California has long been considered a bastion of consumer protection and individual privacy rights. By its recently issued decision in Brown v. Mortensen (2011) 51 Cal. 4th 1052, the California Supreme Court buttressed that reputation by holding that state law remedies potentially available under California's Confidentiality of Medical Information Act, Cal. Civ. Code §56 (Confidentiality Act), are not preempted by federal law, specifically, the Fair Credit Reporting Act, 15 U.S.C. §1681 (FCRA).

California's Confidentiality Act generally prohibits unauthorized dissemination of individually identifiable medical information (PHI), and provides for compensatory damages, punitive damages and attorneys' fees. The federal Health Insurance Portability and Accountability Act, 42 U.S.C. §1320d (HIPAA), contains a privacy rule that prohibits, among other things, unauthorized dissemination of PHI, and imposes civil and criminal penalties for violations. The Health Information Technology for Economic and Clinical Health Act, which was passed as part of the American Recovery and Reinvestment Act of 2009, greatly increased the statutory penalties that the Department of Health and Human Services' Office of Civil Rights could impose as a result of privacy rule violations. Unlike the Confidentiality Act, HIPAA does not provide a private right of action or a mechanism for individuals to recover compensatory damages.

The facts of the Brown case are straightforward. Brown and his two children were patients of a dentist. A billing dispute arose and the matter was referred to a collection agency, which repeatedly disclosed Brown's and his children's dental records to various reporting agencies allegedly for the purpose of verifying that a debt was owed (despite the fact that no one contended Brown owed money for dentistry on the children and Brown never authorized the disclosure of this information to any third parties). Brown sued seeking compensatory damages under the Confidentiality Act.

After a successful demurrer in the trial court, the collection agencies argued on appeal that federal law (the FCRA) preempted Brown's state law claims based on the Confidentiality Act. The Court of Appeal agreed and reversed the trial court's dismissal. However, the California Supreme Court concluded that Brown could pursue his state law claims despite the federal laws. Significant to the Supreme Court's reasoning was that although the FCRA contained a general "no preemption" provision, it carved out certain claims against furnishers of information to a consumer reporting agency. Specifically, the FCRA provides that states may not impose requirements on furnishers of information with respect to any of the responsibilities of those furnishers that are regulated under the FCRA. Because of the general presumption against preemption, however, the court construed this section narrowly, and concluded that only state laws relating to furnisher accuracy or dispute resolution are precluded by FCRA. The Brown court found that Congress never intended FCRA to preempt state laws governing medical privacy and thereby "relieve entities otherwise obligated to maintain confidentiality of the duty to do so when reporting credit information."

In so doing, the Brown court also examined HIPAA, which generally prohibits states' attempts to regulate the privacy and confidentiality of PHI but directs that only conflicting or less stringent state laws are preempted while more stringent state laws are preserved. In its analysis, the California Supreme Court noted that HIPAA reinforced the argument that FCRA does not preempt state privacy laws; the argument being that HIPAA was enacted around the same time as the FCRA was amended (in 1996), and thus Congress could have amended FCRA to provide for disclosure of medical information but it elected not to do so.

Because Brown's Confidentiality Act claims were not preempted, the California Supreme Court reversed the Court of Appeal's decision and remanded the case back to the trial court for further proceedings. The Brown decision is important because it reinforces that anyone who is handling PHI must be vigilant and proactive to avoid unauthorized disclosures to the extent possible. Companies should be cognizant that – despite the existence of a controlling federal privacy law – state laws, including their breach notification requirements, may nonetheless apply.