California Court of Appeal Reins in CDPH’s Misuse of Strict Liability in Hospital Privacy Breach Cases

BakerHostetler

For nearly two decades, hospitals licensed by the California Department of Public Health (CDPH) have been frustrated by CDPH’s application of strict liability to penalize licensed entities under Health & Safety Code § 1280.1. The strict-liability standard CDPH applied in this context essentially equates to: “If a hospital had a breach, that is conclusive evidence that it did not have appropriate safeguards in place to protect medical information.” As any entity that has experienced an incident – from a single mis-mailed record, to an employee looking up their child’s hospital room, to a full-on cybersecurity breach – understands, even well-implemented, robust controls cannot prevent the human errors that are often the precursor to these incidents.

On September 23, 2025, the California Third District Court of Appeal affirmed that CDPH’s perfect-or-else standard was erroneous. The holding affirms what entities have been fighting for all these years: Section 1280.15 does not require absolute prevention of any and all privacy breaches, but rather that regulated entities implement appropriate safeguards to reasonably safeguard medical information.

Importantly, as a published Court of Appeal decision, the opinion is binding on superior courts statewide unless and until there is contrary published authority or review.

Background and Posture

The case at issue – The Regents of the University of California (the Regents) v. CDPH – arose from CDPH’s assessment of a $75,000 penalty against Resnick Neuropsychiatric Hospital at UCLA (Resnick) after a Resnick employee posted a partially redacted image of 10 patients’ information to Instagram. CDPH’s theory was, essentially, that because the employee posted the image, Resnick automatically was in violation of Health and Safety Code §1280.15 because it did not prevent the exposure of patient information. In front of the administrative law judge (the ALJ), Resnick provided evidence that it had administered HIPAA/privacy training to employees (including the employee at issue), had required employees (including the employee at issue) to sign confidentiality agreements, and took corrective actions after the incident (including ultimately terminating the employee at issue).

Resnick argued that these actions evidenced compliance with Section 1280.15, because although Section 1280.15 states that covered entities shall prevent such incidents, they must do so consistent with Section 1280.18. Section 1280.18, in turn, requires the implementation of reasonable and appropriate safeguards to protect the privacy of patient medical information. The ALJ upheld CDPH’s strict‑liability interpretation of Section 1280.15. The Regents appealed the ruling by filing a petition for writ of administrative mandate in the state district court. The district court granted the Regents’ petition, finding no violation absent proof that the hospital failed to maintain reasonable safeguards under Section 1280.18. CDPH then appealed.

The Court’s Analysis and Holding

The appeals court addressed the question as follows:

Does the “shall prevent” language denote a strict-liability statute, such that any failure to prevent disclosure constitutes a violation of section 1280.15? Or, as the trial court ruled, does the “consistent with Section 1280.18” language require that a violation of section 1280.15 must be supported by a concomitant violation of section 1280.18’s mandate that health facilities establish appropriate safeguards to protect the privacy of patient medical information and reasonably safeguard confidential medical information, effectively importing a reasonableness standard from section 1280.18 into section 1280.15?

Opinion at p. 2. In holding that Section 1280.15 is not a strict‑liability statute, the court applied the following reasoning:

  • Plain‑language analysis controls. The court read Section 1280.15 “in its entirety” and focused on the phrase “consistent with Section 1280.18.” Because Section 1280.18 repeatedly uses reasonableness and appropriate safeguards, importing strict liability into Section 1280.15 would contradict the text to which Section 1280.15 expressly ties itself.
  • Avoiding absurd results. Imposing penalties despite a facility’s robust safeguards and immediate remedial actions would yield absurd consequences – a result the canon of statutory construction disfavors.
  • No deference to CDPH’s strict‑liability view. CDPH’s long-standing interpretation received no controlling deference because the statutory text was clear and unambiguous.

Why This Matters for Hospitals and Facilities Subject to Health and Safety Code § 1280.15

In our experience, CDPH has been aggressive in assessing penalties against California entities for privacy and security incidents that occurred despite robust controls implemented by licensed entities. This ruling changes the dynamic between CDPH and entities in the crosshairs in three significant ways:

  1. Enforcement burden shifts to safeguards evidence. CDPH must now prove that a provider’s safeguards were not “appropriate” or not “reasonable” under Section 1280.18 before imposing penalties under Section 1280.15. In our experience, CDPH has not historically addressed these questions and instead has only pointed to the fact that the privacy incident happened. It is not clear whether CDPH has the expertise to assess, particularly in cybersecurity incidents, whether the controls were reasonable and/or appropriate to prevent the incident from occurring. However, entities should be ready with subject matter experts and supporting evidence to provide CDPH with clear evidence of sufficient controls, similar to what is often requested and provided in response to Office for Civil Rights investigations under HIPAA.
  2. Rebutting overbroad deficiency statements. This opinion undercuts CDPH’s approach of framing any unauthorized disclosure as a per se violation of Section 1280.15. Historically, CDPH has issued broad deficiency statements that are often devoid of any specific deficiency finding other than that the incident happened, even in the face of specific pushback and requests by the licensed entity for clarification. While crafting more specific deficiency statements could present a challenge to CDPH going forward, it is truly a benefit to all (patients, providers, and CDPH) to actually identify the specific (alleged) insufficient control so that providers can remediate the issue and, presumably, better protect patient information.
  3. Assess currently in-progress CDPH enforcement actions. If licensed entities received a notice of deficiency prior to this ruling and are currently negotiating with CDPH or awaiting a hearing with the ALJ, it may be prudent to approach CDPH about how CDPH will proceed moving forward in light of the Regents case.

Practical Compliance Checklist (Map Your Facts to Section 1280.18)

When preparing for a CDPH investigation under Section 1280.15 and Section 1280.18, we recommend taking inventory of everything the entity did to try to prevent the incident from occurring:

  • Employee training and vendor management: Gather evidence of all current and historic HIPAA/CMIA training, signed confidentiality acknowledgments, and the like, that are administered to the entire workforce and, where relevant, the particular employee(s) involved in an incident. Where a vendor is involved, gather contractual requirements, including HIPAA business associate agreements, communications about training, quality assurance procedures, and the vendor’s own training and administrative safeguards.
  • Technical safeguards: Take a broad approach to thinking about what technical safeguards were in place and relevant to the incident. For example, if an email account with patient information was compromised, think more broadly than just your password or multifactor authentication implementation. Think about data loss prevention, what logging was turned on, cybersecurity firms engaged to help find compromises early, phishing training, etc., and obtain and retain evidence in support of these actions.
  • Administrative safeguards: As with the technical safeguards, a broad approach to administrative safeguards is also necessary. Showing evidence of a robust privacy program, not just policies that apply to the specific issue being investigated, can help undermine a narrative that the entity was playing whack-a-mole or had a narrow view of its privacy obligations. Again, we recommend obtaining and retaining evidence to support the implementation of the privacy program and other administrative safeguards to demonstrate more than simple compliance.
  • Prompt remediation and corrective action: It is better to remediate issues found before being told by a regulator to do so. Rapid internal reporting, investigation, patient notification, workforce discipline and systemic fixes should all happen proactively. The message conveyed is that there is nothing left for CDPH to direct the entity to do: there are no new reasonable security controls that have not already been implemented and, therefore, no reason for a penalty. We also recommend regularly reviewing your compliance with HIPAA and CMIA to ensure that you are assessing current privacy and security risks and implementing the additional technical, administrative and physical safeguards you identify, even in the absence of an incident.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© BakerHostetler