Balancing Patient Care and Patient Privacy Under California’s Confidentiality of Medical Information Act

Jan. 15, 2016, 10:39 PM UTC

Imagine you are an attorney at a law firm. The firm keeps confidential client files in your office, behind locked doors, and there is a security guard in the building lobby. One night, a burglar breaks into your office and takes, among other things, some confidential client files that are in sealed envelopes. The envelopes are later discovered, unopened, in a trash bin. Did you “release” confidential client information to the burglar? Did you “disclose” it to anyone?

The common-sense answer is “no,” because the burglar stole the files and no one actually looked at them. That is precisely how the California Courts of Appeal have, sensibly, interpreted California’s medical privacy statute, the Confidentiality of Medical Information Act (CMIA).

Statute Provisions

In order to prove that confidential patient information has been “disclosed” or “released”—and therefore to have a cause of action under the CMIA—a plaintiff must prove both that a health-care provider committed some affirmative, negligent act and that the information was actually viewed by an unauthorized person. These interpretations of the CMIA provide health-care providers with crucial protections against unwarranted lawsuits and potentially ruinous damage awards in situations where a third party has hacked into or otherwise used wrongful means to gain access to an electronic medical records database.

The CMIA is codified at Cal. Civil Code § 56.10. Section 56.10, subdivision (a) provides, “No provider of health care, health care service plan, or contractor shall disclose medical information regarding a patient … without first obtaining an authorization [with certain exceptions].” Section 56.35 provides that “a patient whose medical information has been used or disclosed in violation of Section 56.10 … and who has sustained economic loss or personal injury therefrom” may bring an action for compensatory damages, punitive damages, and attorneys’ fees. Section 56.36, subdivision (b) provides, “any individual may bring an action against any person or entity who has negligently released confidential information or records concerning him or her” for nominal damages of $1,000 and/or actual damages.

The UCLA Case

In Regents of the University of California v. Superior Court, a University of California Los Angeles-affiliated physician’s encrypted external hard drive containing personally identifiable medical information, along with an index card with his password, had been stolen as part of a home-invasion robbery. The hard drive was never found, and there was no evidence that the burglars had actually viewed any of the medical information. After UCLA provided notice to the 16,000 patients whose information was contained on the hard drive, as required by federal and state law, one patient brought a class action seeking statutory nominal damages totaling $16 million from UCLA.

The California Second District Court of Appeal in Regents held that the plaintiff had failed to state a claim under the CMIA because “she cannot allege her medical records were, in fact, viewed by an unauthorized individual.” For that reason, she could not allege “that the confidential nature of [her] medical information was breached,” even assuming that UCLA had been negligent. (Regents of the University of California v. Super. Ct., 220 Cal. App. 4th 549 (2013); see previous article.) The Regents court held that UCLA’s demurrer should therefore have been sustained without leave to amend. The Third District Court of Appeal later followed this ruling, holding that patients could not state a CMIA claim based upon theft of a health-care provider’s computer containing medical records of four million patients “because [plaintiffs] do not allege that the stolen medical information was actually viewed by an unauthorized person.” (Sutter Health v. Super. Ct., 227 Cal. App. 4th 1546 (2014); see previous article.)

The requirement that CMIA plaintiffs prove that their medical information has actually been viewed by an unauthorized person is a potent protection for health-care providers. Many instances of unauthorized access to medical records—and those involving the biggest volume of records—arise from either hacking into or theft of a provider’s computers. Because a plaintiff will not, in most of those instances, be able to allege or prove that anyone actually viewed the medical records, any CMIA claims should be subject to demurrer or, at a minimum, summary judgment.

The courts’ interpretations of “disclose” and “release” under the California Confidentiality of Medical Information Act provide potent protections for health-care providers.

The Regents court adopted two other, equally important interpretations of the CMIA. First, the Court of Appeal interpreted “disclose,” as used in Section 56.10, subdivision (a), as denoting “an affirmative act of communication.”

Second, the Regents court interpreted “release,” as used in Section 56.36, subdivision (b), as requiring pleading and proof that “the health care provider engaged in some affirmative conduct leading to an unauthorized third party’s access to confidential information,” although not necessarily an affirmative “communicative” act. (There is a strong argument that the Regents court’s distinction between “disclose” and “release” in CMIA is misplaced and that both should be interpreted to require an affirmative communicative act. “Disclose” is defined in related statutes to include “release,” meaning that “release” cannot be broader than “disclose”; and CMIA itself uses the two words interchangeably.)

These interpretations of “disclose” and “release” provide additional potent protections for health-care providers. Where a third party gains access to confidential medical records by wrongful means, such as hacking or theft, there will typically be no affirmative conduct by the provider. The plaintiffs will undoubtedly allege that the provider was negligent for having failed to protect the information more robustly, but the provider will have a strong argument that such failure, even if negligent, was not an “affirmative” act, communicative or otherwise.

Recent Rulings

Two very recent decisions illustrate the importance of the Regents court’s interpretation of the CMIA.

In the first case, a patient had brought a class action based upon theft from a University of California San Francisco medical facility of desktop computers containing medical information. The complaint sought statutory damages of $1,000 for each of approximately 10,000 patients, or $10 million.

The University sought dismissal of the complaint, under Regents, for failure adequately to allege that the records had actually been viewed by an unauthorized person. The trial court overruled the University’s demurrer, but, on Sept. 3, 2015, the First District Court of Appeal issued a writ ordering the trial court to sustain the demurrer.

In the second case, the medical records of a UCLA patient had been wrongly accessed by the medical staff of a UCLA-affiliated (but not employed) physician, using log-in credentials the physician had shared with his staff, in violation of UCLA policy and agreements he had signed. One of those staff members—a romantic rival of the plaintiff’s—sent the plaintiff’s sensitive lab report to the father of the plaintiff’s unborn child and another woman. The plaintiff sued UCLA under the CMIA, alleging UCLA had negligently released her records and seeking more than $1 million in emotional-distress damages.

On Sept. 3, 2015, a jury in the case returned a verdict for UCLA, finding, based on an instruction that “release” requires affirmative conduct, that UCLA had not “released” the plaintiff’s medical records.

These two decisions illustrate the importance of the Regents opinion for health-care providers.

Conclusion

The advent of electronic medical records has vastly improved patient care, by making information about patients’ medical history more readily available to their doctors. But it has also created additional privacy concerns—in the health-care context as in others—because electronic information can be accessed in ways that paper files could not. Medical centers across the country have consistently balanced these competing effects by requiring log-in credentials to access electronic-records databases, training those who are given credentials never to share the credentials or to access information they do not need for patient care, and requiring signed agreements from them. Restricting health-care professionals’ access to patients’ medical records more severely could, in many situations, interfere with patient care and even be dangerous for the patients.

These policies, while reasonable, cannot guarantee that individuals with bad motives will never be able to obtain unauthorized access to patient information. One cannot eliminate entirely the risk that there will be criminal hackers or a few bad actors who abuse the privilege of their log-in credentials, just as there will be criminals and bad actors in every other situation. The Regents opinion provides protection for health-care providers who are victimized by criminals or the few who abuse their privileges, ensuring that, in the absence of affirmative, negligent conduct by the provider and actual viewing of a plaintiff’s medical information, they will not be subjected to liability for either actual or “nominal” damages under CMIA.