August 2014 sycr.com

Authors:

Travis P. Brennan (949) 725-4271 [email protected]

Mohammed Elayan (949) 725-4077 [email protected]

California Ruling On Medical Privacy Law Should Please Big Hospitals But Not Specialty Healthcare Providers

Narrow judicial interpretations of compliance obligations are usually cause for relief among those bearing compliance costs and the risks of non-compliance. Then there's the recent decision on the scope of what constitutes patient "medical information" requiring protection under California's Confidentiality of Medical Information Act ("CMIA") in Eisenhower Medical Center v. Superior Court, May 21, 2014 Opinion, California Court of Appeal, Case No. E058378.

At first blush, the opinion from the 4th District Court of Appeal (the "Court") (which encompasses Riverside County) is an unequivocal "win" for regulated healthcare providers. It reduces the scope of the types of information under the CMIA that providers must individually safeguard and that, if publicly but perhaps unintentionally disclosed, can result in liability. For large hospitals and other providers of general medical services, the ruling will likely make their data security obligations clearer, simpler, and maybe less expensive. What's more, it reduces the threat to such providers of a crippling damages award: the CMIA permits an award of $1,000 per affected individual without requiring proof of actual harm resulting from a data breach.

And that's where the new comfort should end: with large, general providers. For other providers who are known as being dedicated to specific services or treatments, the ruling contains a substantial caveat that actually makes privacy requirements more ambiguous, and may lead to a very different, and costly, application of the CMIA in other contexts.

A Potential Exception To The Court Of Appeal's Otherwise Narrow Reading Of Healthcare Providers' Data Security Obligations Introduces Uncertainty For Future Litigation.

The CMIA defines, in relevant part, "medical information" as "any individually identifiable information... regarding a patient's medical history, mental or physical condition, or treatment." The act further defines the term "individually identifiable" information as including "the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity."

On May 21, 2014, the Court ruled that release of a medical center's index containing some personally identifiable patient information, but not information about medical history, mental or physical condition, or treatment, cannot constitute a violation of the CMIA because the information disclosed was not "medical information" under the act.

The case arose from common theft but led to massive legal exposure. In 2011, someone stole a computer from Eisenhower Medical Center containing the index of over 500,000 patients, which listed each patient's age, birth date, last four digits of his or her Social Security Number, and an assigned medical number. The information was password-protected, but not encrypted. Eisenhower Medical notified the affected individuals. About two weeks later, some of those individuals filed a class action lawsuit seeking nominal damages of $1,000 for each class member affected, as provided for under the CMIA. Potential total damages exceeded $500,000,000.

Eisenhower Medical filed a motion asking the trial court to decide, based on undisputed facts and without a trial, that the information disclosed did not constitute "medical information" under the CMIA and therefore did not expose Eisenhower Medical to liability. The court denied the motion, holding that the plaintiffs' claim under the CMIA could proceed.

Challenging that ruling at the Court of Appeal, Eisenhower Medical argued that, under the CMIA, disclosure of "medical information" must not only include personally identifiable information but also information regarding a patient's medical history, mental or physical condition, or treatment. The Court agreed and reversed the lower court's decision, removing the immediate threat of a nine-figure damages award.

The Court rejected the plaintiffs' argument that the mere presence of a person's name on the index was sufficient to make Eisenhower Medical liable. To the Court, it was obvious from the plain meaning of the statute that "medical information" cannot mean just any patient-related information held by a healthcare provider, but must be "individually identifiable information and also include a patient's medical history, mental or physical condition, or treatment." (Emphasis added.) Furthermore, the definition of "medical information" does not encompass demographic or numeric information that does not reveal medical history, diagnosis, or care. The Court stressed that the mere fact that a person is or was a patient is not accorded the same level of privacy as more specific information about his medical history.

This ruling clarifies that, generally, personal identifying patient information does not, alone, constitute "medical information" under the CMIA. That interpretation, in theory, further limits the scope of liability. Nevertheless, it is not hard to forecast future exceptions to the rule. In fact, the Court quietly described a potentially large exception in its opinion. In a footnote, the Court admitted that revealing that a person was a patient of certain health care providers, "such as an AIDS clinic," may be a different matter altogether.

That footnote is not binding on future cases because it concerns a hypothetical set of facts not before the Court, but it leaves significant flexibility for courts applying the CMIA in different contexts. Future cases that involve large hospitals providing a full range of medical care are likely to follow the Court's general holding. But courts in cases concerning providers that treat only some illnesses, or provide very specific services, might view a disclosure of only limited information differently because of the unique threat to privacy posed when disclosure of even those providers' most basic information indicates a patient's specific medical condition, history, or treatment. Indeed, any provider whose specialty is narrow enough to permit one to infer the nature of a patient's illness or treatment merely from associating a patient's name with that provider might, after the Eisenhower Medical ruling, effectively have a broader obligation to protect more basic patient data. In California, that group encompasses thousands of healthcare providers, big and small.

Here's What Specialty Providers Should Do.

In light of the uncertainty in potential application of the CMIA in other contexts, boards of directors, managers, and employees of specialty providers should not view the Eisenhower Medical ruling as a license to relax privacy compliance efforts in any respect. To the contrary, the ruling provides a reminder to develop and implement policies and practices sufficient to comply not just with the CMIA, but also with the current patchwork of other state and federal laws concerning privacy and data protection that are being enforced and litigated with increasing frequency.

By now, no provider should be starting from scratch in this regard. All healthcare providers should already ensure development, maintenance, and appropriate application of policies, procedures, and technology that protect patient information. Company boards and management should assess at least the following matters:

(1) what types of data about each patient are preserved;

(2) what, among those data types, could potentially be considered personally identifiable information;

(3) where such data resides (e.g., on a drive at the provider's office or on a server in a different location that a contracted third party owns or maintains);

(4) the nature and likelihood of the cyber and other security threats to such data;

(5) the technology necessary to provide reasonable protection against such threats including, but not limited to, data encryption;

(6) the policies currently in place to secure data and report breaches; and

(7) whether the company's view of what constitutes personally identifiable information or its policies and procedures concerning data protection warrant modification in light of the Eisenhower Medical ruling or any other relevant developments in privacy and data protection law.

In fact, patient privacy and data security should be a routine part of internal risk management for healthcare providers. Statutory damages of the type available under the CMIA, which don't require proof of harm, may gain in popularity in light of the difficulty inherent in proving measurable damage to patients or consumers resulting from the mere fact of a data breach. Devoting appropriate resources to regularly addressing privacy and data security matters need not be daunting, but failure to do so may have very tangible, and significant, consequences.

Travis P. Brennan (949) 725-4271 [email protected]

Mohammed Elayan (949) 725-4077 [email protected]

This publication is provided for your convenience and does not constitute legal advice. It is prepared for the general information of our clients and other interested persons. This newsletter should not be acted upon in any specific situation without appropriate legal advice.