Summary
In Regents, a thief stole an external hard drive and a card containing the hard drive's encryption password from the home of a physician working within the Regents health care system.
Summary of this case from Vigil v. Muir Med. Grp. IPAOpinion
B249148
2013-11-13
The REGENTS OF the UNIVERSITY OF CALIFORNIA, Petitioner, v. The SUPERIOR COURT of Los Angeles County, Respondent. Melinda Platter, Real Party in Interest.
See 2 Witkin, Cal. Evidence (5th ed. 2012) Witnesses, § 537 et seq. ORIGINAL PROCEEDINGS in mandate. Kenneth R. Freeman, Judge. Petition granted. (Los Angeles County Super. Ct. No. BC494928)
See 2 Witkin, Cal. Evidence (5th ed. 2012) Witnesses, § 537 et seq. ORIGINAL PROCEEDINGS in mandate. Kenneth R. Freeman, Judge. Petition granted. (Los Angeles County Super. Ct. No. BC494928) Office of the General Counsel, University of California, Charles F. Robinson, Menlo Park, Karen J. Petrulakis, Margaret L. Wu, Oakland; Munger, Tolles & Olson, Bradley S. Phillips, Los Angeles, and Michelle A. Friedland, for Petitioner.
Lois J. Richardson, for California Hospital Association, as Amicus Curiae on behalf of Petitioner.
Pillsbury WinthropShaw Pittman, Kevin M. Fong and Sarah G. Flanagan, San Francisco, for Lucile Packard Children's Hospital and Stanford Hospital and Clinics, as Amici Curiae on behalf of Petitioner.
Francisco J. Silva, Sacramento, and Lisa Matsubara, for California Medical Association as Amicus Curiae on behalf of Petitioner.
Bartko, Zankel, Bunzel & Miller, Robert H. Bunzel, William I. Edlund, Michael D. Abraham, Simon R. Goodfellow, San Francisco, for Sutter Health, Sutter Medical Foundation and Sutter Connect, as Amicus Curiae on behalf of Petitioner.
No appearance for Respondent.
Kabateck Brown Kellner, Brian S. Kabateck, Richard L. Kellner, Los Angeles; Ernst Law Group, Don A. Ernst, San Luis Obispo, Taylor Ernst, for Real Party in Interest.
PERLUSS, P.J.
The Confidentiality of Medical Information Act (CMIA) ( Civ.Code, § 56 et seq.)
prohibits health care providers and related entities from disclosing medical information regarding a patient without authorization except in certain specified instances. (§ 56.10.) A patient may bring an action for actual damages, nominal (statutory) damages of $1,000, or both against any person or entity that negligently released confidential medical information concerning him or her in violation of CMIA. (§ 56.36, subd. (b).) In addition, any person or entity that negligently disclosed medical information in violation of CMIA is subject to an administrative fine or civil penalty. (§ 56.36, subd. (c).)
Statutory references are to the Civil Code unless otherwise indicated.
Under CMIA every health care provider who creates, maintains or disposes of medical information is also required to do so in a manner that preserves the confidentiality of that information. (§ 56.101, subd. (a).) Any provider who negligently creates, maintains or disposes of medical information is “subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36.” (§ 56.101, subd. (a).)
Does this statutory scheme authorize a private cause of action for damages based solely on the negligent maintenance or storage of medical information even if the patient's confidential records were never viewed or otherwise accessed by an unauthorized individual? Specifically, has a cause of action for nominal or statutory damages of $1,000 been adequately pleaded by real party in interest and putative class plaintiff Melinda Platter, who has alleged the Regents of the University of California, through its UCLA Health System, failed to have reasonable systems and controls in place to prevent the removal of protected medical information from one of its hospitals and, as a result, negligently lost possession of that information?
Ruling a damage claim may be stated under section 56.101, subdivision (a), based on a health care provider's negligent maintenance or storage of an individual's medical information without regard to whether it resulted in any actual release or disclosure of the information, respondent Los Angeles Superior Court overruled the Regents's demurrer to Platter's complaint. Although we do not agree with the Regents's argument an affirmative communicative act by the health care provider is an essential element of Platter's claim, we hold, by incorporating the remedy specified in section 56.36, subdivision (b), section 56.101 allows a private right of action for negligent maintenance only when such negligence results in unauthorized or wrongful access to the information. Because Platter cannot allege her information was improperly viewed or otherwise accessed, we grant the Regents's petition and issue a writ of mandate to the superior court directing it to vacate its order overruling the Regents's demurrer and to enter a new order sustaining the demurrer without leave to amend and dismissing the action.
FACTUAL AND PROCEDURAL BACKGROUND
1. The Loss of the Encrypted External Hard Drive and Platter's Complaint for Violation of CMIA
In a letter dated November 4, 2011 signed by Robert Gross, chief privacy officer of the UCLA Health System & David Geffen School of Medicine, the Regents advised certain patients treated at UCLA facilities that an encrypted external hard drive containing some of their personally identifiable medical information had been stolen as part of a home invasion robbery approximately two months earlier. The letter also informed the recipients the password for the encrypted information was written on an index card near the device and that card could not be located. The letter stated, “The theft was reported to the police and there is no evidence suggesting that your information has been accessed or misused.” A public notice regarding the incident was published in the Los Angeles Times for three consecutive days on November 4–6, 2011.
The superior court granted the Regents's request for judicial notice of the November 4, 2011 letter and published public notices in considering its demurrer to the complaint. The court carefully emphasized it was limiting judicial notice to the fact of the existence of the letter and public notices, not the truth of any statements contained in them.
On October 30, 2012 Platter filed a class action complaint in Los Angeles Superior Court seeking damages from the Regents in a single cause of action for unlawful disclosure of confidential medical information in violation of CMIA. Platter alleged she had been treated on numerous occasions at Ronald Reagan UCLA Medical Center and was one of more than 16,000 UCLA Health System patients who had been notified of the loss of the external hard drive and the related password needed to decode the encrypted data. According to Platter's complaint, a physician in the UCLA Faculty Practice Group took the external hard drive, which contained patient names, dates of birth, addresses, financial information and medical records, to his home and left it unsecured with the encryption password. On or about September 6, 2011 the hard drive and written password were taken from the physician's home. As of the date of the complaint neither the hard drive nor the encryption password had been recovered.
Platter alleged the Regents had failed to exercise due care to prevent the release or disclosure of her private medical information and that of the other putative class members without their written authorization. Specifically, “It failed to have reasonable systems and controls in place to prevent the removal of protected health information from the hospital premises and as a result it negligently lost possession of the hard drive and encryption passwords.” Platter did not allege she had suffered any actual damages, but sought statutory damages of $1,000 for herself and for each member of the putative class pursuant to section 56.36, subdivision (b).
Platter described the putative class as “All patients whose confidential information and/or records in the UCLA Health System was [ sic ] accessible from the hardware, data, or password lost on or around September 6, 2011.”
2. The Regents's Demurrer; Platter's Response
The Regents demurred to the complaint on January 18, 2013 pursuant to Code of Civil Procedure section 430.10, subdivision (e), contending Platter had failed to state facts sufficient to constitute a cause of action for statutory damages under CMIA because that remedy was available only if a health care provider had negligently “disclosed” or “released” confidential medical information and Platter had not alleged her medical information was disclosed or released by the Regents within the meaning of CMIA. In its memorandum of points and authorities the Regents asserted disclosure or release by a health care provider under CMIA occurs only when the provider actively communicates medical information to a third party without the patient's authorization: “A ‘disclosure’ or ‘release’ within the meaning of CMIA does not occur when a third party—through burglary, computer hacking or otherwise—wrongfully obtains such information against the health care provider's will.” Negligent storage or maintenance of medical information by a health care provider without such active disclosure or release, the Regents argued, could subject the health care provider to administrative discipline, including fines or civil penalties, but not a private cause of action for damages under section 56.36, subdivision (b).
In her response Platter disputed the Regents's construction of the governing statutes. According to Platter, CMIA provides a cause of action for statutory damages in any case where it can be proved a health care provider's negligence was the proximate cause of an unauthorized third party obtaining confidential patient information, whether the third party is a thief or the intended recipient of the provider's affirmative or intentional act of communication.
The Regents filed a reply memorandum. Both parties also submitted requests for judicial notice to the superior court, including with their papers excerpts from the legislative history of CMIA (in the request by Platter), as well as separate legislation enacted to safeguard electronically stored medical information from unauthorized access by third parties (in the request by the Regents).
3. The Superior Court's Order Overruling the Demurrer but Striking Portions of the Complaint
The superior court heard oral argument on April 11, 2013. On April 19, 2013 the court issued a 16–page ruling and order, overruling the Regents's demurrer but striking a portion of Platter's cause of action for violation of CMIA.
Relying upon what it concluded was the plain meaning of the terms at issue, the court agreed with the Regents that, under the facts as alleged, there was no disclosure of confidential information, a prerequisite to a claim for violation of section 56.10. However, the court also ruled CMIA established two separate types of wrongful conduct—wrongful disclosure of confidential medical information under section 56.10 and wrongful maintenance and storage of confidential information under section 56.101: “[T]he negligent maintenance, preservation, and storage of confidential data under § 56.101 specifically provides the remedy of $1,000 in nominal damages.... This is because the remedy portion of § 56.36(b) and (c) is incorporated by reference into § 56.101. As such, on the face of the statute, there is no requirement under § 56.101 that, to be eligible for the $1,000 nominal damages (or, as the case may be, actual damages), that there also have been a negligent release of the confidential information under § 56.36(b).”
Based on this analysis of the statutory scheme, the court overruled the demurrer, finding Platter had stated a claim for violation of CMIA because she alleged the Regents “failed to have reasonable systems and controls in place to prevent the removal of protected health information from the hospital premises and as a result it negligently lost possession of the hard drive and encryption passwords.” Nevertheless, because Platter had not alleged any affirmative disclosure of confidential information by the Regents, the court struck that portion of her CMIA claim premised on the allegation (in paragraph 46 of the complaint) that the Regents had “failed to exercise due care to prevent the release or disclosure of private medical information of Plaintiff and the class members without their written authorization.”
In an order filed April 30, 2013 pursuant to Code of Civil Procedure section 166.1, the superior court indicated its belief the April 19, 2013 ruling and order addressed a controlling question of law as to which there were substantial grounds for difference of opinion and stated that immediate appellate resolution of the question of statutory interpretation raised by the Regents's demurrer might materially advance the conclusion of the litigation.
4. The Writ Proceedings
On June 4, 2013 the Regents petitioned this court for a writ of mandate directing the superior court to vacate its order overruling the demurrer and to enter a new order sustaining the demurrer without leave to amend and dismissing the action. The petition argued the superior court's ruling would create a sweeping private right of action that was not intended by the Legislature, emphasized the Regents's potential liability for $16 million in nominal damages under the superior court's interpretation of CMIA and asserted the need to expend resources to defend this litigation, rather than resolve the pure legal question raised through this writ proceeding, would create serious difficulties for the Regents.
While initially considering the petition we received letter briefs from amici curiae in support of the Regents's position from the Lucile Packard Children's Hospital and Stanford Hospital and Clinic, the California Hospital Association and the California Medical Association. Real party in interest Platter submitted an opposition to the petition for writ of mandate, and the Regents's filed a reply. On June 25, 2013 we issued an order to show cause why the relief requested in the petition should not be granted. On July 22, 2013 Platter filed her return to the petition, and on August 12, 2013 the Regents filed its reply. On August 23, 2013 we received an amicus curiae brief in support of the Regents from Sutter Health, Sutter Medical Foundation and Sutter Connect, LLC dba Sutter Physician Services, which advised us, in part, the issue presented here is also currently pending before the Third District Court of Appeal ( Sutter Health v. Superior Court of Sacramento County, C072591.)
DISCUSSION
1. The Propriety of Extraordinary Writ Relief
An order overruling a demurrer is not directly appealable and will rarely be reviewed in a petition for extraordinary writ relief. (See, e.g., Brandt v. Superior Court (1985) 37 Cal.3d 813, 816, 210 Cal.Rptr. 211, 693 P.2d 796 [“we are reluctant to exercise our discretion to review rulings at the pleading stage of a lawsuit”]; City of Huntington Park v. Superior Court (1995) 34 Cal.App.4th 1293, 1297, 41 Cal.Rptr.2d 68.) However, when the question is purely legal and the issue significant, relief by extraordinary writ is appropriate (Babb v. Superior Court (1971) 3 Cal.3d 841, 851, 92 Cal.Rptr. 179, 479 P.2d 379; County of Santa Clara v. Superior Court (2009) 171 Cal.App.4th 119, 125–126, 89 Cal.Rptr.3d 520; City of Huntington Park, at p. 1297, 41 Cal.Rptr.2d 68.) Here, the issue of statutory construction raised by the superior court's ruling and presented by the Regents's petition has not previously been addressed by an appellate court and, based on the amici curiae submissions we have received, appears to be of widespread interest. Accordingly, writ review is appropriate.
2. Standard of Review
A demurrer tests the legal sufficiency of the factual allegations in a complaint. We independently review the superior court's ruling on a demurrer and determine de novo whether the complaint alleges facts sufficient to state a cause of action or discloses a complete defense. (McCall v. PacifiCare of Cal., Inc. (2001) 25 Cal.4th 412, 415, 106 Cal.Rptr.2d 271, 21 P.3d 1189; Aubry v. Tri–City Hospital Dist. (1992) 2 Cal.4th 962, 967, 9 Cal.Rptr.2d 92, 831 P.2d 317.) We assume the truth of the properly pleaded factual allegations, facts that reasonably can be inferred from those expressly pleaded and matters of which judicial notice has been taken. (Evans v. City of Berkeley (2006) 38 Cal.4th 1, 20, 40 Cal.Rptr.3d 205, 129 P.3d 394; Schifando v. City of Los Angeles (2003) 31 Cal.4th 1074, 1081, 6 Cal.Rptr.3d 457, 79 P.3d 569.) We liberally construe the pleading with a view to substantial justice between the parties. (Code Civ. Proc., § 452; Schifando, at p. 1081, 6 Cal.Rptr.3d 457, 79 P.3d 569.)
We also review de novo issues of statutory construction. (In re Tobacco II Cases (2009) 46 Cal.4th 298, 311, 93 Cal.Rptr.3d 559, 207 P.3d 20; People ex rel. Lockyer v. Shamrock Foods Co. (2000) 24 Cal.4th 415, 432, 101 Cal.Rptr.2d 200, 11 P.3d 956.) In construing statutes “[o]ur fundamental task ... is to ascertain the intent of the lawmakers so as to effectuate the purpose of the statute[s]. [Citation.] We begin by examining the statutory language, giving the words their usual and ordinary meaning. [Citation.] If there is no ambiguity, then we presume the lawmakers meant what they said, and the plain meaning of the language governs. [Citations.] If, however, the statutory terms are ambiguous, then we may resort to extrinsic sources, including the ostensible objects to be achieved and the legislative history. [Citation.] In such circumstances, we ‘ “select the construction that comports most closely with the apparent intent of the Legislature, with a view to promoting rather than defeating the general purpose of the statute, and avoid an interpretation that would lead to absurd consequences.” ’ ” (Day v. City of Fontana (2001) 25 Cal.4th 268, 272, 105 Cal.Rptr.2d 457, 19 P.3d 1196; accord, People v. Lawrence (2000) 24 Cal.4th 219, 230, 99 Cal.Rptr.2d 570, 6 P.3d 228.)
3. The Controlling Statutes
Section 56.10, subdivision (a), provides, “No provider of health care, health care service plan, or contractor shall disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan without first obtaining an authorization, except as provided in subdivision (b) or (c).”
Section 56.10, subdivision (b), requires disclosure of medical information if compelled, for example, by a court order or lawful search warrant. (§ 56.10, subd. (b)(1) & (6).) Subdivision (c) permits disclosure in certain circumstances, for example to an insurer to the extent necessary to allow responsibility for payment to be determined and payment to be made. (§ 56.10, subd. (c)(2).)
Section 56.35 provides, “In addition to any other remedies available at law, a patient whose medical information has been used or disclosed in violation of Section 56.10 ... and who has sustained economic loss or personal injury therefrom may recover compensatory damages, punitive damages not to exceed three thousand dollars ($3,000), attorneys' fees not to exceed one thousand dollars ($1,000), and the costs of litigation.”
Section 56.36, subdivision (a), provides any violation of CMIA that results in economic loss or personal injury to a patient is punishable as a misdemeanor.
Section 56.36, subdivision (b), provides, “In addition to any other remedies available at law, any individual may bring an action against any person or entity who has negligently released confidential information or records concerning him or her in violation of this part, for either or both of the following: [¶] (1) Except as provided in subdivision (e), nominal damages of one thousand dollars ($1,000). In order to recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual damages. [¶] (2) The amount of actual damages, if any, sustained by the patient.”
Section 56.36, subdivision (c), establishes a schedule of escalating administrative fines and civil penalties for unauthorized negligent and willful disclosure or use of confidential patient information in violation of CMIA.
Section 56.101, subdivision (a), provides, “Every provider of health care, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein. Any provider of health care, health care service plan, pharmaceutical company, or contractor who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall be subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36.”
4. The Complaint Fails To State Facts Sufficient To Constitute a Cause of Action for Statutory Damages Under CMIA
The superior court found, and the Regents does not dispute, Platter's complaint adequately alleges the Regents violated the duty imposed by section 56.101, subdivision (a), to maintain and store medical information in a manner that preserves the confidentiality of that information. (Cf. Mack v. Soung (2000) 80 Cal.App.4th 966, 971, 95 Cal.Rptr.2d 830 [all properly pleaded allegations deemed true for purposes of demurrer regardless of plaintiff's ability to later prove them].) The Regents, therefore, is potentially “subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36.” (§ 56.101, subd. (a).) Section 56.36, subdivision (c), concerns administrative fines and civil penalties and is not directly at issue in this case. Subdivision (b) authorizes an individual action for damages (actual and/or $1,000 in nominal or statutory damages), but what is the nature of that remedy as applied to the negligent maintenance or storage of medical information? Specifically, who may bring the action, and what must he or she plead and prove?
a. A cause of action for statutory damages based on negligent storage or maintenance of confidential medical information requires pleading and proof that the plaintiff's confidential information has been released to a third party
Obviously troubled by the implications of its conclusion that “disclose,” as used in section 56.10, subdivision (a), and “release,” as used in section 56.36, subdivision (b), are synonymous and that both require an affirmative communicative act, as the Regents had argued—the issue we discuss in the following section of this opinion—the superior court determined CMIA defined “two separate species of wrongful conduct” and “two separate violations”: the wrongful disclosure of confidential medical information under section 56.10 and the wrongful maintenance and storage of confidential information under section 56.101, subdivision (a). In the absence of proof of actual damages, the remedy for the negligent release of information, which the court equated with its wrongful disclosure, is $1,000 in nominal or statutory damages, as provided in section 56.36, subdivision (b)(1). In addition, the court reasoned, the remedy for negligent maintenance, preservation or storage of confidential information that does not cause actual damage is again $1,000 in nominal damages because the remedy portion of section 56.36, subdivision (b), is incorporated into section 56.101. As such, the court concluded, “there is no requirement under § 56.101 that, to be eligible for the $1,000 nominal damages ..., that there also have been a negligent release of the confidential information under § 56.36(b).” In the court's view, section 56.101 merely incorporated the damages available under section 56.36, subdivision (b), but did not import the affirmative elements of the cause of action described in that subdivision, that is, the negligent release of confidential information.
The superior court read section 56.101, subdivision (a)'s incorporation of “the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36” far too narrowly. The remedy provided in subdivision (b) is the right of an individual whose confidential information has been released in violation of CMIA to bring a private cause of action for nominal and/or actual damages. (See Legis. Counsel's Dig., Sen. Bill No. 19 (1999–2000 Reg. Sess.) [“[t]he bill would provide that violation of the act would be grounds for suspension o[r] revocation of a health care service plan's license and would create a right of action to recover damages, as specified, for any individual whose confidential information or records are negligently released ...”].) By incorporating the entire subdivision (b) “remedy,” and not simply the measure of damages described in subdivision (b)(1) and (2), the Legislature plainly intended an action predicated on a health care provider's negligent maintenance of confidential information in violation of section 56.101 also plead and prove a release of that information.
This use of the term “remedy” to refer to the private cause of action itself, rather than to the particular form of relief available, is hardly unusual. (See, e.g., Munson v. Del Taco, Inc. (2009) 46 Cal.4th 661, 673, 94 Cal.Rptr.3d 685, 208 P.3d 623 [addition of subd. (f) to section 51 of the Unruh Civil Rights Act, which incorporated the Americans with Disabilities Act of 1990 (ADA), was intended to provide a person injured by violation of the ADA with the “remedy” of a “private damages action”]; Lu v. Hawaiian Gardens Casino, Inc. (2010) 50 Cal.4th 592, 597, 113 Cal.Rptr.3d 498, 236 P.3d 346 [discussing how courts determine whether Legislature intended to create a private cause of action; “a statute may refer to a remedy or means of enforcing its substantive provisions, i.e. by way of an action”]; id. at p. 604, 113 Cal.Rptr.3d 498, 236 P.3d 346 [“ ‘nothing we hold herein would prevent the Legislature from creating additional civil or administrative remedies, including, of course, creation of a private cause of action for violation of’ [the Labor Code section at issue]”]; see also San Diego Gas & Electric Co. v. Superior Court (1996) 13 Cal.4th 893, 916, 55 Cal.Rptr.2d 724, 920 P.2d 669 [Pub. Util.Code, § 2106 “authorize[es] the traditional private remedy of an action for damages brought by the injured party in superior or municipal court against any public utility ...”].) Moreover, when the Legislature simply wants to incorporate the damage measure from one provision into another, it does so directly. For example, Health and Safety Code section 130202, subdivision (a)(1), provides an administrative fine may be assessed by the Office of Health Information Integrity “for any violation of this division [concerning additional safeguards to protect the privacy of patient information] in an amount as provided in Section 56.36 of the Civil Code.” Here, in contrast, section 56.101, subdivision (a), does not refer to the “amount as provided” but rather to the remedy specified in subdivision (b), an incorporation that includes more than just the nominal damage amount available to a successful plaintiff.
Any lingering uncertainty about this interpretation of the elements of a private cause of action based on negligent maintenance of medical records is dispelled by the original language of Senate Bill No. 19 (1999–2000 Reg. Sess.), which added both sections 56.101 and 56.36, subdivisions (b) and (c), to CMIA, effective January 1, 2000. (Stats. 1999, ch. 526, §§ 3, 8, pp. 3647, 3650.)
As enacted in 1999, in addition to imposing a duty on health care providers to maintain and store medical records “in a manner that preserves the confidentiality of the information contained therein,” section 56.101 stated, “Any provider of health care, health care service plan, or contractor who negligently disposes, abandons or destroys medical records shall be subject to the provisions of this part ”—that is, to the provisions of CMIA. (Stats. 1999, ch. 526, § 3, p. 3647; italics added.) Thus, as originally enacted under Senate Bill No. 19, negligent preservation of confidential patient information would expose a health care provider not only to administrative sanctions under new section 56.36, subdivision (c), but also to the new private cause of action established in section 56.36, subdivision (b), as well as potentially to a damage action under section 56.35 and a criminal (misdemeanor) proceeding under section 56.36, subdivision (a). There was no separate, stand-alone private cause of action for violation of section 56.101.
Former section 56.36, making it a misdemeanor to violate CMIA if the violation caused economic loss or personal injury to a patient, was redesignated in Senate Bill No. 19 as section 56.36, subdivision (a). (Stats. 1999, ch. 526, § 8, p. 3650.)
The following year, as part of legislation making technical and clarifying changes to CMIA, section 56.101 was amended to substitute “negligently creates, maintains, preserves, stores” for “negligently disposes”; and to replace “subject to the provisions of this part” with “subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36.” (Stats. 2000, ch. 1067, § 4, p. 8209, see Sen. Com. on Ins., Analysis of Sen. Bill No. 2094 (1999–2000 Reg. Sess.) [bill would make “clarifying and conforming changes” to § 56.101].) This revision simply clarified which “provisions of this part” contained the available remedies for violation of section 56.101; it did not purport to create a new private cause of action for violations of that section. The incorporation of section 56.36, subdivision (b) 's remedy, therefore, necessarily included the affirmative elements of the cause of action for negligent release of confidential information.
Notwithstanding its conclusion that section 56.101 incorporated only the measure of damages specified in section 56.36, subdivision (b), and not the other elements of subdivision (b)'s private cause of action, the superior court implicitly acknowledged the flaw in its analysis and recognized that more than a bare allegation of negligent maintenance of confidential information by a health care provider is required to recover nominal or statutory damages. Thus, the superior court did not rule, and Platter herself does not argue, a cause of action may be stated under section 56.101, subdivision (a), by any patient of a health care provider who has negligently maintained or stored some of its confidential medical records, let alone by someone who is not even a patient of the provider. At the very least, the information potentially compromised as a result of the negligent conduct must relate to the individual initiating the action, consistent with section 56.36, subdivision (b) 's requirement that the “confidential information or records at issue concern [ ] him or her.” Yet this minimum threshold requirement must necessarily be based on the incorporation of at least some of the affirmative elements of the private damage remedy created by section 56.36, subdivision (b); there is no other statutory ground on which it could stand.
Any broader interpretation of section 56.101 would, in effect, permit an otherwise unaffected individual—one who has suffered no actual injury and thus without a genuine beneficial interest in the action—to sue for statutory damages as a private attorney general based on a threat to a stranger's personal right of privacy. (Cf. Lugosi v. Universal Pictures (1979) 25 Cal.3d 813, 821, 160 Cal.Rptr. 323, 603 P.2d 425 [right of privacy “ ‘is purely a personal one; it cannot be asserted by anyone other than the person whose privacy has been invaded, that is, plaintiff must plead and prove that his privacy has been invaded’ ”]; Moreno v. Hanford Sentinel, Inc. (2009) 172 Cal.App.4th 1125, 1131, 91 Cal.Rptr.3d 858 [right of privacy is “purely personal” and “cannot be asserted by anyone other than the person whose privacy has been invaded”]; People v. Dominguez (1981) 121 Cal.App.3d 481, 505, 175 Cal.Rptr. 445 [state constitutional right of privacy is personal and may not be asserted derivatively].) Nothing in the legislative history suggests the Legislature intended to authorize such a novel representative action.
Here, Platter has satisfied this initial pleading requirement, alleging (as reported in the notice she received from UCLA Health System) that her confidential medical records were among those on the external hard drive taken from the physician's home on September 6, 2011. For the reasons discussed, however, more is required: Section 56.36, subdivision (b), incorporated into section 56.101, subdivision (a), requires pleading and proof that confidential information has been released in violation of CMIA to bring a private cause of action for nominal and/or actual damages.
b. A cause of action for statutory damages based on negligent storage or maintenance of confidential medical information requires pleading and proof of a release of the information but not an affirmative communicative act by the health care provider
Although we agree with the Regents an action for nominal damages under sections 56.101, subdivision (a), and 56.36, subdivision (b), requires pleading and proof of a “release” of confidential information, that does not mean, as the Regents contends, an affirmative communicative act by the health care provider is an essential element of Platter's claim. Specifically, “release” as used in section 56.36, subdivision (b), is not synonymous with “disclose” in section 56.10, subdivision (a); and the Regents posits a false dichotomy between disclosure or release, on the one hand, and “unauthorized ‘access' by third parties,” on the other hand.
i. “To disclose” and “to release” are not synonymous
CMIA does not define “disclose” or “release.” As a matter of their common or ordinary dictionary meanings, however, “to disclose” and “to release” are not synonymous. (See generally Angelucci v. Century Supper Club (2007) 41 Cal.4th 160, 168, 59 Cal.Rptr.3d 142, 158 P.3d 718 [“[i]n interpreting a statute, we first consider its words, giving them their ordinary meaning and construing them in a manner consistent with their context and the apparent purpose of the legislation”].) “Disclose,” as the Regents explains, is an active verb, denoting in the context of CMIA and the protections afforded confidential medical information an affirmative act of communication.
But “to release” is broader, including not only “to give permission for publication, performance, exhibition or sale of” or “to make available to the public,” the definitions identified by the superior court,
See, e.g., American Heritage Dictionary Online (2013) < http://www.ahdictionary.com/word/search.html?q=disclose> (as of Oct. 15, 2013) (“to expose to view, as by removing a cover; uncover”; “to make known (something heretofore kept secret))”; Merriam–Webster's Online Dictionary (2013) <http://www.merriam-webster.com/dictionary/disclose> (as of Oct. 15, 2013) (“to expose to view”; “to make known or public”).
and “to set free from restraint, confinement, or servitude; to let go,” among the definitions proffered by the Regents,
The superior court quoted Merriam–Webster's Online Dictionary <http://www.merriam-webster.com/dictionary/disclose> (checked as of Oct. 15, 2013).
but also “to cause or allow to move away or spread from a source or place of confinement”
Merriam–Webster's Online Dictionary (2013) <http:// www.merriam-webster.com/dictionary/release> (as of Oct. 15, 2013).
and “to allow or enable to escape from confinement.”
American Heritage Dictionary Online (2013) <http:// www.ahdictionary.com/word/search.html?q=release> (as of Oct. 15, 2013).
“Allow to spread” and “enable to escape” plainly do not connote affirmative acts propelling information or a substance outward. (Cf. Health & Saf.Code, § 25926, subd. (d) [legislative findings regarding asbestos abatement and control; “[w]hen [asbestos materials] deteriorate or become loose, damaged, or friable, they release asbestos fibers into the ambient air”].) Thus, under the usual and ordinary meaning of the statutory language, a health care provider who has negligently maintained confidential medical information and thereby allowed it to be accessed by an unauthorized third person—that is, permitted it to escape or spread from its normal place of storage—may have negligently released the information within the meaning of CMIA.
Oxford Dictionaries Online (2013) <http:// oxforddictionaries.com/definition/english/release?q=release> (as of Oct. 15, 2013).
We recognize “release” in section 56.36, subdivision (b), is used in the active, not passive, voice: An action may be brought “against any person or entity who has negligently released confidential information ...,” rather than brought by a person whose confidential information has been released. However, that a patient may need to plead and prove the health care provider engaged in some affirmative conduct leading to an unauthorized third party's access to confidential information does not mean, as the Regents argues, the negligent conduct must involve a communicative act.
ii. Established principles of statutory construction require we ascribe different meanings to different words used in the same statutory scheme and avoid an interpretation that would render any provision superfluous
This plain meaning construction of sections 56.101 and 56.36, subdivision (b), is reinforced by our obligation to interpret different terms used by the Legislature in the same statutory scheme to have different meanings. (Roy v. Superior Court (2011) 198 Cal.App.4th 1337, 1352, 131 Cal.Rptr.3d 536 [“ ‘[w]hen the Legislature uses different words a part of the same statutory scheme, those words are presumed to have different meanings' ”]; Romano v. Mercury Ins. Co. (2005) 128 Cal.App.4th 1333, 1343, 27 Cal.Rptr.3d 784 [same]; see also Brown v. Kelly Broadcasting Co. (1989) 48 Cal.3d 711, 725, 257 Cal.Rptr. 708, 771 P.2d 406 [“ ‘when the Legislature has carefully employed a term in one place and has excluded it in another, it should not be implied where excluded’ ”].) The Legislature elected to define the private cause of action created by section 56.36, subdivision (b), in terms of a negligent release of information, rather than a negligent disclosure. There is no reason to believe that decision was anything but deliberate.
As discussed, both sections 56.101 and 56.36, subdivision (b), were added to CMIA by Senate Bill No. 19 in 1999. Prior to that time the Legislature had provided a private cause of action for a patient “whose medical information had been used or disclosed in violation of Section 56.10 ... and who has sustained economic loss or personal injury therefrom.” Such an individual could recover both compensatory and limited punitive damages in addition to any other remedies available at law. (Former § 56.35; Stats. 1981, ch. 782, § 2, p. 3049; italics added.)
Section 56.35 now provides a private damage remedy not only for violations of section 56.10 but also for violations of sections 56.104, 56.20 and 56.26, subdivision (a). (See Stats. 1999, ch. 527, § 4, pp. 3662–3663.) Otherwise, it remains unchanged.
The provisions in Senate Bill No. 19 expanded the private right of action for individuals whose medical information had been compromised in several different ways. First, new section 56.36, subdivision (b), created a private cause of action for the negligent release of medical records, not only for their unauthorized disclosure or use. (Stats. 1999, ch. 526, § 8, p. 3650.) Second, in addition to authorizing an action for compensatory damages for the negligent release of confidential information or records in subdivision (b)(2), section 56.36, subdivision (b)(1), expressly provides that nominal (statutory) damages of $1,000 are available for a patient whose confidential information was negligently released without proof “that the plaintiff suffered or was threatened with actual damages.” Moreover, by virtue of section 56.101 health care providers are now charged with the duty not only to refrain from unauthorized disclosures of confidential medical information but also to maintain such information “in a manner that preserves the confidentiality of the information contained therein” (former § 56.101, Stats. 1999, ch. 526, § 3, p. 3647)—storage-related duties far broader than the duty created by section 56.10.
For our purposes two aspects of this legislation bear emphasis. First, section 56.36, subdivision (b)(2), permitting the recovery of actual damages for the negligent release of confidential medical information or records, would be superfluous in light of section 56.35, if “release” as used in section 56.36, subdivision (b), were synonymous with “disclose” as used in sections 56.10 and 56.35. When interpreting a statute, “ ‘ “[w]ords must be construed in context, and statutes must be harmonized, both internally and with each other to the extent possible.” [Citation.] Interpretations that lead to absurd results or render words surplusage are to be avoided.’ ” (People v. Loeun (1997) 17 Cal.4th 1, 9, 69 Cal.Rptr.2d 776, 947 P.2d 1313; accord, Dyna–Med, Inc. v. Fair Employment & Housing Com. (1987) 43 Cal.3d 1379, 1387, 241 Cal.Rptr. 67, 743 P.2d 1323 [“A construction making some words surplusage is to be avoided. The words of the statute must be construed in context, keeping in mind the statutory purpose, and statutes or statutory sections relating to the same subject must be harmonized, both internally and with each other, to the extent possible.”]; Reno v. Baird (1998) 18 Cal.4th 640, 658, 76 Cal.Rptr.2d 499, 957 P.2d 1333 [“ ‘[c]ourts should give meaning to every word of a statute if possible, and should avoid a construction making any word surplusage’ ”].)
Second, at the same time it created a private cause of action for the negligent release of confidential medical information in section 56.36, subdivision (b), the Legislature created a new system of administrative fines and civil penalties for the negligent or willful use or disclosure of such information in violation of CMIA in section 56.36, subdivision (c). Again, our obligation to interpret different terms used by the Legislature in the same statutory scheme to have different meanings requires we reject the Regents's argument that “to disclose” information and “to release” it within the meaning of CMIA are synonymous and that both require an affirmative communicative act. In sum, by incorporating the remedy provision of section 56.36, subdivision (b), in section 56.101, the Legislature simply did not intend a private cause of action under section 56.101 for negligent maintenance or disposal of confidential medical information to be limited to instances in which the health care provider disseminated the information through an affirmative communicative act.
Indeed, if an affirmative communicative act by the health care provider were required to state a claim under sections 56.101—that is, if only the negligent disclosure of that information, not just its negligent storage leading to unauthorized access, could support an award of civil damages—the second sentence of former section 56.101 (now section 56.101, subdivision (a)) expressly providing remedies for violations of section 56.101 would be superfluous. The Regents attempts to avoid this untenable conclusion by noting that section 56.101 applies to pharmaceutical companies, which are not covered by section 56.10. Thus, it reasons, section 56.101 has independent significance because a private cause of action now exists against pharmaceutical companies that negligently maintain and release medical information. But pharmaceutical companies were not added to section 56.101 until 2002. (Stats. 2002, ch. 853, § 2, p. 5377.) This after-the-fact development does nothing to validate the Regents's interpretation of section 56.101 's remedial provisions—an interpretation that would mean those provisions, when adopted in 1999, were simply redundant and thus unnecessary.
Nor are we persuaded by the Regents's observation that the Legislature may create certain duties that are not enforceable through any private cause of action. Although that is certainly true (see, e.g., Lu v. Hawaiian Gardens Casino, Inc., supra, 50 Cal.4th at p. 596, 113 Cal.Rptr.3d 498, 236 P.3d 346), it does little to explain what the Legislature intended when it provided, first, that violation of the duty imposed by section 56.101 was “subject to the provisions of this part,” and, thereafter, that such violations were “subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36.” As discussed, section 56.36, subdivision (b), only provides for a private cause of action (for actual damages, nominal or statutory damages, or both). The Legislature plainly created some form of private cause of action for negligent maintenance or disposal of confidential medical information; the issue presented here is not whether a private right of action exists to enforce the duties created by section 56.101, but what are the elements of such a claim.
iii. Subsequent legislation to further protect confidential medical information does not support the Regents's cramped interpretation of sections 56.101 and 56.36, subdivision (b)
Finally, we reject the Regents's argument that a private cause of action under sections 56.101 and 56.36, subdivision (b), must include pleading and proof of an affirmative disclosure by the health care provider because in 2008, some years after those provisions were adopted, the Legislature enacted new regulatory safeguards for confidential medical records that expressly addressed unlawful or unauthorized “access” to such information, as well as its unauthorized use or disclosure. (Health & Saf.Code, §§ 1280.15, 130200 et seq.; see Stats. 2008, ch. 605, § 2, pp. 4326–4327; Stats. 2008, ch. 602, § 2, pp. 4303–4304.) Health and Safety Code section 1280.15, subdivision (a), imposes on health care facilities and clinics a duty to prevent “unlawful or unauthorized access to, and use or disclosure of, patients' medical information” and, in subdivision (b) provides administrative remedies for the failure to report improper access, use or disclosure. A finding of negligence is not necessary to trigger administrative sanctions. Similarly, Health and Safety Code section 130203, subdivision (a), requires health care providers to establish and implement appropriate administrative, technical and physical safeguards to protect the privacy of a patient's medical information and to safeguard it from “any unauthorized access or unlawful access, use, or disclosure.” Health and Safety Code section 130202 authorizes imposition of administrative fines for any violation.
As noted, both of these additional, related regulatory schemes cover unauthorized disclosure of confidential medical information, as well as improper access, and thus unquestionably overlap with the protections provided by section 56.10. Nothing in these statutes or their legislative history, however, suggests the Legislature, in providing these additional protections for confidential medical information, intended to modify or displace existing private remedies under sections 56.36 or 56.101 for the negligent storage or disposal of such information.
To be sure, as the Regents observe, an Assembly committee analysis of Senate Bill No. 541, which became Health and Safety Code section 1280.15, in explaining the need for the legislation, commented that “CMIA prohibits, with exceptions, health care providers ... from disclosing medical information.... CMIA does not address ‘access' which could involve an individual ‘snooping’ at a patient's records without a healthcare related or other legally authorized purpose, but who does not disclose or otherwise use the medical information.” (Assem. Com. on Health, Analysis of Sen. Bill No. 541 (2007–2008 Reg. Sess.) as amended Aug. 13, 2008, p. 7.) But “ ‘[t]he declaration of a later Legislature is of little weight in determining the relevant intent of the Legislature that enacted the law.’ ” (Apple Inc. v. Superior Court (2013) 56 Cal.4th 128, 145, 151 Cal.Rptr.3d 841, 292 P.3d 883.) Moreover, the legislative history makes clear the concerns regarding “unauthorized access” and “snooping” that prompted Senate Bill No. 541 were far broader than security breaches caused by negligent maintenance of medical records. (See, e.g., Sen. Health Com., Analysis of Sen. Bill No. 541 (2007–2008 Reg. Sess.) as amended Aug. 21, 2008, pp. 6–7 [“DPH recently released a report indicating that more than 120 workers at the UCLA Medical Center looked at celebrities' medical records and other personal information without permission between January 2004 and June 2008, and that three continued to look at one particular celebrity's records even after a crackdown on the unauthorized access began in April 2008.... In May 2008, it was reported that hospitals and other health care organizations commonly use patients' information for fundraising efforts without their express permission.”]; Assem. Com. on Health, supra, at p. 7 [“[i]n California, DPH indicates 127 people breached patient records at the University of California Los Angeles (UCLA) Medical Center, including one individual who breached 939 times, and the medical information of more than 6,000 patients at University of California San Francisco (UCSF) Medical Center was posted on the internet for more than three months”].) The privacy portions of Senate Bill No. 541 were necessary, not because any violation of CMIA necessarily requires an affirmative communicative act, as the Regents contend, but because “CMIA does not clearly address unauthorized ‘access' to medical records by providers, which could involve an individual ‘snooping’ at a patient's records without having a legitimate reason for doing so.” (Sen. Health Com., supra, at p. 7,, italics added.)
c. Pleading negligent maintenance and loss of possession of confidential medical information is insufficient to state a cause of action under sections 56.101 and 56.36, subdivision (b)
Apparently recognizing that negligent storage or disposal of confidential information alone is not actionable under sections 56.101 and 56.36, subdivision (b), in overruling the Regents's demurrer the superior court quoted Platter's allegation (in paragraph 46 of her complaint) that the Regents “failed to have reasonable systems and controls in place to prevent the removal of protected health information from the hospital premises and as a result it negligently lost possession of the hard drive and encryption passwords.” (Italics added.) In her return to the writ petition Platter emphasizes the italicized words and argues the allegation of a loss of possession of her confidential medical information provides the necessary elements for her private cause of action against the Regents.
Platter's pleading is honest. Because no one (except perhaps the thief) knows what happened to the encrypted external hard drive and the password for the encrypted information, she cannot allege her medical records were, in fact, viewed by an unauthorized individual. But it is also deficient. Even under the broad interpretation of “release” we believe the Legislature intended in section 56.36, subdivision (b), as incorporated into section 56.101, more than an allegation of loss of possession by the health care provider is necessary to state a cause of action for negligent maintenance or storage of confidential medical information. (See generally Kirkwood v. Bank of America (1954) 43 Cal.2d 333, 341, 273 P.2d 532 [“[w]ords may not be inserted in a statutory provision under the guise of interpretation”]; Schroeder v. Irvine City Council (2002) 97 Cal.App.4th 174, 194, 118 Cal.Rptr.2d 330 [same].) What is required is pleading, and ultimately proving, that the confidential nature of the plaintiff's medical information was breached as a result of the health care provider's negligence.
Because Platter's complaint failed to include any such allegation, the Regents's demurrer should have been sustained without leave to amend and the case dismissed.
Such a breach of confidentiality, of course, can occur whether or not the information remains in the actual possession of the health care provider. Conversely, if a provider properly disposes of medical records, as contemplated by section 56.101, it will lose possession of the records without in any way compromising their confidentiality.
In a petition for rehearing Platter for the first time requests leave to amend the complaint to allege the confidentiality of her personal information on the encrypted external hard drive was breached as a result of the Regents's negligence. Specifically, Platter asserts “within months” of the loss of the external hard drive an unauthorized telephone account was opened using the same personal information that was contained on the hard drive. Because she had not previously been the victim of identity theft, Platter contends it is a reasonable inference the two events are related and the unidentified individual who opened the telephone account is either the unknown thief who stole the hard drive or someone who obtained Platter's information from the thief.
We acknowledge leave to amend should be granted when the plaintiff has demonstrated a “reasonable possibility” she can amend her claim to state a viable cause of action (see Schifando v. City of Los Angeles, supra, 31 Cal.4th at p. 1081, 6 Cal.Rptr.3d 457, 79 P.3d 569), even if no similar request was made in the trial court. (See Code Civ. Proc., § 472c, subd. (a); Schultz v. Harney (1994) 27 Cal.App.4th 1611, 1623, 33 Cal.Rptr.2d 276.) But here Platter's request is too late, coming only after she admitted in her return to the Regents's petition she had not alleged that any person accessed, viewed or used the confidential information on the external hard drive and then failed to suggest any possible amendment to the complaint in her briefing in this court or even at oral argument when questioned about the possible significance of a release of confidential information that was not thereafter accessed by an unauthorized individual. (See Reynolds v. Bement (2005) 36 Cal.4th 1075, 1091–1092, 32 Cal.Rptr.3d 483, 116 P.3d 1162 [argument regarding possible amendment of complaint not properly raised for first time in petition for rehearing].) Moreover, Platter concedes there are other means by which her personal information may have been obtained, and the Regents has presented information the theft of the external hard drive occurred in Hawaii, not Southern California as Platter has assumed and where the identity theft apparently took place. Under the circumstances there are simply too many layers of speculation required for these minimal facts to be considered sufficient to overcome the deficiency in Platter's complaint. (See Sandler v. Sanchez (2012) 206 Cal.App.4th 1431, 1437, 142 Cal.Rptr.3d 771 [leave to amend should not be granted where amendment would be futile]; Vaillette v. Fireman's Fund Ins. Co. (1993) 18 Cal.App.4th 680, 685, 22 Cal.Rptr.2d 807 [same].)
DISPOSITION
The petition is granted. Let a peremptory writ of mandate issue directing the superior court to vacate its order overruling the Regents's demurrer and to enter a new order sustaining the demurrer without leave to amend and dismissing Platter's action. The parties are to bear their own costs in this proceeding. We concur: WOODS, J. ZELON, J.