Pillsbury Winthrop Shaw Pittman

California court limits liability for loss of certain patient information under CMIA

By Joseph R Tiffany, Connie J Wolfe PhD and Allen Briskin

California appellate courts are clarifying potential liability under California’s Confidentiality of Medical Information Act, Cal. Civ. Code § 56 et seq (CMIA) of healthcare providers, health plans, pharmaceutical companies and others for the unauthorised disclosure of medical information. The CMIA provides that an individual may recover $1,000 (£584) nominal damages (plus actual damages if any) from a healthcare provider or other covered party that negligently releases that individual’s medical information. In data breaches involving large numbers of records and individuals, the potential liability can be enormous even without proof of any damages.

In a significant decision for healthcare providers and other holders of medical information, the California Court of Appeal recently decided that the CMIA’s civil liability provisions do not cover the theft of a hospital index containing personal identifying information unless the index also includes information relating to medical history, mental or physical condition or treatment. Eisenhower Medical Center v Superior Court (Malanche), No. E058378, 2014 WL 2115216, at *1 (Cal. Ct. App. May 21, 2014). In Eisenhower, the plaintiffs sought damages for a class of more than 500,000 individuals, which could amount to total nominal damages of more than $500m without any showing of actual injury. While the CMIA continues to impose significant obligations upon those within its coverage, this decision dramatically reduces the liability risk arising from the release of one type of information.

Under the CMIA, a provider of healthcare, healthcare service plan, pharmaceutical company or contractor is obligated to maintain ‘medical information… in a manner that preserves the confidentiality of the information contained therein’, and any such party ‘who negligently… maintains, preserves, stores, abandons, destroys or disposes of medical information’ is subject to specified remedies. Cal. Civ. Code § 56.101. Such remedies include nominal damages of $1,000 and/or actual damages from ‘any person or entity who has negligently released confidential information or records…’ Cal. Civ. Code § 56.36(b). The CMIA defines the term ‘medical information’ as follows…

Click on the link below to read the rest of the Pillsbury briefing.

Sign in or Register to continue reading this article

Sign in


It's quick, easy and free!

It takes just 5 minutes to register. Answer a few simple questions and once completed you’ll have instant access.

Register now

Why register to The Lawyer


Industry insight

In-depth, expert analysis into the stories behind the headlines from our leading team of journalists.


Market intelligence

Identify the major players and business opportunities within a particular region through our series of free, special reports.


Email newsletters

Receive your pick of The Lawyer's daily and weekly email newsletters, tailored by practice area, region and job function.

More relevant to you

To continue providing the best analysis, insight and news across the legal market we are collecting some information about who you are, what you do and where you work to improve The Lawyer and make it more relevant to you.


Tower 42, Level 23
25 Old Broad Street