THE DOCTOR IS IN, BUT YOUR MEDICAL INFORMATION IS OUT: TRENDS IN CALIFORNIA PRIVACY CASES RELATING TO RELEASE OF MEDICAL INFORMATION
By Joseph R. Tiffany II, Connie J. Wolfe, Ph.D. and Allen Briskin [1]
Privacy breaches continue to be big news. In California, breaches of health care information are particularly sensitive, due to a number of state laws that provide legal remedies not available in other jurisdictions. While California’s Civil Code sections 1798.29, 1798.82 and its Unfair Competition Law ("UCL") [2] are often relied on to remedy breaches of privacy, California also has the Confidentiality of Medical Information Act ("CMIA"), [3] providing that an individual may recover $1,000 in nominal damages (plus actual damages, if any) based on the negligent release of medical information by a health care provider or other covered party. As health care providers have moved toward the storage of medical data in large electronic databases containing information regarding many thousands of individuals, the potential number of people who may be affected by a single unauthorized release of medical information, and the accompanying potential liability, have skyrocketed. Until the past two years, however, there was little published authority interpreting the CMIA’s definition of "medical information" or its prohibition on the "release" of such information. California courts have now provided guidance on these two critical issues affecting the potential liability of providers and others who sustain health care data breaches.
I. SCOPE OF THE CMIA
The CMIA, enacted in 1981 and since amended several times, obligates any "provider of health care, health care service plan, pharmaceutical company or contractor" to maintain "medical information . . . in a manner that preserves the confidentiality of the information contained therein." [4] "Contractors" under the CMIA include medical groups, independent practice associations, certain pharmaceutical benefits managers and medical service organizations. The CMIA has recently been broadened to cover businesses that are "organized for the purpose of maintaining medical information" and "any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information" (e.g., personal health record vendors), even though such entities are excluded from the definition of "provider of health care for purposes of any law other than this part, [section 56.06]." [5]