Antitrust, UCL and Privacy

Competition: Spring 2015, Competition Vol. 24, No. 1

Content

THE DOCTOR IS IN, BUT YOUR MEDICAL INFORMATION IS OUT TRENDS IN CALIFORNIA PRIVACY CASES RELATING TO RELEASE OF MEDICAL INFORMATION

By Joseph R. Tiffany II, Connie J. Wolfe, Ph.D. and Allen Briskin1

Privacy breaches continue to be big news. In California, breaches of health care information are particularly sensitive, due to a number of state laws that provide legal remedies not available in other jurisdictions. While California’s Civil Code sections 1798.29, 1798.82 and its Unfair Competition Law ("UCL")2 are often relied on to remedy breaches of privacy, California also has the Confidentiality of Medical Information Act ("CMIA"),3 providing that an individual may recover $1,000 in nominal damages (plus actual damages if any) based on the negligent release of medical information by a health care provider or other covered party. As health care providers have moved toward the storage of medical data in large electronic databases containing information regarding many thousands of individuals, the potential number of people who may be affected by a single unauthorized release of medical information and the accompanying potential liability have skyrocketed. Until the past two years, however, there was little published authority interpreting the CMIA’s definition of "medical information" or its prohibition on the "release" of such information. California courts have now provided guidance on these two critical issues affecting the potential liability of providers and others who sustain health care data breaches.

I. SCOPE OF THE CMIA

The CMIA, enacted in 1981 and since amended several times, obligates any "provider of health care, health care service plan, pharmaceutical company or contractor" to maintain "medical information . . . in a manner that preserves the confidentiality of the information contained therein."4 "Contractors" under the CMIA include medical groups, independent practice associations, certain pharmaceutical benefits managers and medical service organizations. The CMIA has recently been broadened to cover businesses that are "organized for the purpose of maintaining medical information" and "any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information" (e.g., personal health record vendors), even though such entities are excluded from the definition of "provider of health care for purposes of any law other than this part, [section 56.06]."5

Join CLA to access this page

Join

Log in

Forgot Password

Enter the email associated with you account. You will then receive a link in your inbox to reset your password.

Personal Information

Select Section(s)

CLA Membership is $99 and includes one section. Additional sections are $99 each.

Payment