In its recent decision in Eisenhower Medical Center v. Superior Court, 226 Cal. App. 4th 430(Cal. App. 4th Dist. 2014), the Court of Appeal of California, Fourth District, had occasion to consider whether a medical facility’s disclosure of information concerning a patient that does not contain the medical treatment or history of the patient violates California’s Confidentiality of Medical Information Act.
On March 11, 2011, a computer was stolen from Eisenhower Medical Center (“EMC”) that contained an index of over 500,000 persons to whom EMC had assigned a clerical record number. The records dated back to the 1980’s. The information on the index was limited to each person’s name, medical record number, age, date of birth, and the last four digits of the person’s Social Security number. EMC subsequently advised the patients of the theft, and a number of those individuals filed suit. The suit was styled as a putative class action and sought nominal damages of $1,000 for EMC’s alleged violation of the Confidentiality of Medical Information Act (“CMIA”) (Cal. Civ. Code § 56 et seq.). The plaintiffs also included a cause of action for violation of the Consumer Records Act (“CRA”) (Cal. Civ. Code § 1798.82), which requires notification to consumers when security systems are breached.
EMC sought summary judgment on the basis that the theft of the computer did not result in a disclosure of medical information. The index contained on the stolen computer did not include information relating to the patient’s medical history, condition or treatment, as that information was contained on a separate server within EMC’s data center. The index on the computer only contained a subset of that information and was available in the event of a power outage or network failure so the hospital could locate a hard copy of the patient’s medical records. EMC argued that the index did not include medical information within the meaning of the CMIA, which requires a disclosure of information “regarding a patient’s medical history, mental or physical condition or treatment.” Cal. Civ. Code § 56.05.
With respect to the cause of action under the CRA, EMC submitted that it did not disclose any of five data elements that could identify the patients. Although a patient’s Social Security number was one of those data elements, the truncated Social Security numbers contained on the index did not qualify. EMC also argued that it complied with the notification requirements under the CRA.
Plaintiffs challenged EMC’s arguments, contending that the disclosure of the patient’s name on the index proved the he or she was a patient, thereby qualifying as a release of medical history. They also posited that the information contained on the index could be used to access the database and obtain a patient’s medical information.
The trial court denied summary judgment with respect to both claims, specifically noting that the fact that the plaintiffs were patients at the hospital constituted “medical information” in the context of the CMIA. EMC sought appellate review of that ruling only. On appeal, EMC argued that “medical information” under the CMIA is defined as a patient’s medical condition or history combined with individually identifiable information. Although it conceded that there was a disclosure of individually identifiable information, EMC insisted that there was no release of medical information within the ambit of the statute.
The court agreed with EMC, recognizing that the CMIA restricts information of medical information without the patient’s authorization. A violation of the statute warranted $1,000 in nominal damages regardless of the actual damages suffered by a claimant. The term “medical information” is defined by Section 56.05(g) to include “any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment.”
Construing the plain meaning of the statute, the court determined that “medical information” could not mean just any patient-related information held by a health care provider, but must be “individually identifiable information” and also include “a patient’s medical history, mental or physical condition, or treatment.” Thus, the mere disclosure of demographic information or numeric information that does not reveal the medical history or care received by a patient does not violate the CMIA. Simply because the index demonstrated that the plaintiffs were previously patients of the hospital did not qualify as the type of information that falls within the purview of the statute. The appellate court therefore concluded that EMC did not violate the CMIA as the release of information did not include the patients’ medical history, mental or physical condition, or treatment of the individual. Thus, EMC was entitled to summary judgment on the claim for violation of the CMIA.