Filed 5/21/14
CERTIFIED FOR PUBLICATION
IN THE COURT OF APPEAL OF THE STATE OF CALIFORNIA
FOURTH APPELLATE DISTRICT
DIVISION TWO
EISENHOWER MEDICAL CENTER,
Petitioner, E058378
v. (Super.Ct.No. INC1108128)
THE SUPERIOR COURT OF OPINION
RIVERSIDE COUNTY,
Respondent;
CARMEN MALANCHE et al.,
Real Parties in Interest.
ORIGINAL PROCEEDINGS; petition for writ of mandate. Harold W. Hopp,
Judge. Petition granted.
Horvitz & Levy, Lisa Perrochet, Steven S. Fleischman; Baker & Hostetler,
Michael R. Matthias and Dawn Kennedy for Petitioner.
No appearance for Respondent.
1
Harris & Ruble, Alan Harris, Priya Mohan and Dave Zelenski for Real Parties in
Interest.
Petitioner Eisenhower Medical Center (EMC) seeks writ review of an order
denying its motion for summary adjudication of a cause of action under the
Confidentiality of Medical Information Act (CMIA). (Civ. Code, § 56 et seq.)1 We
grant EMC’s petition, concluding that a health care provider cannot be held liable under
the relevant portions of the CMA for the release of an individual’s personal identifying
information that is not coupled with that individual’s medical history, mental or physical
condition, or treatment.
FACTUAL AND PROCEDURAL BACKGROUND
A computer was stolen from EMC on March 11, 2011, containing an index of over
500,000 persons to whom EMC had assigned a clerical record number dating back to the
1980’s. The information included each person’s name, medical record number (MRN),
age, date of birth, and last four digits of the person’s Social Security number (SSN). This
information on the computer was password protected but not encrypted. A couple of
weeks later, EMC sent out notice to these individuals informing them of the theft.
Real parties in interest (Plaintiffs) are a few of the individuals whose names were
on the index. They filed the underlying action as a putative class action against EMC
seeking nominal damages of $1,000 each under the CMIA. The complaint also includes
1 Further statutory references are to the Civil Code, unless otherwise stated.
2
a second cause of action for violation of the Customer Records Act (CRA) (Civ.Code,
§ 1798.82), which requires notification to consumers when security systems are breached.
EMC moved for summary judgment or adjudication contending that the theft of
the computer did not result in a disclosure of medical information of any of the listed
persons. Information about an individual’s medical history, condition, or treatment is
saved only on EMC’s servers located in the data center. The index that was on the stolen
computer is a subset of information from its master patient index and can be used in case
of a power outage or network failure to look up the patient’s MRN so that a hard copy of
the medical records can be located. The MRN is sequential and contains no coded
information. Thus, EMC argues that the index did not contain medical information
within the meaning of the CMIA, which requires a disclosure of “individually identifiable
information” (which it concedes the index contained) with information “regarding a
patient’s medical history, mental or physical condition, or treatment.” (§ 56.05, former
subd. (g).)
EMC also pointed out that, upon inquiry, a general acute care hospital may
disclose without consent the name, address, age, sex, and a general description of the
reasons for treatment of a patient. (§ 56.16.)
As for the second cause of action under the CRA, EMC contended that it did not
disclose “personal information,” which includes a person’s name and either of five data
elements, including SSN and medical information. A truncated SSN does not qualify, it
argued. In any case, it provided timely notice as required under the CRA.
3
Plaintiffs’ opposition first contended that the summary judgment motion is moot
because after filing it, they amended the complaint to allege two other computers were
stolen in January 2011 resulting in violations of the CMIA. Plaintiffs also argued that
EMC had reported the theft of the computer as a breach to federal authorities, the
Department of Health and Human Services (HHS), so it must be considered a breach of
the CMIA. Plaintiffs primarily argued that the mere fact that a person’s name is on the
index reveals that he or she was a patient and, thus, there has been a release of medical
history. Finally, they assert that the information on the index could be used to hack into
the database and perhaps access a patient’s medical information.
The trial court denied summary judgment and adjudication. First, it noted that the
motion did not address recent amendments to the complaint regarding additional
incidents. Its denial was based principally on its belief that the fact that a person was a
patient at the hospital is medical information within the meaning of the CMIA. Its order
stated that it found EMC had not sustained its burden of proof that there were no triable
issues of fact.
DISCUSSION
EMC seeks review only as to the first cause of action for breach under the CMIA
arising from the March 2011 theft. It does not challenge the denial of summary
adjudication as to the causes of action arising from the January thefts or under the CRA.2
We reject plaintiffs’ assertion that EMC’s motion was rendered moot by the
2
amendments regarding the January 2011 theft. When plaintiffs sought leave to file the
[footnote continued on next page]
4
EMC contends that “medical information” as defined under the CMIA is
substantive information regarding a patient’s medical condition or history that is
combined with individually identifiable information. It notes here there was a disclosure
or release of “individually identifiable information,” but not medical information. We
agree. We note the issue thus drawn is a narrow one and does not require this court to
determine whether there is a distinction between a disclosure or release of medical
information under the CMIA, whether EMC was negligent in handling its computer
records, or whether unauthorized persons actually viewed plaintiffs’ medical records.3
[footnote continued from previous page]
second amended complaint adding these allegations, their counsel agreed that EMC
would not have to refile its motion since the legal issues raised were the same whether
framed by the first or second amended complaint. Even in the introductory portion of
their response to this petition, plaintiffs state that it is logical for this court to resolve the
writ as though the allegations relating to the January and the March computer thefts are
separate causes of action as the trial court said it would do at a hearing on December 18,
2012. Plaintiffs further indicate in their response that the second amended complaint
could be treated as though it articulated four separate causes of action, two dealing with
the January incident and two dealing with the March incident. Its response “is prepared
as though the writ is directed to only the March breach.” This indicates more than a
forfeiture of the mootness, but an express waiver.
3 In the recent decision from the Second District, Regents of University of
California v. Superior Court (2013) 220 Cal.App.4th 549, a distinction was drawn
between the terms “disclose” and “release.” That court concluded that “release” does not
require a showing of an affirmative communicative act by a health care provider. It went
on to hold that under section 56.36, subdivision (b), as incorporated into section 56.101,
more than an allegation of loss of possession by a health care provider is necessary to
state a cause of action for negligent maintenance or storage of confidential medical
information. What is required, according to Regents, is pleading, and ultimately proving,
that the confidential nature of the plaintiff’s medical information was breached as a result
of the health care provider’s negligence. The plaintiff in Regents could not maintain her
cause of action because she could not allege that her medical records had, in fact, been
viewed by an unauthorized person. The sole issue raised in our case is what constitutes
[footnote continued on next page]
5
The CMIA provides that no health care provider shall disclose or release medical
information regarding a patient of the provider without first obtaining authorization. It
specifically provides that an individual may recover $1,000 nominal damages against any
person or entity who has negligently released his confidential medical information. The
individual does not have to show that he suffered or was threatened with actual damages
in order to recover the $1,000. (§ 56.36, subd. (b)(1).)
Section 56.05, former subdivision (g), defines “medical information” as “any
individually identifiable information, in electronic or physical form, in possession of or
derived from a provider of health care, health care service plan, pharmaceutical company,
or contractor regarding a patient’s medical history, mental or physical condition, or
treatment. ‘Individually identifiable’ means that the medical information includes or
contains any element of personal identifying information sufficient to allow identification
of the individual, such as the patient’s name, address, electronic mail address, telephone
number, or social security number, or other information that, alone or in combination
with other publicly available information, reveals the individual’s identity.”
In arriving at this conclusion, we apply some fundamental rules of statutory
construction. The first rule is that the courts will adopt the plain meaning of the statute
unless it would be repugnant to the obvious purpose of the statute. (Lungren v.
[footnote continued from previous page]
“medical information” so we need not reach the issues decided in Regents. Without
expressing an opinion on the matter, we will use the term “release” for the sake of
uniformity and convenience.
6
Deukmejian (1988) 45 Cal.3d 727,735 [“Words used in a statute or constitutional
provision should be given the meaning they bear in ordinary use. [Citations.] If the
language is clear and unambiguous there is no need for construction, nor is it necessary to
resort to indicia of the intent of the Legislature (in the case of a statute) or of the voters
(in the case of a provision adopted by the voters).”].) It is clear from the plain meaning
of the statute that medical information cannot mean just any patient-related information
held by a healthcare provider, but must be “individually identifiable information” and
also include “a patient’s medical history, mental or physical condition, or treatment.”
This definition does not encompass demographic or numeric information that does not
reveal medical history, diagnosis, or care. As amicus Sutter Health notes, the Legislature
has made distinctions between demographic information and medical information in
several statutes, Penal Code sections 530.5, 530.55 and Civil Code section 1798.82.
Another rule of statutory construction is to give effect, whenever possible, to the
statute as a whole, and to every word and clause thereof, leaving no part of the provision
useless or deprived of meaning. (California Assn. of Psychology Providers v. Rank
(1990) 51 Cal.3d 1, 18.) Applying these rules, the mere fact that a person may have been
a patient at the hospital at some time is not sufficient. If interpreted as plaintiffs wish,
then release by a health care provider of personal identification would be sufficient
whether or not there was a release of substantive information regarding that person’s
medical condition, history, or treatment. Under that construction, the fact that an
individual’s name is on a list released by doctor X or clinic Y is sufficient to violate the
7
law because then it is assumed that the individual was a patient of the latter at some point.
Such a construction does not comport with the plain and reasonable meaning of the
statute and would render meaningless the clause “regarding a patient’s medical history,
mental or physical condition, or treatment.”
Plaintiffs assert that a patient’s medical history must include the fact that one has
had medical treatment of sufficiently serious nature to warrant assignment of a medical
record number and inclusion in EMC’s permanent index of EMC patients. However,
there is no showing that assignment of a medical record number signifies that a person
has had medical treatment. It may simply mean that the person appeared at the hospital
and some basic demographic information was taken. He or she may or may not have
been examined and received treatment. Even accepting that the person was treated, this
fact that he or she was a patient is not in itself medical information as defined in section
56.05, former subdivision (g), for the reasons discussed ante.4 Plaintiffs also argue that a
person’s name on the index with an MRN indicates that a hard copy of his or her medical
record was generated. Confirmation that a person’s medical record exists somewhere is
not medical information as defined under the CMIA.
4 It was remarked during oral argument that in some cases the very fact that a
person is or was a patient of certain health care providers, such as an AIDS clinic, is more
revelatory of the nature of that person’s medical condition, history, or treatment. We are
not presented with, and express no opinion concerning, such a situation.
8
In this regard, it is noteworthy that the CMIA allows acute care hospitals to
disclose certain patient information upon demand under section 56.16.5 Thus, section
56.16 allows hospitals to reveal medical information as long as it fits with the described
categories of general description of the reason for the treatment, the general nature of the
injury, and the general condition of the patient, as well as nonmedical information.
(Garrett v. Young (2003) 109 Cal.App.4th 1393, 1405.) While section 56.16 applies only
when there has been a request for information, it does lend some support for the belief
that the mere fact that a person is or was a patient is not accorded the same level of
privacy as more specific information about his medical history.
Lastly, plaintiffs have contended that EMC’s report to HHS of the theft of the
desktop computer as a breach of health information is an admission that the index
constitutes medical information within the meaning of section 56.05, former subdivision
(g). However, the definition of “individually identifiable health information”6 under
5 Formerly, this section applied to all traditional health care providers but has now
been restricted to acute care hospitals.
6 “Individually identifiable health information is information that is a subset of
health information, including demographic information collected from an individual, and:
(1) Is created or received by a health care provider, health plan, employer, or health care
clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an
individual; the provision of health care to an individual; or the past, present, or future
payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be
used to identify the individual.” (45 C.F.R. 160.103 (2012).)
9
federal law differs markedly from that in the CMIA, so that it does not follow that EMC
has conceded that the index contains medical information as defined in the latter statute.7
In sum, we conclude that under the CMIA a prohibited release by a health care
provider must include more than individually identifiable information but must also
include information relating to medical history, mental or physical condition, or treatment
of the individual.
DISPOSITION
Let a peremptory writ of mandate issue directing the Superior Court of Riverside
County to set aside its order denying summary adjudication as to the first cause of action
for breach under the CMIA arising from the March 2011 theft and to issue a new order
granting the motion in accordance with the views expressed herein.
7 It should also be noted that the trial court sustained EMC’s evidentiary objection
to the evidence plaintiffs presented on this point—their attorney’s declaration attaching
printouts of information off the HHS website.
10
Petitioner is directed to prepare and have the peremptory writ of mandate issued,
copies served, and the original filed with the clerk of this court, together with proof of
service on all parties.
EMC is to recover its costs.
CERTIFIED FOR PUBLICATION
McKINSTER
Acting P. J.
We concur:
RICHLI
J.
KING
J.
11