A California court recently held that a health care provider does not violate California’s medical privacy act if it releases personal identifying information, so long as that information is not coupled with an individual’s medical information. The case began after a computer was stolen from the Eisenhower Medical Center. The computer contained personal information (name, medical record number, age, date of birth, and the last four digits of individuals’ Social Security numbers) as well as Eisenhower’s internal “clerical record number” on over 500,000 people.
Plaintiffs (whose information was included on the computer) filed suit, alleging that Eisenhower had violated California’s Confidentiality of Medical Information Act. The Act prohibits disclosure of “individually identifiable information” with information “regarding a patient’s medical history, mental or physical condition, or treatment.” (§ 56.05, former subd (g).) Eisenhower sought summary judgment, arguing that release of its medical clerical number did not result in disclosure of medical history, mental or physical condition, or treatment, and therefore the law was not violated. Plaintiffs contended that Eisenhower had reported the theft of the computer to federal authorities as a “breach” under HIPAA. That report, they contended, constituted an admission that there was a breach of California state law as well.
The trial court denied Eisenhower’s request for summary judgment. On appeal, however, the appellate court reversed, holding that the mere assignment of a medical record number did not equate to receiving medical treatment, and so did not constitute “medical information” under California’s state law. Further, the definition of “individually identifiable health information” differed under federal and state law, so reporting the breach to federal authorities did not amount to a concession that state law had been breached.
TIP: Courts may recognize that even if there is a data breach as defined under one law, that does not necessarily mean that a breach exists under another law with a slightly different set of definitions. This case is a reminder, however, that companies can face – and will need to think about – multiple laws after suffering one incident.