Wednesday, October 16, 2013
C.A. Rejects Class Action Over Loss of UCLA Medical Data
By KENNETH OFGANG, Staff Writer
A negligent release of medical data will not subject a health care provider to liability for statutory damages unless the data is actually used by an unauthorized person, the Court of Appeal for this district ruled yesterday.
Div. Seven granted writ relief to the University of California, ordering dismissal of Melinda Platter’s action under the Confidentiality of Medical Information Act.
Platter was among 16,000 patients of UCLA Medical Center who were notified in November 2011 that some personally identifiable medical information was on an external hard drive that was taken from the home of a former university physician in a home-invasion robbery two months earlier. The data was encrypted, but an index card with the password was taken as well.
The letter informed recipients that the police had been notified and that there was no indication any of the data had been used.
The university demurred to Platter’s complaint for violation of the CMIA. The statute provides, among other things, that a patient whose confidential medical information is negligently disclosed without authorization may recover statutory damages of $1,000 and/or actual damages.
Platter’s complaint sought $1,000 in statutory damages for herself and every member of the class. It did not allege that any confidential information had been improperly used.
Los Angeles Superior Court Judge Kenneth Freeman, in overruling the university’s demurrer, found that there was no violation of Civil Code Sec. 56.36(b), the provision of the act that authorizes an action for damages in the event of an unlawful disclosure. That provision does not apply if the records do not become public, the judge said.
The judge also ruled, however, that UCLA violated a provision that requires healthcare providers to treat medical information in a manner that preserves the information’s confidentiality. That provision is Sec. 56.101(a), and it provides for the same remedies as for a violation of Sec. 56.36(b).
Freeman reasoned that because Sec. 56.101(a) does not contain a limitation of damages to cases of actual disclosure, there was no requirement that the information have been actually disclosed for the plaintiff to prevail.
But Presiding Justice Dennis Perluss, writing for the Court of Appeal, disagreed.
Perluss rejected the university’s argument that there must be an actual communicative act by the provider for liability to be imposed. But he agreed with UC that there could be no liability without actual unauthorized use of the data.
“Even under the broad interpretation of “release” we believe the Legislature intended in section 56.36, subdivision (b), as incorporated into section 56.101, more than an allegation of loss of possession by the health care provider is necessary to state a cause of action for negligent maintenance or storage of confidential medical information.... What is required is pleading, and ultimately proving, that the confidential nature of the plaintiff’s medical information was breached as a result of the health care provider’s negligence. Because Platter’s complaint failed to include any such allegation, the Regents’s demurrer should have been sustained without leave to amend and the case dismissed. “
The case is Regents of the University of California v. Superior Court (Platter), 13 S.O.S. 5269.
Copyright 2013, Metropolitan News Company