Page 4
C.A. Declines to Read Strict Liability Into Confidentiality Law
Opinion Says Statute Providing That Health Facilities ‘Shall Prevent’ Unlawful Disclosure of Patients’ Information Does Not Mandate That Group is Responsible for Breaches Made Despite Reasonable Precautions
By a MetNews Staff Writer
The Third District Court of Appeal held yesterday that a California law providing that a health facility “shall prevent” the unlawful disclosure of patients’ medical information does not impose a strict liability standard such that the company may be held responsible every time an employee shares private data, regardless of any reasonable precautions taken.
Yesterday’s opinion, by Justice Peter A. Krause, says an administrative law judge erred in finding that a UCLA-affiliated psychiatric hospital was properly assessed a $75,000 penalty by the California Department of Public Health after an employee shared, on social media, photographs of electronic records kept at the facility despite the establishment having provided consistent messaging regarding the importance of safeguarding patients’ information.
At issue is Health and Safety Code §1280.15, which provides that “[a]…health facility…shall prevent unlawful or unauthorized…disclosure of, patients’ medical information,…consistent with Section 1280.18” and authorizes administrative penalties of “up to…$25,000…per patient whose medical information was unlawfully…disclosed.”
Subdivision (a) of 1280.18 specifies that “[e]very provider of health care shall establish and implement appropriate…safeguards to protect the privacy of a patient’s medical information” and “shall reasonably safeguard confidential medical information.”
Krause declared:
“[The] statutory framework incorporates the standards from section 1280.18 into section 1280.15. Specifically, it requires health facilities to prevent unauthorized access to, use of, and disclosure of patients’ medical information consistent with section 1280.18 by implementing ‘appropriate’ safeguards and ‘reasonably safeguard[ing]’ that information. Thus, this section incorporates the ‘appropriate’ and ‘reasonabl[e]’ standards from section 1280.18 into section 1280.15.”
Social Media Post
The question arose after a newly hired clinical care employee, Kevin Yang, used his personal cell phone to photograph patients’ records while accessing a health record system at Resnick Neuropsychiatric Hospital of UCLA in November 2016. He redacted the images to obscure the names and diagnoses, but the personal information of 10 patients remained partially visible in an Instagram post he publicized after his shift.
Resnick, located on the university’s Westwood campus, asserted that Yang ignored training and persistent reminders on the importance of keeping patients’ information confidential.
Yang deleted the post after it was discovered by another employee. He was eventually terminated from Resnick due to the disclosure.
The department launched an investigation and issued an administrative penalty notice to the facility based on a breach of §1280.15, citing a fine of $7,500 per patient disclosure. Yang did not face any such consequences.
After Resnick requested a hearing to appeal the department’s decision, Administrative Law Judge Jean-Pierre Francillette found that the penalty was not an abuse of discretion because she opined that “the [L]egislature intended the legal standard for a violation of section 1280.15, subdivision (a), to be that of strict liability.”
Resnick filed a petition for a writ of administrative mandamus, arguing that §1280.15 did not impose strict liability on health care facilities and requesting a declaratory judgment that the section cannot be violated unless the standard set forth in §1280.18 is also breached. On Nov. 7, 2023, Sacramento Superior Court Judge Stephen P. Acquisto granted the petition.
Yesterday’s decision, joined in by Acting Presiding Justice Harry E. Hull Jr. and Justice Stacy E. Boulware Eurie, affirms the ensuing judgment.
Plain Language
The department argued that the plain language of §1280.15 makes clear that the provision imposes strict liability for the unlawful disclosure of medical records, citing the phrase “shall prevent.” Krause acknowledged that “[c]ourts generally interpret the word ‘shall’ as giving rise to a mandatory duty,” but opined:
“[O]ur analysis…does not end by reading the phrase…in isolation. We must consider the meaning in its larger context.”
Looking to that broader context, he opined:
“[I]t is reasonable to interpret the provision of section 1280.15 requiring consistency with section 1280.18 as modifying the requirement that health facilities ‘shall prevent’ improper use or disclosure of medical information….This reading would be functionally the same as stating that a health facility ‘shall prevent, consistent with section 1280.18, unlawful or unauthorized access to, and use or disclosure of, patients’ medical information, as defined in Section 56.05 of the Civil Code.’ We find this to be the most reasonable reading of the statute’s plain language.”
Rejecting the argument that the phrase “consistent with Section 1280.18” modifies “medical information,” he reasoned:
“Both statutes do reference medical information. However, we conclude there could be no need to include the language ‘consistent with Section 1280.18’ to clarify that both statutes concern medical information or even the same type of medical information, or that they are ‘complementary in how they protect medical information.’ Such a provision would be wholly superfluous and of no operative effect. There is no need for section 1280.15 to specify that a health facility shall prevent unauthorized disclosure of medical information that is consistent with the type of medical information that is also referenced in section 1280.18.”
Reasonableness Standard
Addressing the department’s contention that the Legislature could have explicitly drafted the section to impose a reasonableness standard if that was the body’s intent, Krause remarked:
“[T]he same can be said of imposing strict liability. The mere mandate that health facilities ‘shall prevent’ disclosure is not a conclusive indicator of strict liability when the Legislature could have used plain language to that effect.”
He wrote:
“[N]otwithstanding its ‘shall prevent’ language, we find that section 1280.15 is not a strict liability statute that establishes a violation in every case of unauthorized access and use or disclosure. For an actionable violation, the health facility must have failed to comply with section 1280.18, subdivision (a).”
Krause added:
“This interpretation effectuates the legislative intent to protect patients’ medical information while not penalizing health facilities that have undertaken all reasonable steps within their power to safeguard that information.”
The case is Regents of the University of California v. State Department of Public Health, 2025 S.O.S. 2551.
Hospitals affiliated with UCLA have faced criticism over the years relating to the handling of celebrity medical records. In 2011, the UCLA Health System was fined $865,500 by the U.S. Department of Health and Human Services over allegations that employees improperly accessed the confidential information of two famous patients.
In 2009, actress Farrah Fawcett (now deceased) set up a sting operation to prove that someone at a UCLA health care facility was leaking information about her cancer treatment to the National Enquirer and publicly criticized the entity for failing to protect her privacy from nosy employees.
Copyright 2025, Metropolitan News Company