Tuesday, July 22, 2014
C.A. Rejects Claim That Hospital Is Liable for Loss of Records
No Liability, Court Says, Absent Proof That Unauthorized Person Actually Viewed Medical Data
By a MetNews Staff Writer
A person whose confidential medical information was stolen from a hospital cannot state a cause of action under the Confidentiality of Medical Information Act without alleging the information was actually viewed by an unauthorized person, the Third District Court of Appeal ruled yesterday.
A health care provider’s mere non-possession is insufficient to allege a breach of confidentiality, Justice George W. Nicholson wrote.
Civil Code §56.36(b)(1), part of the act, provides for an award of $1,000 in nominal damages to a patient if the health care provider negligently releases medical information or records in violation of the act.
The plaintiffs in the putative class action sued when a thief stole a computer containing medical records of about 4 million patients from the hospital chain Sutter Health.
The plaintiffs sought a potential recovery of about $4 billion. Sutter Health demurred to the complaint and moved to strike the class allegations, but Sacramento Superior Court Judge David DeAlba overruled the demurrer and denied the motion to strike.
The Court of Appeal yesterday granted the defendants’ petition for a writ of mandate directing that the action be dismissed for failure to state a claim.
The act provides, in part:
“Every provider of health care . . . who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein. Any provider of health care . . . who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall be subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36.”
Nicholson, writing for the appellate panel, explained that the act focuses on “the medical information, not the physical record,” so there can be no proof the act has been violated if the plaintiff cannot prove the information was viewed by someone not authorized to look at it.
The justice acknowledged that negligently storing medical information can result in an unauthorized person gaining possession of the data. “But the Confidentiality Act does not provide for liability for increasing the risk of a confidentiality breach,” the jurist said, only for failing to “preserve the confidentiality” of the records.
Subjecting a defendant to billions of dollars in liability for the negligent loss of medical records, even in a case where the thief never knew what was on the hard drive and wiped it clean, could not have been what the Legislature intended, the justice said.
Because the plaintiffs did not allege an essential element of the cause of action, and did not show how they could amend the complaint to make such an allegation, the action must be dismissed, he said. That result makes it unnecessary to address another issue raised by the defendants—the claim that the potential liability was so great as to deprive them of constitutional due process—the justice wrote.
The case is Sutter Health v. Superior Court (Atkins) 14 S.O.S. 3703.
Copyright 2014, Metropolitan News Company