A new law that amends the California Confidentiality of Medical Information Act (CMIA) may provide some relief to HIPAA covered entities and business associates, some of whom have faced class action lawsuits seeking millions in statutory damages under the CMIA for large-scale data breaches. Because the CMIA—unlike HIPAA—creates a private right of action for individuals whose medical information has been breached, and because the CMIA provides for nominal damages of $1,000 even in the absence of actual damages to the individual whose information has been disclosed, the law increasingly has been the basis for class action lawsuits filed in California following medical data breaches. For example, last year a class action lawsuit seeking $20 million in damages under the CMIA, based on a data breach involving 20,000 patients’ records, was filed against Stanford Hospital & Clinics in Palo Alto.
The new law (AB 439) amends the CMIA to create an affirmative defense against liability for nominal damages. As discussed below, the affirmative defense is fairly narrow and applies only if, in addition to certain other requirements, the disclosure of information was by a HIPAA covered entity or business associate to another covered entity or business associate.
Under the amendment, which applies to claims brought on or after January 1, 2013, a court may not award nominal damages under the CMIA if the defendant establishes all of the following as an affirmative defense:
1. The defendant is a covered entity or business associate as defined under HIPAA;
2. The defendant has complied with any obligations to notify all persons entitled to receive notice regarding the release of the information or records;
3. The release of confidential information or records was solely to another covered entity or business associate;
4. The release of confidential information or records was not an incident of “medical identity theft” (which is defined as the use of an individual’s personal information, without the individual’s knowledge or consent, to obtain medical goods or services, or to submit false claims for medical services);
5. The defendant took appropriate preventive actions to protect the confidential information or records against release consistent with its obligations under the CMIA or other applicable state law and HIPAA, including but not limited to:
a. Developing and implementing security policies and procedures;
b. Designating a security official who is responsible for developing and implementing its security policies and procedures, including educating and training the workforce; and
c. Encrypting the information or records, and protecting against the release or use of the encryption key and passwords, or transmitting the information or records in a manner designed to provide equal or greater protections against improper disclosures.
6. The defendant took reasonable and appropriate corrective action after the release of the confidential information or records, and the covered entity or business associate that received the confidential information or records destroyed or returned the confidential information or records in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system;
7. The covered entity or business associate that received the confidential information or records, or any of its agents, independent contractors, or employees, regardless of the scope of the employee’s employment, did not retain, use, or release the information or records;
8. After the release of the confidential information or records, the defendant took reasonable and appropriate action to prevent a future similar release of confidential information or records; and
9. The defendant has not previously established this affirmative defense, or the court determines, in its discretion, that application of the affirmative defense is compelling and consistent with the purpose of promoting reasonable conduct in light of all the facts.
Additionally, in determining whether the affirmative defense is available, the court is to consider the equity of situation, including whether the defendant has previously violated the CMIA and the nature of any prior violation. If the defendant successfully establishes the affirmative defense, the plaintiff is entitled to recover reasonable attorney’s fees and costs, and the defendant may only be held liable for one judgment on the merits for releases of confidential information or records arising out of the same event, transaction, or occurrence.
The new law should provide some comfort to HIPAA covered entities and business associates that are subject to the CMIA, particularly in light of the potentially significant liability associated with the statute’s nominal damages provisions. Covered entities and business associates should be cognizant, however, of the limited nature of the affirmative defense, which is unlikely to apply to a "typical" data breach involving a lost or stolen laptop or an intrusion by a computer hacker.