Protect Your Medical Privacy – No on AB 439 (Skinner)

Bill Update: The Consumer Federation of California opposed AB 439 (Skinner) as amended on June 15, 2012. After intense negotiations in early July, the author agreed to a new set of amendments and the CFC withdrew opposition. AB 439 was signed with the new amendments by Governor Brown on September 22.

The Consumer Federation of California opposes AB 439 (Skinner) as amended on June 15, 2012. The bill would create numerous loopholes in the Confidentiality of Medical Information Act, placing patients at risk of repeated unauthorized release of confidential health information on a massive scale.

The transition to electronic medical records provides both benefits and risks to patients. More than one quarter of a million Americans are victims of medical identity theft each year [1]; understandably, privacy of medical records ranks near the top of consumer concerns. While an epidemic of medical privacy breaches continues [2], health providers are failing to establish adequate security safeguards for electronic records. Over one half of 600 health industry executives surveyed in 2011 said their companies were not addressing privacy and security concerns. [3]

California’s Confidentiality of Medical Information Act (CMIA), which prohibits all persons and entities from unauthorized disclosure of private patient records, is a much-needed deterrent to the negligent or intentional release of medical records. It lets consumers sue, and a court can impose damages of $1000 for each record that a health care business negligently released without a patient’s consent. That is a very strong financial deterrent against lax privacy controls. In 2010, patients sued McKesson Corporation, a huge medical records company with over $120 billion a year in revenues [4], for a privacy breach of over one million patient records. McKesson asked the state legislature to change the law to make sure it doesn’t have to worry about paying damage awards if it is ever sued again for a similar release of records without patients’ permission. AB 439 (Skinner) is the result.

The initial idea behind AB 439 was to give health care companies a break next time, by giving a judge the discretion to set a lesser dollar amount for damages, or to waive damage awards entirely – but only in very limited instances. First, the judge would review the evidence. The judge would have to conclude that it was the health care company’s first privacy offense, that the records went to another health care provider, that they were retrieved and destroyed before they caused any harm to a patient, and that the company is taking corrective steps such as encrypting computerized records and training its staff in privacy procedures, before damage awards were reduced or eliminated.

The Consumer Federation of California doesn’t object to this approach. We have faith that a judge could evaluate the evidence, weigh the exonerating circumstances, and decide whether to reduce the amount of a damage award, or eliminate damages entirely, for a first offense.

Unfortunately for patients, McKesson and the big drug store chains and hospitals backing AB 439 are not satisfied with that change to California privacy law. Industry-sponsored amendments to the bill carve out massive exemptions to any damage awards for repeat privacy violators. The current version eliminates a judge’s discretion in imposing damages for first offenses based on a thorough review of the circumstances. Instead there is no possibility of any damage award, for limitless repeat offenses, as long as the health care corporation can say ‘we messed up again, sorry folks, no harm done’ each time it is hauled into court for breaching our medical privacy.

These amendments would give free passes, time after time, for sharing records without our permission with marketing corporations, direct mail outfits, data aggregators, and other businesses that perform services for health care entities.

The amendments also eliminate the requirement that the business that committed the privacy breach take corrective action following the records release, and they eliminate the requirement that the recipient of the unauthorized patient records destroy or return the records immediately.

These amendments would signal big businesses that negligence in protecting medical records is cheaper than developing strong security protocols. The health care industry’s record of lax security does not warrant this sweeping grant of immunity from deterrent penalties.

Patients deserve certainty that their most intimate medical records will be carefully protected by healthcare providers. Instead AB 439 would give repeat violators of medical record confidentiality endless free passes at the expense of patients.

________________

[1] https://worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf
[2] Canadian Medical Association Journal, March 6, 2012
[3] Reuters, September 22, 2011
[4] https://www.mckesson.com/static_files/McKesson.com/CorpIR/PDF_Documents/2006%20Form%2010-KBM.pdf