To avoid paying a large fine for the negligent disclosure of medical records, the McKesson Corporation successfully lobbied to get AB 439 (Skinner) passed and signed into law in 2012. AB 439 signals to health care businesses that negligence in protecting medical records is cheaper than the cost of developing strong security protocols. The defendant in a CMIA action may not be ordered to pay nominal damages if the defendant establishes the following factors as an affirmative defense:
- The defendant is a covered entity or business associate, as defined in Section 160.103 of Title 45 of the Code of Federal Regulations, in effect as of January 1, 2012.
- The defendant has complied with any obligations to notify all persons entitled to receive notice regarding the release of the information or records.
- The release of confidential information or records was solely to another covered entity or business associate.
- The release of confidential information or records was not an incident of medical identity theft. For these purposes, “medical identity theft” means the use of an individual’s personal information without the individual’s knowledge or consent, to obtain medical goods or services, or to submit false claims for medical services.
- The defendant took appropriate preventive actions to protect the confidential information or records against release consistent with the defendant’s obligations under this part or other applicable state law and HIPAA, which include: developing and implementing security policies and procedures; designating a security official who is responsible for its security policies and procedures, including educating and training the workforce; encrypting the information or records, and protecting against the release or use of the encryption key and passwords, or transmitting the information or records in a manner designed to provide equal or greater protections against improper disclosures.
- The defendant took reasonable and appropriate corrective action after the release of the confidential information or records, and the covered entity or business associate that received the confidential information or records destroyed or returned the confidential information or records in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. A court may consider this subparagraph to be established if the defendant shows in detail that the covered entity or business associate could not destroy or return the confidential information or records because of the technology utilized.
- The covered entity or business associate that received the confidential information or records, or any of its agents, independent contractors, or employees, regardless of the scope of the employee’s employment, did not retain, use, or release the information or records.
- After the release of the confidential information or records, the defendant took reasonable and appropriate action to prevent a future similar release of confidential information or records.
- The defendant has not previously established an affirmative defense or the court determines, in its discretion, that application of the affirmative defense is compelling and consistent with the purposes of this section to promote reasonable conduct in light of all the facts.