What You Do Not Know About the Privacy of Health Data in California
The California Civil Code § 56 et seq. codifies the Confidentiality of Medical Information Act (“the CMIA” or “the Act”) to protect the confidentiality of individually identifiable medical information obtained from a patient by a health care provider.
The CMIA's basic prohibition on disclosure is laid down in Civil Code § 56.10(a), which states that “[n]o provider of health care, health care plan or contractor shall disclose medical information concerning a patient of the health care provider or an enrollee or subscriber of a health care plan without first obtaining an authorization, except as provided for in subsection (b) or (c).”
For example, Section 56.35 provides that a patient who has suffered economic loss or personal injury resulting from disclosure of his/her individually identifiable medical information may recover:
- compensatory damages;
- punitive damages (not to exceed $3,000);
- attorney’s fees (not to exceed $1,000); and
- litigation costs.
Similarly, Section 56.36(b) provides a remedy even for improper disclosure of the patient's information. Under that clause, a patient may bring an action against any person or entity who has negligently released his/her individually identifiable medical information, seeking:
- $1,000 nominal damages (no evidence of actual damage is required); and/or
- actual damages, if any.
The legislation specifies that these remedies are in addition to any other remedies available at law.
Civil penalties and administrative fines
A person or agency who breaches the CMIA in a reckless or malicious manner can also face administrative fines and/or civil sanctions. Section 56.36(c) imposes an administrative fine or civil penalty of up to $2,500 for a negligent disclosure.
The section also imposes an administrative fine or civil penalty of up to $25,000 on any individual who knowingly and willfully “obtains, discloses or uses medical information in violation of [the CMIA]”. And where the violator knowingly or willingly obtains or uses information for “financial benefit” purposes, the administrative fine or civil penalty skyrockets to up to $250,000 plus disgorgement.
Does your employer need to secure the medical information they receive?
California law requires an employer obtaining medical information to “ensure confidentiality and security from unauthorized use and release of such information”. An employee suffering economic loss or personal injury because an employer refuses to preserve the confidentiality of their medical information may sue for damages and legal costs (California Civil Code Section 56.20). Sometimes, however, employers obtain health-related or medical information that does not explicitly fit within this provision.
Additionally, there are several exceptions to the requirement that employers protect the privacy and confidentiality of any medical information that they receive from employees. Such cases include (but are not limited to):
- judicial or administrative proceedings that require disclosure (for example, a court summons);
- where medical information is important to a lawsuit, arbitration or other dispute and you (the employee) raised the issue in the case;
- overseeing employee benefits, such as disability and workers’ compensation, and assessing eligibility for disclosure. (California Civil Code Section 56.20-56.245)