BILL NUMBER: AB 439AMENDED BILL TEXT AMENDED IN SENATE JUNE 15, 2012 AMENDED IN SENATE JUNE 28, 2011 AMENDED IN ASSEMBLY MAY 18, 2011 AMENDED IN ASSEMBLY APRIL 7, 2011 INTRODUCED BY Assembly Member Skinner FEBRUARY 14, 2011 An act to amend Section 56.36 of the Civil Code, relating to health care information. LEGISLATIVE COUNSEL'S DIGEST AB 439, as amended, Skinner. Health care information. Existing law, the Confidentiality of Medical Information Act (CMIA), prohibits a health care provider, a contractor, or a health care service plan from disclosing medical information, as defined, regarding a patient of the provider or an enrollee or subscriber of the health care service plan without first obtaining an authorization, except as specified. In addition to other remedies available, existing law authorizes an individual to bring an action against any person or entity who has negligently released his or her confidential records in violation of those provisions for nominal damages of $1,000. This bill would specify that, in an action brought on or after January 1,20122013 , a court may not award nominal damages if the defendant establishes specified factors as an affirmative defense, including, but not limited to, that it is a covered entity or business associate , as defined,andthat it has complied with any obligations to notify persons entitled to receive notice regarding the release of the information , and that it has taken appropriate preventative actions to protect the confidential information or records against release consis tent with federal law, as specified . The bill would provide that if an affirmative defense is established as described above, the defendant shall be liable on a second or subsequent violation within 36 months for specified civil penalties. The bill would, for purposes of the provisions above, provide that a "violation" includes all releases or disclosures arising out of the same event, transaction, or occurrence. The bill would also make a technical, nonsubstantive change. Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no. THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS: SECTION 1. Section 56.36 of the Civil Code is amended to read: 56.36. (a) Any violation of the provisions of this part that results in economic loss or personal injury to a patient is punishable as a misdemeanor. (b) In addition to any other remedies available at law, any individual may bring an action against any person or entity who has negligently released confidential information or records concerning him or her in violation of this part, for either or both of the following: (1) Except as provided in subdivision (e), nominal damages of one thousand dollars ($1,000). In order to recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual damages. (2) The amount of actual damages, if any, sustained by the patient. (c) (1) In addition, any person or entity that negligently discloses medical information in violation of the provisions of this part shall also be liable, irrespective of the amount of damages suffered by the patient as a result of that violation, for an administrative fine or civil penalty not to exceed two thousand five hundred dollars ($2,500) per violation. (2) (A) Any person or entity, other than a licensed health care professional, who knowingly and willfully obtains, discloses, or uses medical information in violation of this part shall be liable for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation. (B) Any licensed health care professional, who knowingly and willfully obtains, discloses, or uses medical information in violation of this part shall be liable on a first violation, for an administrative fine or civil penalty not to exceed two thousand five hundred dollars ($2,500) per violation, or on a second violation for an administrative fine or civil penalty not to exceed ten thousand dollars ($10,000) per violation, or on a third and subsequent violation for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation. Nothing in this subdivision shall be construed to limit the liability of a health care service plan, a contractor, or a provider of health care that is not a licensed health care professional for any violation of this part. (3) (A) Any person or entity, other than a licensed health care professional, who knowingly or willfully obtains or uses medical information in violation of this part for the purpose of financial gain shall be liable for an administrative fine or civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation and shall also be subject to disgorgement of any proceeds or other consideration obtained as a result of the violation. (B) Any licensed health care professional, who knowingly and willfully obtains, discloses, or uses medical information in violation of this part for financial gain shall be liable on a first violation, for an administrative fine or civil penalty not to exceed five thousand dollars ($5,000) per violation, or on a second violation for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation, or on a third and subsequent violation for an administrative fine or civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation and shall also be subject to disgorgement of any proceeds or other consideration obtained as a result of the violation. Nothing in this subdivision shall be construed to limit the liability of a health care service plan, a contractor, or a provider of health care that is not a licensed health care professional for any violation of this part. (4) Nothing in this subdivision shall be construed as authorizing an administrative fine or civil penalty under both paragraphs (2) and (3) for the same violation. (5) Any person or entity who is not permitted to receive medical information pursuant to this part and who knowingly and willfully obtains, discloses, or uses medical information without written authorization from the patient shall be liable for a civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation. (d) In assessing the amount of an administrative fine or civil penalty pursuant to subdivision (c), the Office of Health Information Integrity, licensing agency, or certifying board or court shall consider any one or more of the relevant circumstances presented by any of the parties to the case including, but not limited to, the following: (1) Whether the defendant has made a reasonable, good faith attempt to comply with this part. (2) The nature and seriousness of the misconduct. (3) The harm to the patient, enrollee, or subscriber. (4) The number of violations. (5) The persistence of the misconduct. (6) The length of time over which the misconduct occurred. (7) The willfulness of the defendant's misconduct. (8) The defendant's assets, liabilities, and net worth. (e) (1) In an action brought by an individual pursuant to subdivision (b) on or after January 1,20122013, in which the defendant establishes the affirmative defense in paragraph (2) , the court shall award any actual damages and reasonable attorney's fees and costs, but may not award nominal damages,for a violation of this partif the defendant establishes all of the following as an affirmative defense:. (2) The defendant is entitled to an affirmative defense if all of the following are established: (A) The defendant is a covered entity or business associate , as defined in Section 160.103 of Title 45 of the Code of Federal Regulations. (B) The defendant has complied with any obligations to notify all persons entitled to receive notice regarding the release of the information or records. (C) The release of confidential information or records was solely toanotherother coveredentityentities or business associates . (D) The defendant took appropriate preventive actions to protect the confidential information or records against release, retention, or use by any person or entity other than the covered entity that received the information or records,consistent with the defendant's obligations pursuant to Parts 160, 162, and 164 of Title 45 of the Code of Federal Regulations, including, but not limited to: (i) Developing and implementing security policies and procedures. (ii) Designating a security official who is responsible for developing and implementing its security policies and procedures, including educating and training the workforce. (iii) Encrypting the information or records, and protecting against the release or use of the encryption key and passwords, or transmitting the information or records in a manner designed to providesimilarequal or greater protections against improper disclosures.(E) The defendant took appropriate corrective action after the release of the confidential records or information, and the covered entity that received the information or records immediately destroyed or returned the information or records.(F)(E) The coveredentityentities or business associates that received the confidential information or records did not retain, use, or release the information or records.(G) The defendant has not been found liable for a violation of this part within the three years preceding the alleged violation, or the court determines that application of the affirmative defense is found to be compelling and consistent with the purposes of this section to promote reasonable conduct in light of all the facts.(2)(3) In an action under this subdivision, a plaintiff shall be entitled to recover reasonable attorney's fees and costs without regard to an award of actual or nominal damages or the imposition of civil penalties under paragraph (4) . (4) If a defendant establishes the affirmative defense, the defendant shall be liable on a second violation within 36 months for a civil penalty of one hundred thousand dollars ($100,000) per violation, or on a third and subsequent violation within 36 months for a civil penalty of two hundred fifty thousand dollars ($250,000) per violation.(3)(5) A defendant shall not be liable for more than one judgment on the merits for a violation of this subdivision. (6) For purposes of this subdivision, "violation" includes all releases or disclosures arising out of the same event, transaction, or occurrence. (f) (1) The civil penalty pursuant to subdivision (c) shall be assessed and recovered in a civil action brought in the name of the people of the State of California in any court of competent jurisdiction by any of the following: (A) The Attorney General. (B) Any district attorney. (C) Any county counsel authorized by agreement with the district attorney in actions involving violation of a county ordinance. (D) Any city attorney of a city. (E) Any city attorney of a city and county having a population in excess of 750,000, with the consent of the district attorney. (F) A city prosecutor in any city having a full-time city prosecutor or, with the consent of the district attorney, by a city attorney in any city and county. (G) The Director of the Office of Health Information Integrity may recommend that any person described in subparagraphs (A) to (F), inclusive, bring a civil action under this section. (2) If the action is brought by the Attorney General, one-half of the penalty collected shall be paid to the treasurer of the county in which the judgment was entered, and one-half to the General Fund. If the action is brought by a district attorney or county counsel, the penalty collected shall be paid to the treasurer of the county in which the judgment was entered. Except as provided in paragraph (3), if the action is brought by a city attorney or city prosecutor, one-half of the penalty collected shall be paid to the treasurer of the city in which the judgment was entered and one-half to the treasurer of the county in which the judgment was entered. (3) If the action is brought by a city attorney of a city and county, the entire amount of the penalty collected shall be paid to the treasurer of the city and county in which the judgment was entered. (4) Nothing in this section shall be construed as authorizing both an administrative fine and civil penalty for the same violation. (5) Imposition of a fine or penalty provided for in this section shall not preclude imposition of any other sanctions or remedies authorized by law. (6) Administrative fines or penalties issued pursuant to Section 1280.15 of the Health and Safety Code shall offset any other administrative fine or civil penalty imposed under this section for the same violation. (g) For purposes of this section, "knowing" and "willful" shall have the same meanings as in Section 7 of the Penal Code. (h) No person who discloses protected medical information in accordance with the provisions of this part shall be subject to the penalty provisions of this part.