California Court of Appeals, Second District, Seventh Division
Order File Date November 13, 2013
ORIGINAL PROCEEDINGS in mandate. Kenneth R. Freeman, Judge. Los Angeles County Super. Ct. No. BC494928
Office of the General Counsel, University of California, Charles F. Robinson, Karen J. Petrulakis, Margaret L. Wu; Munger, Tolles & Olson, Bradley S. Phillips and Michelle A. Friedland, for Petitioner.
Lois J. Richardson, for California Hospital Association, as Amicus Curiae on behalf of Petitioner.
Pillsbury Winthrop Shaw Pittman, Kevin M. Fong and Sarah G. Flanagan, for Lucile Packard Children’s Hospital and Stanford Hospital and Clinics, as Amici Curiae on behalf of Petitioner.
Francisco J. Silva and Lisa Matsubara, for California Medical Association as Amicus Curiae on behalf of Petitioner.
Bartko, Zankel, Bunzel & Miller, Robert H. Bunzel, William I. Edlund, Michael D. Abraham, Simon R. Goodfellow, for Sutter Health, Sutter Medical Foundation and Sutter Connect, as Amicus Curiae on behalf of Petitioner.
No appearance for Respondent.
Kabateck Brown Kellner, Brian S. Kabateck, Richard L. Kellner; Ernst Law Group, Don A. Ernst, Taylor Ernst, for Real Party in Interest.
ORDER MODIFYING OPINION AND DENYING REHEARING
It is ordered that the opinion filed here on October 15, 2013 be modified as follows:
1. On page 17, delete footnote 12 in its entirety and replace it with:
12. We recognize “release” in section 56.36, subdivision (b), is used in the active, not passive, voice: An action may be brought “against any person or entity who has negligently released confidential information..., ” rather than brought by a person whose confidential information has been released. However, that a patient may need to plead and prove the health care provider engaged in some affirmative conduct leading to an unauthorized third party’s access to confidential information does not mean, as the Regents argues, the negligent conduct must involve a communicative act.
2. On page 24, at the end the paragraph before the disposition, after the sentence ending “demurrer should have been sustained without leave to amend and the case dismissed.” add as footnote 15 the following footnote:
15. In a petition for rehearing Platter for the first time requests leave to amend the complaint to allege the confidentiality of her personal information on the encrypted external hard drive was breached as a result of the Regents’s negligence. Specifically, Platter asserts “within months” of the loss of the external hard drive an unauthorized telephone account was opened using the same personal information that was contained on the hard drive. Because she had not previously been the victim of identity theft, Platter contends it is a reasonable inference the two events are related and the unidentified individual who opened the telephone account is either the unknown thief who stole the hard drive or someone who obtained Platter’s information from the thief.
We acknowledge leave to amend should be granted when the plaintiff has demonstrated a “reasonable possibility” she can amend her claim to state a viable cause of action (see Schifando v. City of Los Angeles, supra, 31 Cal.4th at p. 1081), even if no similar request was made in the trial court. (See Code Civ. Proc., § 472c, subd. (a); Schultz v. Harney (1994) 27 Cal.App.4th 1611, 1623.) But here Platter’s request is too late, coming only after she admitted in her return to the Regents’s petition she had not alleged that any person accessed, viewed or used the confidential information on the external hard drive and then failed to suggest any possible amendment to the complaint in her briefing in this court or even at oral argument when questioned about the possible significance of a release of confidential information that was not thereafter accessed by an unauthorized individual. (See Reynolds v. Bement (2005) 36 Cal.4th 1075, 1091-1092 [argument regarding possible amendment of complaint not properly raised for first time in petition for rehearing].) Moreover, Platter concedes there are other means by which her personal information may have been obtained, and the Regents has presented information the theft of the external hard drive occurred in Hawaii, not Southern California as Platter has assumed and where the identity theft apparently took place. Under the circumstances there are simply too many layers of speculation required for these minimal facts to be considered sufficient to overcome the deficiency in Platter’s complaint. (See Sandler v. Sanchez (2012) 206 Cal.App.4th 1431, 1437 [leave to amend should not be granted where amendment would be futile]; Vaillette v. Fireman’s Fund Ins. Co. (1993) 18 Cal.App.4th 680, 685 [same].)
There is no change in judgment. The parties’ petitions for rehearing are denied.
PERLUSS, P. J.
The Confidentiality of Medical Information Act (CMIA) (Civ. Code, § 56 et seq.) prohibits health care providers and related entities from disclosing medical information regarding a patient without authorization except in certain specified instances. (§ 56.10.) A patient may bring an action for actual damages, nominal (statutory) damages of $1, 000, or both against any person or entity that negligently released confidential medical information concerning him or her in violation of CMIA. (§ 56.36, subd. (b).) In addition, any person or entity that negligently disclosed medical information in violation of CIMA is subject to an administrative fine or civil penalty. (§ 56.36, subd. (c).)
Under CMIA every health care provider who creates, maintains or disposes of medical information is also required to do so in a manner that preserves the confidentiality of that information. (§ 56.101, subd. (a).) Any provider who negligently creates, maintains or disposes of medical information is “subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36.” (§ 56.101, subd. (a).)
Does this statutory scheme authorize a private cause of action for damages based solely on the negligent maintenance or storage of medical information even if the patient’s confidential records were never viewed or otherwise accessed by an unauthorized individual? Specifically, has a cause of action for nominal or statutory damages of $1, 000 been adequately pleaded by real party in interest and putative class plaintiff Melinda Platter, who has alleged the Regents of the University of California, through its UCLA Health System, failed to have reasonable systems and controls in place to prevent the removal of protected medical information from one of its hospitals and, as a result, negligently lost possession of that information?
Ruling a damage claim may be stated under section 56.101, subdivision (a), based on a health care provider’s negligent maintenance or storage of an individual’s medical information without regard to whether it resulted in any actual release or disclosure of the information, respondent Los Angeles Superior Court overruled the Regents’s demurrer to Platter’s complaint. Although we do not agree with the Regents’s argument an affirmative communicative act by the health care provider is an essential element of Platter’s claim, we hold, by incorporating the remedy specified in section 56.36, subdivision (b), section 56.101 allows a private right of action for negligent maintenance only when such negligence results in unauthorized or wrongful access to the information. Because Platter cannot allege her information was improperly viewed or otherwise accessed, we grant the Regents’s petition and issue a writ of mandate to the superior court directing it to vacate its order overruling the Regents’s demurrer and to enter a new order sustaining the demurrer without leave to amend and dismissing the action.
FACTUAL AND PROCEDURAL BACKGROUND
1. The Loss of the Encrypted External Hard Drive and Platter’s ...