Medical records disclosure: Rampant transgressions yet elusive liability

Challenges to privacy and data breach claims after UCLA and Eisenhower

2014 August

Despite an exponential rise in privacy violations not only throughout California but nationwide, two recent California appellate decisions have resulted in serious setbacks to plaintiffs seeking to establish liability against medical providers in connection with data breaches involving patient medical-health information pursuant to the California Confidentiality of Medical Information Act.

The California Confidentiality of Medical Information Act, as most readers may already know, makes it unlawful for any healthcare provider, service plan, or contractor to disclose patient medical information without proper authorization, except subject to certain emergency and legal exceptions. California Health and Safety Code section 130203(a), similarly requires healthcare providers to establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient’s medical information and to safeguard confidential medical information from any unauthorized access, unlawful access, use, or disclosure. Under California Health and Safety Code section 130201(e), “unauthorized access” is defined as the inappropriate review or viewing of patient medical information without direct need for diagnosis, treatment, or other lawful use.

The CMIA is California’s counterpart to HIPAA (Pub.L. 104-191, 110 Stat. 1936), for which there exists no enabling legislation authorizing private action. Only the Office of Civil Rights for the Department of Health and Human Services can initiate administration proceedings in connection with the violation of HIPAA’s regulations.

CMIA’s requirements

CMIA’s requirements for healthcare providers are just as onerous, however, requiring very specific conditions to be met before a release of medical information is considered properly authorized:

• The release must be either handwritten by the person who signs it or in a typeface no smaller than 14-point type, as required by Civil Code section 56.11(a).

• The release must be clearly separate from any other language present on the same page and executed by a signature which serves no other purpose than to execute the authorization, as required by Civil Code section 56.11(b).

• The release must be signed and dated by the patient (if an adult), the patient’s legal representative (if the patient is a minor or an adult who lacks decision-making capacity), or the beneficiary or personal representative of a deceased patient, as required by Civil Code section 56.11(c).

• The release must state the specific uses and limitations on the medical information being disclosed, as required by Civil Code section 56.11(d).

• The release must state the name or functions of the person or entity that is being permitted to disclose the medical information, as required by Civil Code section 56.11(e).

• The release must state the names or functions of the persons or entities authorized to receive the medical information, as required by Civil Code section 56.11(f).

• The release must state the specific uses and limitations on the use of the medical information by the persons or entities authorized to receive the medical information, as required by Civil Code section 56.11(g).

• The release must state the specific date after which the person or entity disclosing the information no longer is permitted to do so, as required by Civil Code section 56.11(h).

• The release must explicitly advise the person signing the authorization of the right to receive a copy of it, as required by Civil Code section 56.11(i).

These are not optional requirements. The California Supreme Court has specifically stated that “the authorization requirements found in section 56.11 are detailed and demanding, reflecting the Legislature’s interest in assuring that medical information may be disclosed only for a narrowly defined purpose, to an identified party, for a limited period of time.” The statute also says that “[a]ny waiver by a patient of the provisions of [the CMIA] is contrary to public policy, and is unenforceable and void, except as authorized by Civ. Code § 56.11[.]” Under section 56.36, anyone who suffers economic loss or personal injury from the disclosure to recover their full compensatory damages, or nominal damages of $1,000; punitive damages not to exceed $3,000; attorney’s fees not to exceed $1,000; and costs.

Eisenhower Medical Center v. Superior Court

Unfortunately, despite what might otherwise be a moderately strong statute with rigorous standards, the recent California Court of Appeal cases interpreting CMIA are headed towards rendering CMIA toothless.

In May, 2014, the California Court of Appeal, Fourth District, issued a ruling in Eisenhower Medical Center v. Superior Court (2014) __ Cal.App.4th __, __ Cal.Rptr.3d __, which holds that the Rancho Mirage-based Eisenhower Medical Center was not liable for a data breach involving the private information of more than a half-million patients. The case arose following the theft from Eisenhower’s facilities of computers containing the ages, birth dates, social security numbers, medical record numbers, and names of patients. The case came upon appeal after the Superior Court of Riverside denied the hospital’s request for summary judgment arguing that the breach did not result in the actual disclosure of medical data.

At issue in the appeal was the question of whether the release of the type of information above constituted individually-identifiable “medical information.” The Court held that it did not, because medical information is not “just any patient-related information,” but must be “individually-identifiable information” that includes the patient’s “medical history, mental or physical condition, or treatment.” Because the data breach at issue in Eisenhower only resulted in the disclosure of demographic information and the patient’s medical record number, the Court refused to find that a release of medical information had occurred – even though the data breach implicitly linked each identified individual to receiving treatment at Eisenhower. The Court determined that there was insufficient “medical information” released about patients.

In addition, the Court’s opinion was also shaped by the fact that an exception exists in CMIA authorizing medical providers to release certain information about a particular patient being treated at the facility upon demand. This exception permits treatment providers to reveal medical information, including a general description of the reason for treatment, general nature of the injury, general condition of the patient, and nonmedical information. (Garrett v. Young (2003) 109 Cal.App.4th 1393, 1405.) As a result, the Eisenhower Court refused to uphold the Riverside trial court’s ruling, and reversed.

UCLA Regents v. Superior Court

The Eisenhower decision is the second case in recent months that has created roadblocks for plaintiffs’ privacy and data breach claims in the medical context. Last October, in Regents of University of California v. Superior Court (2013) 220 Cal.App.4th 549 [Division 7 of the Second District Court of Appeal similarly rejected privacy violation claims raised in a $16 million class action brought against UCLA Health System in connection with a 2011 data breach.], the events stemmed from a November, 2011, notification provided to more than 16,000 patients by Regents of the University of California, advising them that an encrypted hard drive containing their confidential medical information, along with an index card containing the password, was stolen during a robbery at a physician’s home.

The plaintiffs, represented in part by CAALA’s own Brian Kabateck and Richard Kellner, alleged that UCLA failed to exercise due care on the part of Regents, in part, for permitting the physician to take home and store confidential medical information at his home. Although Regents’ demurrer was initially overruled, Regents sought a writ of mandate, which was granted, and in October, 2013, led to the reversal of the order overruling the demurrer and sustaining Regents’ demurrer without leave to amend. In UCLA, the Court heightened the pleading standards for CMIA claims, requiring litigants to plead and ultimately “prove” that private patient medical information was not only lost, but also actually “released” for access by third parties. “[W]e believe the Legislature intended… more than an allegation of loss of possession by the health care provider is necessary to state a cause of action for negligent maintenance or storage of confidential medical information,” the Court held.

The problem with the UCLA Court’s holding, of course, is that it is extremely difficult to ever prove that negligently-stored information was actually released into the hands of a third party – since there is little hope of tracking down the thief to ascertain what was done or not done with the information. It would be akin to conditioning negligent bailment claims on a requirement that the victim plead and prove what was done with the missing property subject to the bailment – it is utterly irrelevant. It is inconsequential what ultimately happens to the property, or in this case, private medical information – the point is that the entity charged with responsibility for its safekeeping was not successful in preserving its confidentiality, and should be held responsible. Furthermore, the statutory language of CMIA itself undermines the notion that actual misuse of the data must be pled or proven – that is the very purpose of the statutory nominal damages of $1,000. Nominal damages are awarded in the absence of actual damage, meaning no damages have to be proven or sustained in order to succeed on CMIA.

Where does this leave the viability of privacy claims? Certainly, much more difficult to plead and succeed upon. The solution may ultimately have to be legislative in nature. However, for the time being, privacy practitioners should make sure to undertake the following steps:

• Adjust intake/screening on data breach cases to investigate whether the subject data of the breach was encrypted, required special software to open, view, or access.

• Ensure that data breached includes information about patient medical history, mental or physical condition, or treatment, not just demographics.

• Adjust intake/screening to inquire about consequences of the data breach, i.e., does victim have any facts to support allegations that data breach was actually accessed by a third party (i.e., actual or suspected identity theft, increase in telemarketing calls, misuse of credit information, etc.).

• Ensure allegations of improper release and wrongful acquisition of data are properly pled in the Complaint to withstand demurrer.

Privacy violations are too important and too pervasive in the medical, financial, and consumer payment processing contexts to ignore, even despite new hurdles. With some adjustments and a little luck, privacy practitioners should press on and continue holding information storage facilities, medical treatment providers, data clearinghouses, and others accountable for the private medical information they are federally obligated to protect.