 Senate Floor Analyses
SUPPORT/OPPOSITION: SEE ABOVE
CONTINUED
�
AB 439
Page
7
**** END ****
CONTINUED