California healthcare providers can breathe a sigh of relief. Recently, the California Court of Appeals held that plaintiffs suing under the Confidentiality of Medical Information Act (“CMIA”) may not recover statutory damages from a mere theft of medical information; rather, plaintiffs must allege that an unauthorized person actually viewed the confidential information. The case, Sutter Health v. Superior Court, — Cal. Rptr. 3d —, 2014 WL 3589699 (Cal. App. 3 Dist. July 21, 2014), materially limits the ability of plaintiffs to sue under the CMIA.
In Sutter Health, a thief stole a computer containing medical records of approximately four million patients. Though the computer was password-protected, the medical records themselves were stored in an unencrypted format. Significantly, plaintiffs did not allege that any unauthorized person actually viewed the stolen records, alleging only that there were “potential misuses of personal medical information” that “may not manifest” for numerous years. With CMIA statutory damages of $1,000 per patient, Sutter Health faced a potential exposure of $4 billion.
The Court held that plaintiffs had not stated a claim under the CMIA, and directed the trial court to dismiss the case with prejudice. Though the Court arrived at its conclusion through slightly different reasoning, the decision was in line with the decision in Regents of University of California v. Superior Court, 220 Cal. App. 4th 549 (2013). In Regents, the Court held that plaintiff had not stated a claim under the CMIA where an external hard drive containing confidential medical records along with the encryption password were stolen during a home invasion robbery, because plaintiff had not alleged that any unauthorized person viewed the medical records.
The Sutter Health court also clarified the scope of various provisions in the CMIA.
- CMIA Section 56.10: Section 56.10 generally prohibits “disclosure” of medical information absent patient authorization or as specifically permitted by the statute. The Court held that disclosure “implies an affirmative communicative act,” thus Sutter Health could not be liable under Section 56.10 because it did not intend to disclose any medical information to the thief who stole the computer.
- CMIA Section 56.101: Among other things, Section 56.101 requires that healthcare providers preserve the confidentiality of medical information. Here, the Court held that the language of the statute “makes it clear that preserving the confidentiality of the medical information, not necessarily preventing others from gaining possession of the paper-based or electronic information itself, is the focus of the legislation.” Mere loss of possession is insufficient to attach liability—there must be a breach of confidentiality. And to reduce any ambiguity, the Court clarified that “[n]o breach of confidentiality takes place until an unauthorized person views the medical information.”
- CMIA Section 56.36: Section 56.36 sets forth damages available for violations of the CMIA. It provides remedies where a healthcare provider has “negligently released confidential information or records concerning [a plaintiff] in violation of this part.” Because the Court found no breach of confidentiality—and thus no injury—plaintiffs could not recover under Section 56.36.
Under this guidance from the Court, CMIA covered businesses that recover stolen medical data should thus analyze the data to determine whether the confidentiality of that data has actually been compromised. Covered businesses should also consider revising breach response plans accordingly.
The Sutter Health decision thus further limits the ability of plaintiffs to recover under the CMIA. As the growth of electronic medical data continues—thereby increasing the risk of theft of that data—the decision no doubt provides some comfort to California healthcare providers and other entities subject to the CMIA.
Picture By Andreas Levers From Flickr