California Court of Appeals, Second District, Seventh Division
ORIGINAL PROCEEDINGS in mandate. Kenneth R. Freeman, Judge. Los Angeles County Super. Ct. No. BC494928.
Office of the General Counsel, University of California, Charles F. Robinson, Karen J. Petrulakis, Margaret L. Wu; Munger, Tolles & Olson, Bradley S. Phillips and Michelle A. Friedland, for Petitioner.
Lois J. Richardson, for California Hospital Association, as Amicus Curiae on behalf of Petitioner.
Pillsbury Winthrop Shaw Pittman, Kevin M. Fong and Sarah G. Flanagan, for Lucile Packard Children’s Hospital and Stanford Hospital and Clinics, as Amici Curiae on behalf of Petitioner.
Francisco J. Silva and Lisa Matsubara, for California Medical Association as Amicus Curiae on behalf of Petitioner.
Bartko, Zankel, Bunzel & Miller, Robert H. Bunzel, William I. Edlund, Michael D. Abraham, Simon R. Goodfellow, for Sutter Health, Sutter Medical Foundation and Sutter Connect, as Amicus Curiae on behalf of Petitioner.
No appearance for Respondent.
Kabateck Brown Kellner, Brian S. Kabateck, Richard L. Kellner; Ernst Law Group, Don A. Ernst, Taylor Ernst, for Real Party in Interest.
PERLUSS, P. J.
The Confidentiality of Medical Information Act (CMIA) (Civ. Code, § 56 et seq.) prohibits health care providers and related entities from disclosing medical information regarding a patient without authorization except in certain specified instances. (§ 56.10.) A patient may bring an action for actual damages, nominal (statutory) damages of $1,000, or both against any person or entity that negligently released confidential medical information concerning him or her in violation of CMIA. (§ 56.36, subd. (b).) In addition, any person or entity that negligently disclosed medical information in violation of CMIA is subject to an administrative fine or civil penalty. (§ 56.36, subd. (c).)
Under CMIA every health care provider who creates, maintains or disposes of medical information is also required to do so in a manner that preserves the confidentiality of that information. (§ 56.101, subd. (a).) Any provider who negligently creates, maintains or disposes of medical information is “subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36.” (§ 56.101, subd. (a).)
Does this statutory scheme authorize a private cause of action for damages based solely on the negligent maintenance or storage of medical information even if the patient’s confidential records were never viewed or otherwise accessed by an unauthorized individual? Specifically, has a cause of action for nominal or statutory damages of $1,000 been adequately pleaded by real party in interest and putative class plaintiff Melinda Platter, who has alleged the Regents of the University of California, through its UCLA Health System, failed to have reasonable systems and controls in place to prevent the removal of protected medical information from one of its hospitals and, as a result, negligently lost possession of that information?
Ruling a damage claim may be stated under section 56.101, subdivision (a), based on a health care provider’s negligent maintenance or storage of an individual’s medical information without regard to whether it resulted in any actual release or disclosure of the information, respondent Los Angeles Superior Court overruled the Regents’s demurrer to Platter’s complaint. Although we do not agree with the Regents’s argument an affirmative communicative act by the health care provider is an essential element of Platter’s claim, we hold, by incorporating the remedy specified in section 56.36, subdivision (b), section 56.101 allows a private right of action for negligent maintenance only when such negligence results in unauthorized or wrongful access to the information. Because Platter cannot allege her information was improperly viewed or otherwise accessed, we grant the Regents’s petition and issue a writ of mandate to the superior court directing it to vacate its order overruling the Regents’s demurrer and to enter a new order sustaining the demurrer without leave to amend and dismissing the action.
FACTUAL AND PROCEDURAL BACKGROUND
1. The Loss of the Encrypted External Hard Drive and Platter’s Complaint for Violation of CMIA
In a letter dated November 4, 2011 signed by Robert Gross, chief privacy officer of the UCLA Health System & David Geffen School of Medicine, the Regents advised certain patients treated at UCLA facilities that an encrypted external hard drive containing some of their personally identifiable medical information had been stolen as part of a home invasion robbery approximately two months earlier. The letter also informed the recipients the password for the encrypted information was written on an index card near the device and that card could not be located. The letter stated, “The theft was reported to the police and there is no evidence suggesting that your information has been accessed or misused.” A public notice regarding the incident was published in the Los Angeles Times for three consecutive days on November 4-6, 2011.
On October 30, 2012 Platter filed a class action complaint in Los Angeles Superior Court seeking damages from the Regents in a single cause of action for unlawful disclosure of confidential medical information in violation of CMIA. Platter alleged she had been treated on numerous occasions at Ronald Reagan UCLA Medical Center and was one of more than 16,000 UCLA Health System patients who had been notified of the loss of the external hard drive and the related password needed to decode the encrypted data. According to Platter’s complaint, a physician in the UCLA Faculty Practice Group took the external hard drive, which contained patient names, dates of birth, addresses, financial information and medical records, to his home and left it unsecured with the encryption password. On or about September 6, 2011 the hard drive and written password were taken from the physician’s home. As of the date of the complaint neither the hard drive nor the encryption password had been recovered.
Platter alleged the Regents had failed to exercise due care to prevent the release or disclosure of her private medical information and that of the other putative class members without their written authorization. Specifically, “It failed to have reasonable systems and controls in place to prevent the removal of protected health information from the hospital premises and as a result it negligently lost possession of the hard drive and encryption passwords.” Platter did not allege she had suffered any actual damages, but sought statutory damages of $1,000 for herself and for each member of the putative class pursuant to section 56.36, subdivision (b).
2. The Regents’s Demurrer; Platter’s Response
The Regents demurred to the complaint on January 18, 2013 pursuant to Code of Civil Procedure section 430.10, subdivision (e), contending Platter had failed to state facts sufficient to constitute a cause of action for statutory damages under CMIA because that remedy was available only if a health care provider had negligently “disclosed” or “released” confidential medical information and Platter had not alleged her medical information was disclosed or released by the Regents within the meaning of CMIA. In its memorandum of points and authorities the Regents asserted disclosure or release by a health care provider under CMIA occurs only when the provider actively communicates medical information to a third party without the patient’s authorization: “A ‘disclosure’ or ‘release’ within the meaning of CMIA does not occur when a third party—through burglary, computer hacking or otherwise—wrongfully obtains such information against the health care provider’s will.” Negligent storage or maintenance of medical information by a health care provider without such active disclosure or release, the Regents argued, could subject the health care provider to administrative discipline, including fines or civil penalties, but not a private cause of action for damages under section 56.36, subdivision (b).
In her response Platter disputed the Regents’s construction of the governing statutes. According to Platter, CMIA provides a cause of action for statutory damages in any case where it can be proved a health care provider’s negligence was the proximate cause of an unauthorized third party obtaining confidential patient information, whether the third party is a thief or the intended recipient of the provider’s affirmative or intentional act of communication.
The Regents filed a reply memorandum. Both parties also submitted requests for judicial notice to the superior court, including with their papers excerpts from the legislative history of CMIA (in the request by Platter), as well as separate legislation enacted to safeguard electronically stored medical ...