AB 439 would weaken medical privacy law

by Richard Holober, California Progress Report

California lawmakers are poised to weaken a patient privacy law despite its overwhelming voter support.

AB 439 (Skinner) is before the Senate Judiciary Committee for a vote on Tuesday July 3. The bill would create loopholes in the Confidentiality of Medical Information Act (CMIA), placing patients at risk of repeated unauthorized release of confidential health information on a massive scale.

Assembly member Skinner is carrying the bill for McKesson Corporation, a healthcare business that ranks 15th on the Fortune 500 list. McKesson, a distributor of pharmaceuticals and manager of healthcare information systems, reported revenues of $122 billion in its 2012 Annual Report. Drug store chains, hospitals and other health care corporations are also supporting AB 439.

Consumer and privacy groups opposing AB 439 include the Consumer Federation of California, Consumer Action, Consumer Watchdog, CALPIRG, Privacy Rights Clearinghouse, California Alliance for Retired Americans, Electronic Frontier Foundation and World Privacy Forum.

AB 439 alters CMIA, a law that prohibits health care providers and others from the unauthorized disclosure of private patient records. Privacy violations are subject to actual damages and/or nominal damages of $1000 per record, as well as civil penalties. AB 439 eliminates damage awards when patients sue for privacy breaches, if the violator can establish an ‘affirmative defense’.

Consumer groups point out that the potential exposure to damage awards is an essential deterrent for businesses that might otherwise cut corners when it comes to enhancing the security of medical records.

California voters agree. A statewide survey conducted last week of 600 likely November voters found 77% support for the Confidentiality of Medical Information Act and its right to sue a health care provider for damages of $1000 per patient record breach. Support ran across the political spectrum: 87% of Democrats, 73% of Decline to State voters, and 67% of Republicans support current medical privacy law. 14% of voters surveyed opposed this law.

Support for the medical privacy law strengthened when voters heard the industry argument that lawsuits could cost privacy violators ‘tens of millions of dollars’. 32% of voters said that made them more likely to support the law, and only 15% said they were more likely to oppose the law, nearly identical to the opposition level at the start of the survey. 43% said the argument made no difference.

Lax records security gives health care consumers good reason to support strong penalties for privacy violations. A review of reports filed with the US Secretary of Health and Human Services found a 97% increase in the number of health records breached from 2010 to 2011. The average number of patient records compromised in each reported breach increased from 26,968 in 2010 to 49,394 in 2011.

While an epidemic of medical privacy breaches continues, health providers are failing to establish adequate security safeguards for electronic records.

A September 2011 PricewaterhouseCoopers LLP survey of 600 medical industry executives, covering a range of hospitals, physician groups, insurers and pharmacy corporations, found that over half of the surveyed executives acknowledged being aware of some kind of privacy or security breach at their company in the past two years. Despite this, only 47 percent of the companies surveyed were taking steps to address privacy and security issues.

Privacy advocates were told the intent of AB 439 was to balance the need for strong privacy enforcement with a reasonable degree of leniency for a health care business when a privacy violation was accidental, when it was the company’s first privacy breach, when the improper release of personally identifiable records was only to another health care provider, when the damage was identified and contained, when the breached records were destroyed, and when the business committing the violation took steps to tighten up its records security. These are the elements needed for the ‘affirmative defense’.

Consumer groups opposing AB 439 would not object to granting a judge the discretion to reduce the $1000 nominal damage award to a much smaller amount, or to waive damages entirely, in limited instances, based on a review of all the circumstances surrounding a first-time privacy violation.

Propelled by McKesson, amendments to AB 439 have converted judicial discretion into judicial handcuffs. AB 439 now prohibits courts from weighing the evidence and determining the amount of damages for a medical privacy breach, as long as a health care provider can establish the ‘affirmative defense’. In its current form, AB 439 leaves patients out in the cold with no possibility of a damage award. It gives McKesson and other multi-billion-dollar corporations repeated free passes for their privacy breaches, as long as they can say each time they are hauled into court ‘oops, we messed up again, sorry, no harm done’.

AB 439 gives health care businesses a signal that negligence in protecting medical records is cheaper than the cost of developing strong security protocols. The health care industry’s record of privacy failure does not warrant this sweeping grant of immunity from deterrent penalties.

Privacy advocates are asking the Senate Judiciary Committee to defeat AB 439, unless the bill is substantially amended to give courts the ability to weigh evidence and determine the proper level of damages to award. Patient privacy should not take a back seat to corporate health care’s profit considerations.