SAN FRANCISCO — A hospital that lost control of a computer containing the names, birth dates and medical record numbers of 500,000 patients going back to the 1980s did not violate California’s Confidentiality of Medical Information Act, a California appellate court ruled Wednesday.
Names on a hospital patient index are not “medical information” if they’re not coupled with medical histories, condition or treatment, the Fourth District Court of Appeal ruled. The decision reversed a trial court ruling that had exposed Eisenhower Medical Center in Riverside to as much as $500 million in statutory damages.
Eisenhower Medical Center v. Superior Court is the second published appellate decision in the last year applying the CMIA to a potential privacy breach at a California hospital. Still another case is set to be argued next month to the Third District Court of Appeal.
Thursday’s decision “recognizes that the Legislature balanced the potentially devastating penalties—available without any showing of harm whatever—by crafting very specific definitional language about what counts as ‘medical information,’” said Horvitz & Levy partner Lisa Perrochet, who argued the appeal for the medical center.
The case was triggered when a computer was stolen from the medical center in 2011. Names, medical record numbers, dates of birth and the last four digits of patients’ Social Security numbers were stored on the computer in password-protected but unencrypted format. Several patients represented by Los Angeles’ Harris & Ruble sought to bring a class action, seeking statutory damages of $1,000 per class member.
The hospital argued that because it stores data about medical histories, conditions and treatment on a separate server, no “medical information” was put at risk. Riverside County Superior Court Judge Harold Hopp had disagreed, ruling that the fact a person was a hospital patient was itself medical information within the meaning of the CMIA.
But a Fourth District panel, led by Justice Art McKinster, concluded that reading was contrary to the statute, which specifies “medical history, mental or physical condition, or treatment.” Even if one could infer from the index that a medical record was generated, “Confirmation that a person’s medical record exists somewhere is not medical information as defined under the CMIA,” he wrote.
Perrochet and Horvitz & Levy’s Steven Fleischman worked on the appeal along with attorneys from Baker & Hostetler, who also defended Eisenhower Medical in an investigation involving the same computer theft brought by the U.S. Department of Health and Human Services’ Office of Civil Rights.
Contact the reporter at email@example.com.