Filed 10/15/13
CERTIFIED FOR PUBLICATION
IN THE COURT OF APPEAL OF THE STATE OF CALIFORNIA
SECOND APPELLATE DISTRICT
DIVISION SEVEN
THE REGENTS OF THE UNIVERSITY OF CALIFORNIA,
Petitioner,
v.
THE SUPERIOR COURT OF LOS ANGELES COUNTY,
Respondent.
___________________________________
MELINDA PLATTER,
Real Party in Interest.
B249148
(Los Angeles County Super. Ct. No. BC494928)
ORIGINAL PROCEEDINGS in mandate. Kenneth R. Freeman, Judge. Petition
granted.
Office of the General Counsel, University of California, Charles F. Robinson,
Karen J. Petrulakis, Margaret L. Wu; Munger, Tolles & Olson, Bradley S. Phillips and
Michelle A. Friedland, for Petitioner.
Lois J. Richardson, for California Hospital Association, as Amicus Curiae on
behalf of Petitioner.
Pillsbury Winthrop Shaw Pittman, Kevin M. Fong and Sarah G. Flanagan, for
Lucile Packard Children’s Hospital and Stanford Hospital and Clinics, as Amici Curiae
on behalf of Petitioner.
Francisco J. Silva and Lisa Matsubara, for California Medical Association as
Amicus Curiae on behalf of Petitioner.
Bartko, Zankel, Bunzel & Miller, Robert H. Bunzel, William I. Edlund,
Michael D. Abraham, Simon R. Goodfellow, for Sutter Health, Sutter Medical
Foundation and Sutter Connect, as Amicus Curiae on behalf of Petitioner.
No appearance for Respondent.
Kabateck Brown Kellner, Brian S. Kabateck, Richard L. Kellner; Ernst Law
Group, Don A. Ernst, Taylor Ernst, for Real Party in Interest.
______________________
The Confidentiality of Medical Information Act (CMIA) (Civ. Code, § 56 et seq.) [fn. 1]
prohibits health care providers and related entities from disclosing medical information
regarding a patient without authorization except in certain specified instances. (§ 56.10.)
A patient may bring an action for actual damages, nominal (statutory) damages of $1,000,
or both against any person or entity that negligently released confidential medical
information concerning him or her in violation of CMIA. (§ 56.36, subd. (b).) In
addition, any person or entity that negligently disclosed medical information in violation
of CMIA is subject to an administrative fine or civil penalty. (§ 56.36, subd. (c).)
Under CMIA every health care provider who creates, maintains or disposes of
medical information is also required to do so in a manner that preserves the
confidentiality of that information. (§ 56.101, subd. (a).) Any provider who negligently
creates, maintains or disposes of medical information is “subject to the remedies and
penalties provided under subdivisions (b) and (c) of Section 56.36.” (§ 56.101,
subd. (a).)
[fn. 1] Statutory references are to the Civil Code unless otherwise indicated.
Does this statutory scheme authorize a private cause of action for damages based
solely on the negligent maintenance or storage of medical information even if the
patient’s confidential records were never viewed or otherwise accessed by an
unauthorized individual? Specifically, has a cause of action for nominal or statutory
damages of $1,000 been adequately pleaded by real party in interest and putative class
plaintiff Melinda Platter, who has alleged the Regents of the University of California,
through its UCLA Health System, failed to have reasonable systems and controls in place
to prevent the removal of protected medical information from one of its hospitals and, as
a result, negligently lost possession of that information?
Ruling a damage claim may be stated under section 56.101, subdivision (a), based
on a health care provider’s negligent maintenance or storage of an individual’s medical
information without regard to whether it resulted in any actual release or disclosure of the
information, respondent Los Angeles Superior Court overruled the Regents’s demurrer to
Platter’s complaint. Although we do not agree with the Regents’s argument an
affirmative communicative act by the health care provider is an essential element of
Platter’s claim, we hold, by incorporating the remedy specified in section 56.36,
subdivision (b), section 56.101 allows a private right of action for negligent maintenance
only when such negligence results in unauthorized or wrongful access to the information.
Because Platter cannot allege her information was improperly viewed or otherwise
accessed, we grant the Regents’s petition and issue a writ of mandate to the superior court
directing it to vacate its order overruling the Regents’s demurrer and to enter a new order
sustaining the demurrer without leave to amend and dismissing the action.
FACTUAL AND PROCEDURAL BACKGROUND
1. The Loss of the Encrypted External Hard Drive and Platter’s Complaint for
Violation of CMIA
In a letter dated November 4, 2011 signed by Robert Gross, chief privacy officer
of the UCLA Health System & David Geffen School of Medicine, the Regents advised
certain patients treated at UCLA facilities that an encrypted external hard drive
containing some of their personally identifiable medical information had been stolen as
part of a home invasion robbery approximately two months earlier. The letter also
informed the recipients the password for the encrypted information was written on an
index card near the device and that card could not be located. The letter stated, “The
theft was reported to the police and there is no evidence suggesting that your information
has been accessed or misused.” A public notice regarding the incident was published in
the Los Angeles Times for three consecutive days on November 4-6, 2011. [fn. 2]
On October 30, 2012 Platter filed a class action complaint in Los Angeles Superior
Court seeking damages from the Regents in a single cause of action for unlawful
disclosure of confidential medical information in violation of CMIA. Platter alleged she
had been treated on numerous occasions at Ronald Reagan UCLA Medical Center and
was one of more than 16,000 UCLA Health System patients who had been notified of the
loss of the external hard drive and the related password needed to decode the encrypted
data. According to Platter’s complaint, a physician in the UCLA Faculty Practice Group
took the external hard drive, which contained patient names, dates of birth, addresses,
financial information and medical records, to his home and left it unsecured with the
encryption password. On or about September 6, 2011 the hard drive and written
password were taken from the physician’s home. As of the date of the complaint neither
the hard drive nor the encryption password had been recovered.
Platter alleged the Regents had failed to exercise due care to prevent the release or
disclosure of her private medical information and that of the other putative class members
without their written authorization. Specifically, “It failed to have reasonable systems
and controls in place to prevent the removal of protected health information from the
hospital premises and as a result it negligently lost possession of the hard drive and
encryption passwords.” Platter did not allege she had suffered any actual damages, but
sought statutory damages of $1,000 for herself and for each member of the putative class
pursuant to section 56.36, subdivision (b). [fn. 3]
[fn. 2] The superior court granted the Regents’s request for judicial notice of the
November 4, 2011 letter and published public notices in considering its demurrer to the
complaint. The court carefully emphasized it was limiting judicial notice to the fact of
the existence of the letter and public notices, not the truth of any statements contained in
them.
2. The Regents’s Demurrer; Platter’s Response
The Regents demurred to the complaint on January 18, 2013 pursuant to Code of
Civil Procedure section 430.10, subdivision (e), contending Platter had failed to state
facts sufficient to constitute a cause of action for statutory damages under CMIA because
that remedy was available only if a health care provider had negligently “disclosed” or
“released” confidential medical information and Platter had not alleged her medical
information was disclosed or released by the Regents within the meaning of CMIA. In its
memorandum of points and authorities the Regents asserted disclosure or release by a
health care provider under CMIA occurs only when the provider actively communicates
medical information to a third party without the patient’s authorization: “A ‘disclosure’
or ‘release’ within the meaning of CMIA does not occur when a third party—through
burglary, computer hacking or otherwise—wrongfully obtains such information against
the health care provider’s will.” Negligent storage or maintenance of medical
information by a health care provider without such active disclosure or release, the
Regents argued, could subject the health care provider to administrative discipline,
including fines or civil penalties, but not a private cause of action for damages under
section 56.36, subdivision (b).
In her response Platter disputed the Regents’s construction of the governing
statutes. According to Platter, CMIA provides a cause of action for statutory damages in
any case where it can be proved a health care provider’s negligence was the proximate
cause of an unauthorized third party obtaining confidential patient information, whether
the third party is a thief or the intended recipient of the provider’s affirmative or
intentional act of communication.
[fn. 3] Platter described the putative class as “All patients whose confidential information
and/or records in the UCLA Health System was [sic] accessible from the hardware, data,
or password lost on or around September 6, 2011.”
The Regents filed a reply memorandum. Both parties also submitted requests for
judicial notice to the superior court, including with their papers excerpts from the
legislative history of CMIA (in the request by Platter), as well as separate legislation
enacted to safeguard electronically stored medical information from unauthorized access
by third parties (in the request by the Regents).
3. The Superior Court’s Order Overruling the Demurrer but Striking Portions of
the Complaint
The superior court heard oral argument on April 11, 2013. On April 19, 2013 the
court issued a 16-page ruling and order, overruling the Regents’s demurrer but striking a
portion of Platter’s cause of action for violation of CMIA.
Relying upon what it concluded was the plain meaning of the terms at issue, the
court agreed with the Regents that, under the facts as alleged, there was no disclosure of
confidential information, a prerequisite to a claim for violation of section 56.10.
However, the court also ruled CMIA established two separate types of wrongful
conduct—wrongful disclosure of confidential medical information under section 56.10
and wrongful maintenance and storage of confidential information under section 56.101:
“[T]he negligent maintenance, preservation, and storage of confidential data under
§ 56.101 specifically provides the remedy of $1,000 in nominal damages . . . . This is
because the remedy portion of § 56.36(b) and (c) is incorporated by reference into
§ 56.101. As such, on the face of the statute, there is no requirement under § 56.101 that,
to be eligible for the $1,000 nominal damages (or, as the case may be, actual damages),
that there also have been a negligent release of the confidential information under
§ 56.36(b).”
Based on this analysis of the statutory scheme, the court overruled the demurrer,
finding Platter had stated a claim for violation of CMIA because she alleged the Regents
“failed to have reasonable systems and controls in place to prevent the removal of
protected health information from the hospital premises and as a result it negligently lost
possession of the hard drive and encryption passwords.” Nevertheless, because Platter
had not alleged any affirmative disclosure of confidential information by the Regents, the
court struck that portion of her CMIA claim premised on the allegation (in paragraph 46
of the complaint) that the Regents had “failed to exercise due care to prevent the release
or disclosure of private medical information of Plaintiff and the class members without
their written authorization.”
In an order filed April 30, 2013 pursuant to Code of Civil Procedure section 166.1,
the superior court indicated its belief the April 19, 2013 ruling and order addressed a
controlling question of law as to which there were substantial grounds for difference of
opinion and stated that immediate appellate resolution of the question of statutory
interpretation raised by the Regents’s demurrer might materially advance the conclusion
of the litigation.
4. The Writ Proceedings
On June 4, 2013 the Regents petitioned this court for a writ of mandate directing
the superior court to vacate its order overruling the demurrer and to enter a new order
sustaining the demurrer without leave to amend and dismissing the action. The petition
argued the superior court’s ruling would create a sweeping private right of action that was
not intended by the Legislature, emphasized the Regents’s potential liability for $16
million in nominal damages under the superior court’s interpretation of CMIA and
asserted the need to expend resources to defend this litigation, rather than resolve the
pure legal question raised through this writ proceeding, would create serious difficulties
for the Regents.
While initially considering the petition we received letter briefs from amici curiae
in support of the Regents’s position from the Lucile Packard Children’s Hospital and
Stanford Hospital and Clinic, the California Hospital Association and the California
Medical Association. Real party in interest Platter submitted an opposition to the petition
for writ of mandate, and the Regents filed a reply. On June 25, 2013 we issued an order
to show cause why the relief requested in the petition should not be granted. On July 22,
2013 Platter filed her return to the petition, and on August 12, 2013 the Regents filed its
reply. On August 23, 2013 we received an amicus curiae brief in support of the Regents
from Sutter Health, Sutter Medical Foundation and Sutter Connect, LLC dba Sutter
Physician Services, which advised us, in part, the issue presented here is also currently
pending before the Third District Court of Appeal (Sutter Health v. Superior Court of
Sacramento County, C072591.)
DISCUSSION
1. The Propriety of Extraordinary Writ Relief
An order overruling a demurrer is not directly appealable and will rarely be
reviewed in a petition for extraordinary writ relief. (See, e.g., Brandt v. Superior Court
(1985) 37 Cal.3d 813, 816 [“we are reluctant to exercise our discretion to review rulings
at the pleading stage of a lawsuit”]; City of Huntington Park v. Superior Court (1995)
34 Cal.App.4th 1293, 1297.) However, when the question is purely legal and the issue
significant, relief by extraordinary writ is appropriate. (Babb v. Superior Court (1971)
3 Cal.3d 841, 851; County of Santa Clara v. Superior Court (2009) 171 Cal.App.4th 119,
125-126; City of Huntington Park, at p. 1297.) Here, the issue of statutory construction
raised by the superior court’s ruling and presented by the Regents’s petition has not
previously been addressed by an appellate court and, based on the amici curiae
submissions we have received, appears to be of widespread interest. Accordingly, writ
review is appropriate.
2. Standard of Review
A demurrer tests the legal sufficiency of the factual allegations in a complaint.
We independently review the superior court’s ruling on a demurrer and determine de
novo whether the complaint alleges facts sufficient to state a cause of action or discloses
a complete defense. (McCall v. PacifiCare of Cal., Inc. (2001) 25 Cal.4th 412, 415;
Aubry v. Tri-City Hospital Dist. (1992) 2 Cal.4th 962, 967.) We assume the truth of the
properly pleaded factual allegations, facts that reasonably can be inferred from those
expressly pleaded and matters of which judicial notice has been taken. (Evans v. City of
Berkeley (2006) 38 Cal.4th 1, 20; Schifando v. City of Los Angeles (2003) 31 Cal.4th
1074, 1081.) We liberally construe the pleading with a view to substantial justice
between the parties. (Code Civ. Proc., § 452; Schifando, at p. 1081.)
We also review de novo issues of statutory construction. (In re Tobacco II Cases
(2009) 46 Cal.4th 298, 311; People ex rel. Lockyer v. Shamrock Foods Co. (2000)
24 Cal.4th 415, 432.) In construing statutes “[o]ur fundamental task . . . is to ascertain
the intent of the lawmakers so as to effectuate the purpose of the statute[s]. [Citation.]
We begin by examining the statutory language, giving the words their usual and ordinary
meaning. [Citation.] If there is no ambiguity, then we presume the lawmakers meant
what they said, and the plain meaning of the language governs. [Citations.] If, however,
the statutory terms are ambiguous, then we may resort to extrinsic sources, including the
ostensible objects to be achieved and the legislative history. [Citation.] In such
circumstances, we ‘“select the construction that comports most closely with the apparent
intent of the Legislature, with a view to promoting rather than defeating the general
purpose of the statute, and avoid an interpretation that would lead to absurd
consequences.”’” (Day v. City of Fontana (2001) 25 Cal.4th 268, 272; accord, People v.
Lawrence (2000) 24 Cal.4th 219, 230.)
3. The Controlling Statutes
Section 56.10, subdivision (a), provides, “No provider of health care, health care
service plan, or contractor shall disclose medical information regarding a patient of the
provider of health care or an enrollee or subscriber of a health care service plan without
first obtaining an authorization, except as provided in subdivision (b) or (c).” [fn. 4]
Section 56.35 provides, “In addition to any other remedies available at law, a
patient whose medical information has been used or disclosed in violation of
Section 56.10 . . . and who has sustained economic loss or personal injury therefrom may
recover compensatory damages, punitive damages not to exceed three thousand dollars
($3,000), attorneys’ fees not to exceed one thousand dollars ($1,000), and the costs of
litigation.”
[fn. 4] Section 56.10, subdivision (b), requires disclosure of medical information if
compelled, for example, by a court order or lawful search warrant. (§ 56.10, subd. (b)(1)
& (6).) Subdivision (c) permits disclosure in certain circumstances, for example to an
insurer to the extent necessary to allow responsibility for payment to be determined and
payment to be made. (§ 56.10, subd. (c)(2).)
Section 56.36, subdivision (a), provides any violation of CMIA that results in
economic loss or personal injury to a patient is punishable as a misdemeanor.
Section 56.36, subdivision (b), provides, “In addition to any other remedies
available at law, any individual may bring an action against any person or entity who has
negligently released confidential information or records concerning him or her in
violation of this part, for either or both of the following: [¶] (1) Except as provided in
subdivision (e), nominal damages of one thousand dollars ($1,000). In order to recover
under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened
with actual damages. [¶] (2) The amount of actual damages, if any, sustained by the
patient.”
Section 56.36, subdivision (c), establishes a schedule of escalating administrative
fines and civil penalties for unauthorized negligent and willful disclosure or use of
confidential patient information in violation of CMIA.
Section 56.101, subdivision (a), provides, “Every provider of health care, health
care service plan, pharmaceutical company, or contractor who creates, maintains,
preserves, stores, abandons, destroys, or disposes of medical information shall do so in a
manner that preserves the confidentiality of the information contained therein. Any
provider of health care, health care service plan, pharmaceutical company, or contractor
who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of
medical information shall be subject to the remedies and penalties provided under
subdivisions (b) and (c) of Section 56.36.”
4. The Complaint Fails To State Facts Sufficient To Constitute a Cause of Action
for Statutory Damages Under CMIA
The superior court found, and the Regents does not dispute, Platter’s complaint
adequately alleges the Regents violated the duty imposed by section 56.101,
subdivision (a), to maintain and store medical information in a manner that preserves the
confidentiality of that information. (Cf. Mack v. Soung (2000) 80 Cal.App.4th 966, 971
[all properly pleaded allegations deemed true for purposes of demurrer regardless of
plaintiff’s ability to later prove them].) The Regents, therefore, is potentially “subject to
the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36.”
(§ 56.101, subd. (a).) Section 56.36, subdivision (c), concerns administrative fines and
civil penalties and is not directly at issue in this case. Subdivision (b) authorizes an
individual action for damages (actual and/or $1,000 in nominal or statutory damages), but
what is the nature of that remedy as applied to the negligent maintenance or storage of
medical information? Specifically, who may bring the action, and what must he or she
plead and prove?
a. A cause of action for statutory damages based on negligent storage or
maintenance of confidential medical information requires pleading and
proof that the plaintiff’s confidential information has been released to a
third party
Obviously troubled by the implications of its conclusion that “disclose,” as used in
section 56.10, subdivision (a), and “release,” as used in section 56.36, subdivision (b), are
synonymous and that both require an affirmative communicative act, as the Regents had
argued—the issue we discuss in the following section of this opinion—the superior court
determined CMIA defined “two separate species of wrongful conduct” and “two separate
violations”: the wrongful disclosure of confidential medical information under section
56.10 and the wrongful maintenance and storage of confidential information under
section 56.101, subdivision (a). In the absence of proof of actual damages, the remedy
for the negligent release of information, which the court equated with its wrongful
disclosure, is $1,000 in nominal or statutory damages, as provided in section 56.36,
subdivision (b)(1). In addition, the court reasoned, the remedy for negligent
maintenance, preservation or storage of confidential information that does not cause
actual damage is again $1,000 in nominal damages because the remedy portion of section
56.36, subdivision (b), is incorporated into section 56.101. As such, the court concluded,
“there is no requirement under § 56.101 that, to be eligible for the $1,000 nominal
damages . . . , that there also have been a negligent release of the confidential information
under § 56.36(b).” In the court’s view, section 56.101 merely incorporated the damages
available under section 56.36, subdivision (b), but did not import the affirmative elements
of the cause of action described in that subdivision, that is, the negligent release of
confidential information.
The superior court read section 56.101, subdivision (a)’s incorporation of “the
remedies and penalties provided under subdivisions (b) and (c) of Section 56.36” far too
narrowly. The remedy provided in subdivision (b) is the right of an individual whose
confidential information has been released in violation of CMIA to bring a private cause
of action for nominal and/or actual damages. (See Legis. Counsel’s Dig., Sen. Bill
No. 19 (1999-2000 Reg. Sess.) [“[t]he bill would provide that violation of the act would
be grounds for suspension o[r] revocation of a health care service plan’s license and
would create a right of action to recover damages, as specified, for any individual whose
confidential information or records are negligently released . . .”].) By incorporating the
entire subdivision (b) “remedy,” and not simply the measure of damages described in
subdivision (b)(1) and (2), the Legislature plainly intended an action predicated on a
health care provider’s negligent maintenance of confidential information in violation of
section 56.101 also plead and prove a release of that information.
This use of the term “remedy” to refer to the private cause of action itself, rather
than to the particular form of relief available, is hardly unusual. (See, e.g., Munson v.
Del Taco, Inc. (2009) 46 Cal.4th 661, 673 [addition of subd. (f) to section 51 of the
Unruh Civil Rights Act, which incorporated the Americans with Disabilities Act of 1990
(ADA), was intended to provide a person injured by violation of the ADA with the
“remedy” of a “private damages action”]; Lu v. Hawaiian Gardens Casino, Inc. (2010)
50 Cal.4th 592, 597 [discussing how courts determine whether Legislature intended to
create a private cause of action; “a statute may refer to a remedy or means of enforcing its
substantive provisions, i.e. by way of an action”]; id. at p. 604 [“‘nothing we hold herein
would prevent the Legislature from creating additional civil or administrative remedies,
including, of course, creation of a private cause of action for violation of’ [the Labor
Code section at issue]”]; see also San Diego Gas & Electric Co. v. Superior Court (1996)
13 Cal.4th 893, 916 [Pub. Util. Code, § 2106 “authorize[es] the traditional private remedy
of an action for damages brought by the injured party in superior or municipal court
against any public utility . . .”].) Moreover, when the Legislature simply wants to
incorporate the damage measure from one provision into another, it does so directly. For
example, Health and Safety Code section 130202, subdivision (a)(1), provides an
administrative fine may be assessed by the Office of Health Information Integrity “for
any violation of this division [concerning additional safeguards to protect the privacy of
patient information] in an amount as provided in Section 56.36 of the Civil Code.” Here,
in contrast, section 56.101, subdivision (a), does not refer to the “amount as provided”
but rather to the remedy specified in subdivision (b), an incorporation that includes more
than just the nominal damage amount available to a successful plaintiff.
Any lingering uncertainty about this interpretation of the elements of a private
cause of action based on negligent maintenance of medical records is dispelled by the
original language of Senate Bill No. 19 (1999-2000 Reg. Sess.), which added both
sections 56.101 and 56.36, subdivisions (b) and (c), to CMIA, effective January 1, 2000.
(Stats. 1999, ch. 526, §§ 3, 8, pp. 3647, 3650.) [fn. 5] As enacted in 1999, in addition to
imposing a duty on health care providers to maintain and store medical records “in a
manner that preserves the confidentiality of the information contained therein,” section
56.101 stated, “Any provider of health care, health care service plan, or contractor who
negligently disposes, abandons or destroys medical records shall be subject to the
provisions of this part”—that is, to the provisions of CMIA. (Stats. 1999, ch. 526, § 3,
p. 3647; italics added.) Thus, as originally enacted under Senate Bill No. 19, negligent
preservation of confidential patient information would expose a health care provider not
only to administrative sanctions under new section 56.36, subdivision (c), but also to the
new private cause of action established in section 56.36, subdivision (b), as well as
potentially to a damage action under section 56.35 and a criminal (misdemeanor)
proceeding under section 56.36, subdivision (a). There was no separate, stand-alone
private cause of action for violation of section 56.101.
[fn. 5] Former section 56.36, making it a misdemeanor to violate CMIA if the violation
caused economic loss or personal injury to a patient, was redesignated in Senate Bill
No. 19 as section 56.36, subdivision (a). (Stats. 1999, ch. 526, § 8, p. 3650.)
The following year, as part of legislation making technical and clarifying changes
to CMIA, section 56.101 was amended to substitute “negligently creates, maintains,
preserves, stores” for “negligently disposes”; and to replace “subject to the provisions of
this part” with “subject to the remedies and penalties provided under subdivisions (b) and
(c) of Section 56.36.” (Stats. 2000, ch. 1067, § 4, p. 8209, see Sen. Com. on Ins.,
Analysis of Sen. Bill No. 2094 (1999-2000 Reg. Sess.) [bill would make “clarifying and
conforming changes” to § 56.101].) This revision simply clarified which “provisions of
this part” contained the available remedies for violation of section 56.101; it did not
purport to create a new private cause of action for violations of that section. The
incorporation of section 56.36, subdivision (b)’s remedy, therefore, necessarily included
the affirmative elements of the cause of action for negligent release of confidential
information.
Notwithstanding its conclusion that section 56.101 incorporated only the measure
of damages specified in section 56.36, subdivision (b), and not the other elements of
subdivision (b)’s private cause of action, the superior court implicitly acknowledged the
flaw in its analysis and recognized that more than a bare allegation of negligent
maintenance of confidential information by a health care provider is required to recover
nominal or statutory damages. Thus, the superior court did not rule, and Platter herself
does not argue, a cause of action may be stated under section 56.101, subdivision (a), by
any patient of a health care provider who has negligently maintained or stored some of its
confidential medical records, let alone by someone who is not even a patient of the
provider. At the very least, the information potentially compromised as a result of the
negligent conduct must relate to the individual initiating the action, consistent with
section 56.36, subdivision (b)’s requirement that the “confidential information or records
at issue concern[] him or her.” Yet this minimum threshold requirement must necessarily
be based on the incorporation of at least some of the affirmative elements of the private
damage remedy created by section 56.36, subdivision (b); there is no other statutory
ground on which it could stand. [fn. 6]
Here, Platter has satisfied this initial pleading requirement, alleging (as reported in
the notice she received from UCLA Health System) that her confidential medical records
were among those on the external hard drive taken from the physician’s home on
September 6, 2011. For the reasons discussed, however, more is required: Section 56.36,
subdivision (b), incorporated into section 56.101, subdivision (a), requires pleading and
proof that confidential information has been released in violation of CMIA to bring a
private cause of action for nominal and/or actual damages.
b. A cause of action for statutory damages based on negligent storage or
maintenance of confidential medical information requires pleading and
proof of a release of the information but not an affirmative communicative
act by the health care provider
Although we agree with the Regents an action for nominal damages under sections
56.101, subdivision (a), and 56.36, subdivision (b), requires pleading and proof of a
“release” of confidential information, that does not mean, as the Regents contends, an
affirmative communicative act by the health care provider is an essential element of
Platter’s claim. Specifically, “release” as used in section 56.36, subdivision (b), is not
synonymous with “disclose” in section 56.10, subdivision (a); and the Regents posits a
false dichotomy between disclosure or release, on the one hand, and “unauthorized
‘access’ by third parties,” on the other hand.
[fn. 6] Any broader interpretation of section 56.101 would, in effect, permit an otherwise
unaffected individual—one who has suffered no actual injury and thus without a genuine
beneficial interest in the action—to sue for statutory damages as a private attorney
general based on a threat to a stranger’s personal right of privacy. (Cf. Lugosi v.
Universal Pictures (1979) 25 Cal.3d 813, 821 [right of privacy “‘is purely a personal one;
it cannot be asserted by anyone other than the person whose privacy has been invaded,
that is, plaintiff must plead and prove that his privacy has been invaded’”]; Moreno v.
Hanford Sentinel, Inc. (2009) 172 Cal.App.4th 1125, 1131 [right of privacy is “purely
personal” and “cannot be asserted by anyone other than the person whose privacy has
been invaded”]; People v. Dominguez (1981) 121 Cal.App.3d 481, 505 [state
constitutional right of privacy is personal and may not be asserted derivatively].)
Nothing in the legislative history suggests the Legislature intended to authorize such a
novel representative action.
i. “To disclose” and “to release” are not synonymous
CMIA does not define “disclose” or “release.” As a matter of their common or
ordinary dictionary meanings, however, “to disclose” and “to release” are not
synonymous. (See generally Angelucci v. Century Supper Club (2007) 41 Cal.4th 160,
168 [“[i]n interpreting a statute, we first consider its words, giving them their ordinary
meaning and construing them in a manner consistent with their context and the apparent
purpose of the legislation”].) “Disclose,” as the Regents explains, is an active verb,
denoting in the context of CMIA and the protections afforded confidential medical
information an affirmative act of communication. [fn. 7] But “to release” is broader, including
not only “to give permission for publication, performance, exhibition or sale of” or “to
make available to the public,” the definitions identified by the superior court, [fn. 8] and “to set
free from restraint, confinement, or servitude; to let go,” among the definitions proffered
by the Regents, [fn. 9] but also “to cause or allow to move away or spread from a source or
place of confinement” [fn. 10] and “to allow or enable to escape from confinement.” [fn. 11] “Allow
to spread” and “enable to escape” plainly do not connote affirmative acts propelling
information or a substance outward. (Cf. Health & Saf. Code, § 25926, subd. (d)
[legislative findings regarding asbestos abatement and control; “[w]hen [asbestos
materials] deteriorate or become loose, damaged, or friable, they release asbestos fibers
into the ambient air”].) Thus, under the usual and ordinary meaning of the statutory
language, a health care provider who has negligently maintained confidential medical
information and thereby allowed it to be accessed by an unauthorized third person—that
is, permitted it to escape or spread from its normal place of storage—may have
negligently released the information within the meaning of CMIA. [fn. 12]

[fn. 7] See, e.g., American Heritage Dictionary Online (2013) (as of Oct. 15, 2013) (“to
expose to view, as by removing a cover; uncover”; “to make known (something
heretofore kept secret)”; Merriam-Webster’s Online Dictionary (2013)
(as of Oct. 15, 2013) (“to expose to view”; “to make known or public”).
[fn. 8] The superior court quoted Merriam-Webster’s Online Dictionary
(checked as of Oct. 15, 2013).
[fn. 9] Merriam-Webster’s Online Dictionary (2013) (as of Oct. 15, 2013).
[fn. 10] American Heritage Dictionary Online (2013) (as of Oct. 15, 2013).
[fn. 11] Oxford Dictionaries Online (2013) (as of Oct. 15, 2013).
[fn. 12] Any disclosure of information is necessarily a release of it. (Cf. § 1798.3,
subd. (c) [defining term for purpose of Information Practices Act of 1977; “[t]he term
‘disclose’ means to disclose, release, transfer, disseminate, or otherwise communicate all
of any part of any record orally, in writing, or by electronic or any other means to any
person or entity”]; Health & Saf. Code, § 120980, subd. (k) [defining term for purpose of
statute prohibiting unauthorized disclosure of HIV test results; “‘[d]isclosed,’ as used in
this section, means to disclose, release, transfer, disseminate, or otherwise communicate
all or part of any record orally, in writing, or by electronic means to any person or
entity”].) But the converse is not true: Not all releases of information necessarily involve
a disclosure—that is, an affirmative communicative act.
To the extent the Regents argues “disclose” and “release” are synonymous
because several statutory definitions of “disclose” include the word “release,” it is guilty
of the fallacy of formal logic known as affirming the consequent: If P then Q. Q.
Therefore, P. (To illustrate, if it is raining, then the streets are wet; the streets are wet;
therefore, it is raining.) (See generally The Fallacy Files, Affirming The Consequent
<http://www.fallacyfiles.org/afthecon.html> [as of Oct. 15, 2013].)

ii. Established principles of statutory construction require we ascribe
different meanings to different words used in the same statutory scheme
and avoid an interpretation that would render any provision superfluous
This plain meaning construction of sections 56.101 and 56.36, subdivision (b), is
reinforced by our obligation to interpret different terms used by the Legislature in the
same statutory scheme to have different meanings. (Roy v. Superior Court (2011)
198 Cal.App.4th 1337, 1352 [“‘[w]hen the Legislature uses different words as part of the
same statutory scheme, those words are presumed to have different meanings’”]; Romano
v. Mercury Ins. Co. (2005) 128 Cal.App.4th 1333, 1343 [same]; see also Brown v. Kelly
Broadcasting Co. (1989) 48 Cal.3d 711, 725 [“‘when the Legislature has carefully
employed a term in one place and has excluded it in another, it should not be implied
where excluded’”].) The Legislature elected to define the private cause of action created
by section 56.36, subdivision (b), in terms of a negligent release of information, rather
than a negligent disclosure. There is no reason to believe that decision was anything but
deliberate.
As discussed, both sections 56.101 and 56.36, subdivision (b), were added to
CMIA by Senate Bill No. 19 in 1999. Prior to that time the Legislature had provided a
private cause of action for a patient “whose medical information had been used or
disclosed in violation of Section 56.10 . . . and who has sustained economic loss or
personal injury therefrom.” Such an individual could recover both compensatory and
limited punitive damages in addition to any other remedies available at law. (Former
§ 56.35; Stats. 1981, ch. 782, § 2, p. 3049; italics added.) [fn. 13]

[fn. 13] Section 56.35 now provides a private damage remedy not only for violations of
section 56.10 but also for violations of sections 56.104, 56.20 and 56.26, subdivision (a).
(See Stats. 1999, ch. 527, § 4, pp. 3662-3663.) Otherwise, it remains unchanged.

The provisions in Senate Bill No. 19 expanded the private right of action for
individuals whose medical information had been compromised in several different ways.
First, new section 56.36, subdivision (b), created a private cause of action for the
negligent release of medical records, not only for their unauthorized disclosure or use.
(Stats. 1999, ch. 526, § 8, p. 3650.) Second, in addition to authorizing an action for
compensatory damages for the negligent release of confidential information or records in
subdivision (b)(2), section 56.36, subdivision (b)(1), expressly provides that nominal
(statutory) damages of $1,000 are available for a patient whose confidential information
was negligently released without proof “that the plaintiff suffered or was threatened with
actual damages.” Moreover, by virtue of section 56.101 health care providers are now
charged with the duty not only to refrain from unauthorized disclosures of confidential
medical information but also to maintain such information “in a manner that preserves
the confidentiality of the information contained therein” (former § 56.101, Stats. 1999,
ch. 526, § 3, p. 3647)—storage-related duties far broader than the duty created by
section 56.10.
For our purposes two aspects of this legislation bear emphasis. First,
section 56.36, subdivision (b)(2), permitting the recovery of actual damages for the
negligent release of confidential medical information or records, would be superfluous in
light of section 56.35, if “release” as used in section 56.36, subdivision (b), were
synonymous with “disclose” as used in sections 56.10 and 56.35. When interpreting a
statute, “‘“[w]ords must be construed in context, and statutes must be harmonized, both
internally and with each other to the extent possible.” [Citation.] Interpretations that lead
to absurd results or render words surplusage are to be avoided.’” (People v. Loeun
(1997) 17 Cal.4th 1, 9; accord, Dyna-Med, Inc. v. Fair Employment & Housing Com.
(1987) 43 Cal.3d 1379, 1387 [“A construction making some words surplusage is to be
avoided. The words of the statute must be construed in context, keeping in mind the
statutory purpose, and statutes or statutory sections relating to the same subject must be
harmonized, both internally and with each other, to the extent possible.”]; Reno v. Baird
(1998) 18 Cal.4th 640, 658 [“‘[c]ourts should give meaning to every word of a statute if
possible, and should avoid a construction making any word surplusage’”].)
Second, at the same time it created a private cause of action for the negligent
release of confidential medical information in section 56.36, subdivision (b), the
Legislature created a new system of administrative fines and civil penalties for the
negligent or willful use or disclosure of such information in violation of CMIA in
section 56.36, subdivision (c). Again, our obligation to interpret different terms used by
the Legislature in the same statutory scheme to have different meanings requires we
reject the Regents’s argument that “to disclose” information and “to release” it within the
meaning of CMIA are synonymous and that both require an affirmative communicative
act. In sum, by incorporating the remedy provision of section 56.36, subdivision (b), in
section 56.101, the Legislature simply did not intend a private cause of action under
section 56.101 for negligent maintenance or disposal of confidential medical information
to be limited to instances in which the health care provider disseminated the information
through an affirmative communicative act.
Indeed, if an affirmative communicative act by the health care provider were
required to state a claim under section 56.101—that is, if only the negligent disclosure of
that information, not just its negligent storage leading to unauthorized access, could
support an award of civil damages—the second sentence of former section 56.101 (now
section 56.101, subdivision (a)) expressly providing remedies for violations of
section 56.101 would be superfluous. The Regents attempts to avoid this untenable
conclusion by noting that section 56.101 applies to pharmaceutical companies, which are
not covered by section 56.10. Thus, it reasons, section 56.101 has independent
significance because a private cause of action now exists against pharmaceutical
companies that negligently maintain and release medical information. But
pharmaceutical companies were not added to section 56.101 until 2002. (Stats. 2002,
ch. 853, § 2, p. 5377.) This after-the-fact development does nothing to validate the
Regents’s interpretation of section 56.101’s remedial provisions—an interpretation that
would mean those provisions, when adopted in 1999, were simply redundant and thus
unnecessary.
Nor are we persuaded by the Regents’s observation that the Legislature may create
certain duties that are not enforceable through any private cause of action. Although that
is certainly true (see, e.g., Lu v. Hawaiian Gardens Casino, Inc., supra, 50 Cal.4th at
p. 596), it does little to explain what the Legislature intended when it provided, first, that
violation of the duty imposed by section 56.101 was “subject to the provisions of this
part,” and, thereafter, that such violations were “subject to the remedies and penalties
provided under subdivisions (b) and (c) of Section 56.36.” As discussed, section 56.36,
subdivision (b), only provides for a private cause of action (for actual damages, nominal
or statutory damages, or both). The Legislature plainly created some form of private
cause of action for negligent maintenance or disposal of confidential medical
information; the issue presented here is not whether a private right of action exists to
enforce the duties created by section 56.101, but what are the elements of such a claim.
iii. Subsequent legislation to further protect confidential medical
information does not support the Regents’s cramped interpretation of
sections 56.101 and 56.36, subdivision (b)
Finally, we reject the Regents’s argument that a private cause of action under
sections 56.101 and 56.36, subdivision (b), must include pleading and proof of an
affirmative disclosure by the health care provider because in 2008, some years after those
provisions were adopted, the Legislature enacted new regulatory safeguards for
confidential medical records that expressly addressed unlawful or unauthorized “access”
to such information, as well as its unauthorized use or disclosure. (Health & Saf. Code,
§§ 1280.15, 130200 et seq.; see Stats. 2008, ch. 605, § 2, pp. 4326-4327; Stats. 2008,
ch. 602, § 2, pp. 4303-4304.) Health and Safety Code section 1280.15, subdivision (a),
imposes on health care facilities and clinics a duty to prevent “unlawful or unauthorized
access to, and use or disclosure of, patients’ medical information” and, in subdivision (b)
provides administrative remedies for the failure to report improper access, use or
disclosure. A finding of negligence is not necessary to trigger administrative sanctions.
Similarly, Health and Safety Code section 130203, subdivision (a), requires health care
providers to establish and implement appropriate administrative, technical and physical
safeguards to protect the privacy of a patient’s medical information and to safeguard it
from “any unauthorized access or unlawful access, use, or disclosure.” Health and Safety
Code section 130202 authorizes imposition of administrative fines for any violation.
As noted, both of these additional, related regulatory schemes cover unauthorized
disclosure of confidential medical information, as well as improper access, and thus
unquestionably overlap with the protections provided by section 56.10. Nothing in these
statutes or their legislative history, however, suggests the Legislature, in providing these
additional protections for confidential medical information, intended to modify or
displace existing private remedies under sections 56.36 or 56.101 for the negligent
storage or disposal of such information.
To be sure, as the Regents observe, an Assembly committee analysis of Senate
Bill No. 541, which became Health and Safety Code section 1280.15, in explaining the
need for the legislation, commented that “CMIA prohibits, with exceptions, health care
providers . . . from disclosing medical information . . . . CMIA does not address ‘access’
which could involve an individual ‘snooping’ at a patient’s records without a healthcare
related or other legally authorized purpose, but who does not disclose or otherwise use
the medical information.” (Assem. Com. on Health, Analysis of Sen. Bill No. 541 (2007-2008
Reg. Sess.) as amended Aug. 13, 2008, p. 7.) But “‘[t]he declaration of a later
Legislature is of little weight in determining the relevant intent of the Legislature that
enacted the law.’” (Apple Inc. v. Superior Court (2013) 56 Cal.4th 128, 145.) Moreover,
the legislative history makes clear the concerns regarding “unauthorized access” and
“snooping” that prompted Senate Bill No. 541 were far broader than security breaches
caused by negligent maintenance of medical records. (See, e.g., Sen. Health Com.,
Analysis of Sen. Bill No. 541 (2007-2008 Reg. Sess.) as amended Aug. 21, 2008, pp. 6-7
[“DPH recently released a report indicating that more than 120 workers at the UCLA
Medical Center looked at celebrities’ medical records and other personal information
without permission between January 2004 and June 2008, and that three continued to
look at one particular celebrity’s records even after a crackdown on the unauthorized
access began in April 2008. . . . In May 2008, it was reported that hospitals and other
health care organizations commonly use patients’ information for fundraising efforts
without their express permission.”]; Assem. Com. on Health, supra, at p. 7 [“[i]n
California, DPH indicates 127 people breached patient records at the University of
California Los Angeles (UCLA) Medical Center, including one individual who breached
939 times, and the medical information of more than 6,000 patients at University of
California San Francisco (UCSF) Medical Center was posted on the internet for more
than three months”].) The privacy portions of Senate Bill No. 541 were necessary, not
because any violation of CMIA necessarily requires an affirmative communicative act, as
the Regents contend, but because “CMIA does not clearly address unauthorized ‘access’
to medical records by providers, which could involve an individual ‘snooping’ at a
patient’s records without having a legitimate reason for doing so.” (Sen. Health Com.,
supra, at p. 7, italics added.)
c. Pleading negligent maintenance and loss of possession of confidential
medical information is insufficient to state a cause of action under sections
56.101 and 56.36, subdivision (b)
Apparently recognizing that negligent storage or disposal of confidential
information alone is not actionable under sections 56.101 and 56.36, subdivision (b), in
overruling the Regents’s demurrer the superior court quoted Platter’s allegation (in
paragraph 46 of her complaint) that the Regents “failed to have reasonable systems and
controls in place to prevent the removal of protected health information from the hospital
premises and as a result it negligently lost possession of the hard drive and encryption
passwords.” (Italics added.) In her return to the writ petition Platter emphasizes the
italicized words and argues the allegation of a loss of possession of her confidential
medical information provides the necessary elements for her private cause of action
against the Regents.
Platter’s pleading is honest. Because no one (except perhaps the thief) knows
what happened to the encrypted external hard drive and the password for the encrypted
information, she cannot allege her medical records were, in fact, viewed by an
unauthorized individual. But it is also deficient. Even under the broad interpretation of
“release” we believe the Legislature intended in section 56.36, subdivision (b), as
incorporated into section 56.101, more than an allegation of loss of possession by the
health care provider is necessary to state a cause of action for negligent maintenance or
storage of confidential medical information. (See generally Kirkwood v. Bank of America
(1954) 43 Cal.2d 333, 341 [“[w]ords may not be inserted in a statutory provision under
the guise of interpretation”]; Schroeder v. Irvine City Council (2002) 97 Cal.App.4th 174,
194 [same].) What is required is pleading, and ultimately proving, that the confidential
nature of the plaintiff’s medical information was breached as a result of the health care
provider’s negligence. [fn. 14] Because Platter’s complaint failed to include any such
allegation, the Regents’s demurrer should have been sustained without leave to amend
and the case dismissed.
DISPOSITION
The petition is granted. Let a peremptory writ of mandate issue directing the
superior court to vacate its order overruling the Regents’s demurrer and to enter a new
order sustaining the demurrer without leave to amend and dismissing Platter’s action.
The parties are to bear their own costs in this proceeding.
PERLUSS, P. J.
We concur:
WOODS, J. ZELON, J.
[fn. 14] Such a breach of confidentiality, of course, can occur whether or not the
information remains in the actual possession of the health care provider. Conversely, if a
provider properly disposes of medical records, as contemplated by section 56.101, it will
lose possession of the records without in any way compromising their confidentiality.