Privacy Ruling Benefits CA Hospitals
A state appellate court has provided a key ruling in a privacy case that raises the bar on liability for providers when patient medical records are breached.
The court ruled that providers do not necessarily have liability to patients when medical records are stolen or misappropriated unless they are accessed by a third party.
The ruling, handed down on Tuesday, arises from a class-action suit filed against the University of California. It stemmed from a 2011 incident in which a physician from UCLA Health had his laptop computer stolen during a home invasion robbery that contained medical data for 16,000 patients. Although the laptop had been encrypted per federal privacy guidelines, the thieves also took an index card containing an access password. However, there was no indication that the data had ever been accessed by the thieves or anyone else.
UCLA Health notified the public about the breach not long after it was discovered, also per state and federal guidelines. It was sued by one of its patients, Melinda Platter, who sought damages under the California Confidentiality of Medical Information Act. That law provides for a fine of $1,000 for each patient breach.
In the UCLA case, the provider could have been liable for up to $16 million in statuatory damages for each patient record contained in the stolen laptop. Instead, the appeals court ruled that the suit be dismissed.
“The decision is good news for hospitals and other healthcare providers who are victims of theft or hacking of medical information where the plaintiff cannot prove that the thief or hacker actually viewed the medical information,” the California Hospital Association said in a statement.
The CHA submitted an amicus brief in the case, Platter v. the Regents of the University of California.
The ruling does not have an effect on the federal Health Insurance Portability and Accountabilty Act, known as HIPAA. Under that law, any known breach of the medical records of more than 500 patients compels a provider to report the breach to the U.S. Department of Health and Human Services and be potentially subject to fines.
