The Confidentiality of Medical Information Act (CMIA) (Civ. Code, § 56 et seq.)
Under CMIA every health care provider who creates, maintains or disposes of medical information is also required to do so in a manner that preserves the confidentiality of that information. (§ 56.101, subd. (a).) Any provider who negligently creates, maintains or disposes of medical information is "subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36." (§ 56.101, subd. (a).)
Does this statutory scheme authorize a private cause of action for damages based solely on the negligent maintenance or storage of medical information even if the patient's confidential records were never viewed or otherwise accessed by an unauthorized individual? Specifically, has a cause of action for nominal or statutory damages of $1,000 been adequately pleaded by real party in interest and putative class plaintiff Melinda Platter, who has alleged the Regents of the University of California, through its University of California at Los Angeles (UCLA) health system (UCLA Health System), failed to have reasonable systems and controls in place to prevent the removal of protected medical information from one of its hospitals and, as a result, negligently lost possession of that information?
FACTUAL AND PROCEDURAL BACKGROUND
1. The Loss of the Encrypted External Hard Drive and Platter's Complaint for Violation of CMIA
In a letter dated November 4, 2011 signed by Robert Gross, chief privacy officer of the UCLA Health System and David Geffen School of Medicine, the Regents advised certain patients treated at UCLA facilities that an encrypted external hard drive containing some of their personally identifiable medical information had been stolen as part of a home invasion robbery approximately two months earlier. The letter also informed the recipients the password for the encrypted information was written on an index card near the device and that card could not be located. The letter stated, "The theft was reported to the police and there is no evidence suggesting that your information has been accessed or misused." A public notice regarding the incident was published in the Los Angeles Times for three consecutive days from November 4 to 6, 2011.
On October 30, 2012 Platter filed a class action complaint in Los Angeles Superior Court seeking damages from the Regents in a single cause of action for unlawful disclosure of confidential medical information in violation of CMIA. Platter alleged she had been treated on numerous occasions at Ronald Reagan UCLA Medical Center and was one of more than 16,000 UCLA Health System patients who had been notified of the loss of the external hard drive and the related password needed to decode the encrypted data. According to Platter's complaint, a physician in the UCLA Faculty Practice Group took the external hard drive, which contained patient names, dates of birth, addresses, financial information and medical records, to his home and left it unsecured with the encryption password. On or about September 6, 2011 the hard drive and written password were taken from the physician's home. As of the date of the complaint neither the hard drive nor the encryption password had been recovered.
2. The Regents's Demurrer; Platter's Response
The Regents demurred to the complaint on January 18, 2013 pursuant to Code of Civil Procedure section 430.10, subdivision (e), contending Platter had failed to state facts sufficient to constitute a cause of action for statutory damages under CMIA because that remedy was available only if a health care provider had negligently "disclosed" or "released" confidential medical information and Platter had not alleged her medical information was disclosed or released by the Regents within the meaning of CMIA. In its memorandum of points and authorities the Regents asserted disclosure or release by a health care provider under CMIA occurs only when the provider actively communicates medical information to a third party without the patient's authorization: "A `disclosure' or `release' within the meaning of CMIA does not occur when a third party — through burglary, computer hacking or otherwise — wrongfully obtains such information against the health care provider's will." Negligent storage or maintenance of medical information by a health care provider without such active disclosure or release, the Regents argued, could subject the health care provider to administrative discipline, including fines or civil penalties, but not a private cause of action for damages under section 56.36, subdivision (b).
In her response Platter disputed the Regents's construction of the governing statutes. According to Platter, CMIA provides a cause of action for statutory damages in any case where it can be proved a health care provider's negligence was the proximate cause of an unauthorized third party obtaining confidential patient information, whether the third party is a thief or the intended recipient of the provider's affirmative or intentional act of communication.
3. The Superior Court's Order Overruling the Demurrer but Striking Portions of the Complaint
The superior court heard oral argument on April 11, 2013. On April 19, 2013 the court issued a 16-page ruling and order, overruling the Regents's demurrer but striking a portion of Platter's cause of action for violation of CMIA.
Relying upon what it concluded was the plain meaning of the terms at issue, the court agreed with the Regents that, under the facts as alleged, there was no disclosure of confidential information, a prerequisite to a claim for violation of section 56.10. However, the court also ruled CMIA established two separate types of wrongful conduct — wrongful disclosure of confidential medical information under section 56.10 and wrongful maintenance and storage of confidential information under section 56.101: "[T]he negligent maintenance, preservation, and storage of confidential data under § 56.101 specifically provides the remedy of $1,000 in nominal damages.... This is because the remedy portion of § 56.36(b) and (c) is incorporated by reference into § 56.101. As such, on the face of the statute, there is no requirement under § 56.101 that, to be eligible for the $1,000 nominal damages (or, as the case may be, actual damages), that there also have been a negligent release of the confidential information under § 56.36(b)."
Based on this analysis of the statutory scheme, the court overruled the demurrer, finding Platter had stated a claim for violation of CMIA because she alleged the Regents "failed to have reasonable systems and controls in place to prevent the removal of protected health information from the hospital premises and as a result it negligently lost possession of the hard drive and encryption passwords." Nevertheless, because Platter had not alleged any affirmative disclosure of confidential information by the Regents, the court struck that portion of her CMIA claim premised on the allegation (in par. 46 of the complaint) that the Regents had "failed to exercise due care to prevent the release or disclosure of private medical information of Plaintiff and the class members without their written authorization."
4. The Writ Proceedings
On June 4, 2013 the Regents petitioned this court for a writ of mandate directing the superior court to vacate its order overruling the demurrer and to enter a new order sustaining the demurrer without leave to amend and dismissing the action. The petition argued the superior court's ruling would create a sweeping private right of action that was not intended by the Legislature, emphasized the Regents's potential liability for $16 million in nominal damages under the superior court's interpretation of CMIA and asserted the need to expend resources to defend this litigation, rather than resolve the pure legal question raised through this writ proceeding, would create serious difficulties for the Regents.
While initially considering the petition we received letter briefs from amici curiae in support of the Regents's position from the Lucile Packard Children's Hospital and Stanford Hospital and Clinic, the California Hospital Association and the California Medical Association. Real party in interest Platter submitted an opposition to the petition for writ of mandate, and the Regents filed a reply. On June 25, 2013 we issued an order to show cause why the relief requested in the petition should not be granted. On July 22, 2013 Platter filed her return to the petition, and on August 12, 2013 the Regents filed its reply. On August 23, 2013 we received an amicus curiae brief in support of the Regents from Sutter Health, Sutter Medical Foundation and Sutter Connect, LLC, doing business as Sutter Physician Services, which advised us, in part, the issue presented here is also currently pending before the Third District Court of Appeal (Sutter Health v. Superior Court (C072591)).
1. The Propriety of Extraordinary Writ Relief
An order overruling a demurrer is not directly appealable and will rarely be reviewed in a petition for extraordinary writ relief. (See, e.g., Brandt v. Superior Court (1985) 37 Cal.3d 813, 816 [210 Cal.Rptr. 211, 693 P.2d 796] ["we are reluctant to exercise our discretion to review rulings at the pleading stage of a lawsuit..."]; City of Huntington Park v. Superior Court (1995) 34 Cal.App.4th 1293,
2. Standard of Review
A demurrer tests the legal sufficiency of the factual allegations in a complaint. We independently review the superior court's ruling on a demurrer and determine de novo whether the complaint alleges facts sufficient to state a cause of action or discloses a complete defense. (McCall v. PacifiCare of Cal., Inc. (2001) 25 Cal.4th 412, 415 [106 Cal.Rptr.2d 271, 21 P.3d 1189]; Aubry v. Tri-City Hospital Dist. (1992) 2 Cal.4th 962, 967 [9 Cal.Rptr.2d 92, 831 P.2d 317].) We assume the truth of the properly pleaded factual allegations, facts that reasonably can be inferred from those expressly pleaded and matters of which judicial notice has been taken. (Evans v. City of Berkeley (2006) 38 Cal.4th 1, 20 [40 Cal.Rptr.3d 205, 129 P.3d 394]; Schifando v. City of Los Angeles (2003) 31 Cal.4th 1074, 1081 [6 Cal.Rptr.3d 457, 79 P.3d 569].) We liberally construe the pleading with a view to substantial justice between the parties. (Code Civ. Proc., § 452; Schifando, at p. 1081.)
3. The Controlling Statutes
Section 56.10, subdivision (a), provides, "No provider of health care, health care service plan, or contractor shall disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan without first obtaining an authorization, except as provided in subdivision (b) or (c)."
Section 56.35 provides, "In addition to any other remedies available at law, a patient whose medical information has been used or disclosed in violation of Section 56.10 ... and who has sustained economic loss or personal injury therefrom may recover compensatory damages, punitive damages not to exceed three thousand dollars ($3,000), attorneys' fees not to exceed one thousand dollars ($1,000), and the costs of litigation."
Section 56.36, subdivision (a), provides any violation of CMIA that results in economic loss or personal injury to a patient is punishable as a misdemeanor.
Section 56.36, subdivision (b), provides, "In addition to any other remedies available at law, any individual may bring an action against any person or entity who has negligently released confidential information or records concerning him or her in violation of this part, for either or both of the following: [¶] (1) Except as provided in subdivision (e), nominal damages of one thousand dollars ($1,000). In order to recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual damages. [¶] (2) The amount of actual damages, if any, sustained by the patient."
Section 56.36, subdivision (c), establishes a schedule of escalating administrative fines and civil penalties for unauthorized negligent and willful disclosure or use of confidential patient information in violation of CMIA.
Section 56.101, subdivision (a), provides, "Every provider of health care, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical
4. The Complaint Fails to State Facts Sufficient to Constitute a Cause of Action for Statutory Damages Under CMIA
The superior court found, and the Regents does not dispute, Platter's complaint adequately alleges the Regents violated the duty imposed by section 56.101, subdivision (a), to maintain and store medical information in a manner that preserves the confidentiality of that information. (Cf. Mack v. Soung (2000) 80 Cal.App.4th 966, 971 [95 Cal.Rptr.2d 830] [all properly pleaded allegations deemed true for purposes of demurrer regardless of plaintiff's ability to later prove them].) The Regents, therefore, is potentially "subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36." (§ 56.101, subd. (a).) Section 56.36, subdivision (c), concerns administrative fines and civil penalties and is not directly at issue in this case. Subdivision (b) authorizes an individual action for damages (actual and/or $1,000 in nominal or statutory damages), but what is the nature of that remedy as applied to the negligent maintenance or storage of medical information? Specifically, who may bring the action, and what must he or she plead and prove?
a. A cause of action for statutory damages based on negligent storage or maintenance of confidential medical information requires pleading and proof that the plaintiff's confidential information has been released to a third party
Obviously troubled by the implications of its conclusion that "disclose," as used in section 56.10, subdivision (a), and "release," as used in section 56.36, subdivision (b), are synonymous and that both require an affirmative communicative act, as the Regents had argued — the issue we discuss in the following section of this opinion — the superior court determined CMIA defined "two separate species of wrongful conduct" and "two separate violations": the wrongful disclosure of confidential medical information under section 56.10 and the wrongful maintenance and storage of confidential information under section 56.101, subdivision (a). In the absence of proof of actual damages, the remedy for the negligent release of information, which the court equated with its wrongful disclosure, is $1,000 in nominal or
The superior court read section 56.101, subdivision (a)'s incorporation of "the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36" far too narrowly. The remedy provided in subdivision (b) is the right of an individual whose confidential information has been released in violation of CMIA to bring a private cause of action for nominal and/or actual damages. (See Legis. Counsel's Dig., Sen. Bill No. 19 (1999-2000 Reg. Sess.) 5 Stats. 1999, Summary Dig., p. 218 ["[t]he bill would provide that violation of the act would be grounds for suspension o[r] revocation of a health care service plan's license and would create a right of action to recover damages, as specified, for any individual whose confidential information or records are negligently released ..."].) By incorporating the entire subdivision (b) "remedy," and not simply the measure of damages described in subdivision (b)(1) and (2), the Legislature plainly intended an action predicated on a health care provider's negligent maintenance of confidential information in violation of section 56.101 also plead and prove a release of that information.
This use of the term "remedy" to refer to the private cause of action itself, rather than to the particular form of relief available, is hardly unusual. (See, e.g., Munson v. Del Taco, Inc. (2009) 46 Cal.4th 661, 673 [94 Cal.Rptr.3d 685, 208 P.3d 623] [addition of subd. (f) to § 51, part of the Unruh Civil Rights Act (§ 51 et seq.), which incorporated the Americans with Disabilities Act of 1990 (ADA; 42 U.S.C. § 12101 et seq.), was intended to provide a person injured by violation of the ADA with the "remedy" of a "private damages action"]; Lu v. Hawaiian Gardens Casino, Inc. (2010) 50 Cal.4th 592, 597 [113 Cal.Rptr.3d 498, 236 P.3d 346] [discussing how courts determine whether Legislature intended to create a private cause of action; "a statute may refer to a remedy or means of enforcing its substantive provisions, i.e., by way of an action"]; id. at p. 604 ["`nothing we hold herein would prevent the Legislature from creating additional civil or administrative remedies, including, of course, creation of a private cause of action for violation of [the Labor Code section at issue]"]; see also San Diego Gas & Electric Co. v. Superior Court (1996) 13 Cal.4th 893, 916 [55 Cal.Rptr.2d 724, 920 P.2d 669]
Any lingering uncertainty about this interpretation of the elements of a private cause of action based on negligent maintenance of medical records is dispelled by the original language of Senate Bill No. 19 (1999-2000 Reg. Sess.) (Sen. Bill No. 19), which added both sections 56.101 and 56.36, subdivisions (b) and (c), to CMIA, effective January 1, 2000. (Stats. 1999, ch. 526, §§ 3, 8, pp. 3647, 3650.)
The following year, as part of legislation making technical and clarifying changes to CMIA, section 56.101 was amended to substitute "negligently creates, maintains, preserves, stores" for "negligently disposes" and to replace "subject to the provisions of this part" with "subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36." (Stats. 2000, ch. 1067, § 4, p. 8209; see Sen. Com. on Ins., Analysis of Sen. Bill
b. A cause of action for statutory damages based on negligent storage or maintenance of confidential medical information requires pleading and proof of a release of the information but not an affirmative communicative act by the health care provider
i. "To disclose" and "to release" are not synonymous
CMIA does not define "disclose" or "release." As a matter of their common or ordinary dictionary meanings, however, "to disclose" and "to release" are not synonymous. (See generally Angelucci v. Century Supper Club (2007) 41 Cal.4th 160, 168 [59 Cal.Rptr.3d 142, 158 P.3d 718] ["[i]n interpreting a statute, we first consider its words, giving them their ordinary meaning and construing them in a manner consistent with their context and the apparent purpose of the legislation"].) "Disclose," as the Regents explains, is an active verb, denoting in the context of CMIA and the protections afforded confidential medical information an affirmative act of communication.
ii. Established principles of statutory construction require we ascribe different meanings to different words used in the same statutory scheme and avoid an interpretation that would render any provision superfluous
As discussed, both sections 56.101 and 56.36, subdivision (b), were added to CMIA by Senate Bill No. 19 in 1999. Prior to that time the Legislature had provided a private cause of action for a patient "whose medical information had been used or disclosed in violation of Section 56.10 ... and who has sustained economic loss or personal injury therefrom." Such an individual could recover both compensatory and limited punitive damages in addition to any other remedies available at law. (Former § 56.35; Stats. 1981, ch. 782, § 2, pp. 3040, 3049, italics added.)
The provisions in Senate Bill No. 19 expanded the private right of action for individuals whose medical information had been compromised in several different ways. First, new section 56.36, subdivision (b), created a private cause of action for the negligent release of medical records, not only for their unauthorized disclosure or use. (Stats. 1999, ch. 526, § 8, p. 3650.) Second, in addition to authorizing an action for compensatory damages for the negligent release of confidential information or records in subdivision (b)(2), section 56.36, subdivision (b)(1), expressly provides that nominal (statutory) damages of $1,000 are available for a patient whose confidential information was negligently released without proof "that the plaintiff suffered or was threatened with actual damages." Moreover, by virtue of section 56.101 health care providers are now charged with the duty not only to refrain from unauthorized disclosures of confidential medical information but also to maintain such information "in a manner that preserves the confidentiality of the information contained therein" (former § 56.101; Stats. 1999, ch. 526, § 3, p. 3647) — storage-related duties far broader than the duty created by section 56.10.
Indeed, if an affirmative communicative act by the health care provider were required to state a claim under sections 56.101 — that is, if only the negligent disclosure of that information, not just its negligent storage leading to unauthorized access, could support an award of civil damages — the second sentence of former section 56.101 (now § 56.101, subd. (a)) expressly providing remedies for violations of section 56.101 would be superfluous. The Regents attempts to avoid this untenable conclusion by noting that section 56.101 applies to pharmaceutical companies, which are not covered by section 56.10. Thus, it reasons, section 56.101 has independent significance because a private cause of action now exists against pharmaceutical companies that negligently maintain and release medical information. But pharmaceutical companies were not added to section 56.101 until 2002. (Stats. 2002, ch. 853, § 2, p. 5377.) This after-the-fact development does nothing to validate the
Nor are we persuaded by the Regents's observation that the Legislature may create certain duties that are not enforceable through any private cause of action. Although that is certainly true (see, e.g., Lu v. Hawaiian Gardens Casino, Inc., supra, 50 Cal.4th at p. 596), it does little to explain what the Legislature intended when it provided, first, that violation of the duty imposed by section 56.101 was "subject to the provisions of this part," and, thereafter, that such violations were "subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36." As discussed, section 56.36, subdivision (b), only provides for a private cause of action (for actual damages, nominal or statutory damages, or both). The Legislature plainly created some form of private cause of action for negligent maintenance or disposal of confidential medical information; the issue presented here is not whether a private right of action exists to enforce the duties created by section 56.101, but what are the elements of such a claim.
iii. Subsequent legislation to further protect confidential medical information does not support the Regents's cramped interpretation of sections 56.101 and 56.36, subdivision (b)
Finally, we reject the Regents's argument that a private cause of action under sections 56.101 and 56.36, subdivision (b), must include pleading and proof of an affirmative disclosure by the health care provider because in 2008, some years after those provisions were adopted, the Legislature enacted new regulatory safeguards for confidential medical records that expressly addressed unlawful or unauthorized "access" to such information, as well as its unauthorized use or disclosure. (Health & Saf. Code, §§ 1280.15, 130200 et seq.; see Stats. 2008, ch. 605, § 2; Stats. 2008, ch. 602, § 2.) Health and Safety Code section 1280.15, subdivision (a), imposes on health care facilities and clinics a duty to prevent "unlawful or unauthorized access to, and use or disclosure of, patients' medical information" and, in subdivision (b) provides administrative remedies for the failure to report improper access, use or disclosure. A finding of negligence is not necessary to trigger administrative sanctions. Similarly, Health and Safety Code section 130203, subdivision (a), requires health care providers to establish and implement appropriate administrative, technical and physical safeguards to protect the privacy of a patient's medical information and to safeguard it from "any unauthorized access or unlawful access, use, or disclosure." Health and Safety Code section 130202 authorizes imposition of administrative fines for any violation.
As noted, both of these additional, related regulatory schemes cover unauthorized disclosure of confidential medical information, as well as
To be sure, as the Regents observe, an Assembly Committee analysis of Senate Bill No. 541 (Reg. Sess. 2007-2008), which became Health and Safety Code section 1280.15, in explaining the need for the legislation, commented that "CMIA prohibits, with exceptions, health care providers ... from
c. Pleading negligent maintenance and loss of possession of confidential medical information is insufficient to state a cause of action under sections 56.101 and 56.36, subdivision (b)
Apparently recognizing that negligent storage or disposal of confidential information alone is not actionable under sections 56.101 and 56.36, subdivision (b), in overruling the Regents's demurrer the superior court quoted Platter's allegation (in par. 46 of her complaint) that the Regents "failed to have reasonable systems and controls in place to prevent the removal of protected health information from the hospital premises and as a result it negligently lost possession of the hard drive and encryption passwords." (Italics added.) In her return to the writ petition Platter emphasizes the italicized words and argues the allegation of a loss of possession of her confidential medical information provides the necessary elements for her private cause of action against the Regents.
The petition is granted. Let a peremptory writ of mandate issue directing the superior court to vacate its order overruling the Regents's demurrer and to enter a new order sustaining the demurrer without leave to amend and
Woods, J., and Zelon, J., concurred.
To the extent the Regents argues "disclose" and "release" are synonymous because several statutory definitions of "disclose" include the word "release," it is guilty of the fallacy of formal logic known as affirming the consequent: If P then Q. Q. Therefore, P. (To illustrate, if it is raining, then the streets are wet; the streets are wet; therefore, it is raining.) (See generally The Fallacy Files, Affirming The Consequent <http://www.fallacyfiles.org/afthecon.html> [as of Oct. 15, 2013].)