California court limits liability for loss of certain patient information under CMIA
By Joseph R Tiffany, Connie J Wolfe PhD and Allen Briskin
California appellate courts are clarifying potential liability under California’s Confidentiality of Medical Information Act, Cal. Civ. Code § 56 et seq (CMIA) of healthcare providers, health plans, pharmaceutical companies and others for the unauthorised disclosure of medical information. The CMIA provides that an individual may recover $1,000 (£584) nominal damages (plus actual damages if any) from a healthcare provider or other covered party that negligently releases that individual’s medical information. In data breaches involving large numbers of records and individuals, the potential liability can be enormous even without proof of any damages.
In a significant decision for healthcare providers and other holders of medical information, the California Court of Appeal recently decided that the CMIA’s civil liability provisions do not cover the theft of a hospital index containing personal identifying information unless the index also includes information relating to medical history, mental or physical condition or treatment. Eisenhower Medical Center v Superior Court (Malanche), No. E058378, 2014 WL 2115216, at *1 (Cal. Ct. App. May 21, 2014). In Eisenhower, the plaintiffs sought damages for a class of more than 500,000 individuals, which could amount to total nominal damages of more than $500m without any showing of actual injury. While the CMIA continues to impose significant obligations upon those within its coverage, this decision dramatically reduces the liability risk arising from the release of one type of information.
Under the CMIA, a provider of healthcare, healthcare service plan, pharmaceutical company or contractor is obligated to maintain ‘medical information… in a manner that preserves the confidentiality of the information contained therein’, and any such party ‘who negligently… maintains, preserves, stores, abandons, destroys or disposes of medical information’ is subject to specified remedies. Cal. Civ. Code § 56.101. Such remedies include nominal damages of $1,000 and/or actual damages from ‘any person or entity who has negligently released confidential information or records…’ Cal. Civ. Code § 56.36(b). The CMIA defines the term ‘medical information’ as follows…
Click on the link below to read the rest of the Pillsbury briefing.
News from Pillsbury Winthrop Shaw Pittman
News from The Lawyer
Briefings from Pillsbury Winthrop Shaw Pittman
The US House of Representatives has passed HR 3696, the National Cybersecurity and Critical Infrastructure Protection Act.
For the first time in more than 30 years, the Equal Employment Opportunity Commission (EEOC) has overhauled its guidance on pregnancy discrimination issues.