Stolen Patient Info on Hospital Computer Not Considered “Medical Information” by California Appellate Court
The California Court of Appeal recently held that the release of an index identifying hospital patients did not constitute the release of medical information under California’s Confidentiality of Medical Information Act (CMIA), Civ. Code, § 56 et seq., because the index contained only demographic information and nothing “regarding a patient’s health background, mental or health, or treatment.” Eisenhower Clinic v. Superior Court (Malanche), Case No. E058378 (Cal. Ct. App. May 21, 2014). The Court held that “a doctor can’t be held liable underneath the relevant servings of the CMIA for that discharge of a person’s personal identifying information that isn’t along with that individual’s health background, mental or health, or treatment.”
The case arose when a computer stolen from the Eisenhower Clinic (EMC) contained an index identifying over 500,000 persons who had been assigned record numbers at EMC going back to the 1980s. The data was password-protected but not encrypted. The index contained “demographic” information, listing each person’s name, permanent medical record number, age, birth date, and the last four digits of the person’s Social Security number (SSN). When EMC gave the required notice of the theft, many of the listed individuals brought a class action lawsuit seeking “nominal” damages of $1,000 for each class member under the CMIA (which could have totaled over half a billion dollars based on the number of records) and asserting various other claims.
EMC moved for summary adjudication on the ground that the computer theft did not result in a disclosure of “medical information” of the listed persons, and sought appellate review when the motion was denied. EMC contended that the CMIA requires a disclosure not just of “individually identifiable information” (which was concededly contained in the index) but also of information “regarding a patient’s health background, mental or health, or treatment.” The Court agreed.
There was no dispute that the index contained no information of a specifically medical nature. The plaintiffs’ primary argument was that inclusion of a person’s name in the index, standing alone, constituted a release of health background because it disclosed that he or she was a patient. In rejecting this contention, the Court found that the mere disclosure that a person may once have been a patient was insufficient to establish liability. Medical information is something more than “any patient-related information” held by a provider. Under the CMIA, a prohibited release by a physician must reveal both “individually identifiable information” and “also include ‘a patient’s health background, mental or health, or treatment.’ This definition doesn’t encompass demographic or number information that doesn’t reveal health background, diagnosis, or care.” The Court observed that the plaintiffs’ argument would render the clause “regarding a patient’s health background, mental or health, or treatment” entirely meaningless. The Court also noted that Civil Code Section 56.16 of the CMIA specifically authorizes hospitals to release certain categories of medical information about a patient upon request, including a general description of the reason for treatment, the general nature of an injury, and the patient’s general condition.
Eisenhower adds to the growing body of law interpreting, and generally narrowing, the scope of liability under the CMIA. Eisenhower’s holding that patient identity and other personal information such as age does not constitute medical information under the CMIA is an important clarification of the statutory scheme, as was the recent ruling in Regents of College of California v. Superior Court, 220 Cal.App.4th 549 (2013). In the Regents case, the court ruled that no claim can be asserted under the CMIA unless private medical information has actually been viewed by an unauthorized person.
The Eisenhower Court specifically limited the reach of its opinion to the facts before it. A footnote states that the decision does not address situations involving disclosure of a person’s status as a patient of a specialized provider, such as an AIDS clinic, which alone could reveal much more about that person’s medical condition, history, or treatment than the fact that the person was assigned a medical record number. In such a case, it may be hard for a defendant provider to argue persuasively that no medical information was disclosed. Like many recent privacy cases, Eisenhower highlights the need to encrypt patient data, whatever its content.