CHA News Article

Court Rules Release of Patient Demographic Information Not a Violation of CMIA

The California Court of Appeal for the Fourth Appellate District ruled this week that a release of patient demographic information did not constitute a violation of the state’s Confidentiality of Medical Information Act (CMIA). In the case, a hospital’s computer that contained information about 500,000 patients was stolen. The information included each patient’s name, medical record number, age, date of birth and the last four digits of the person’s Social Security number. A class action lawsuit was filed under the CMIA seeking nominal damages of $1,000 per patient.

In the attached published opinion, the court noted that the CMIA prohibits the disclosure of medical information, which is defined as information regarding “a patient’s medical history, mental or physical condition, or treatment.” The court rejected the plaintiffs’ argument that the mere fact that a person’s name or demographic information was released by a hospital reveals that he or she was a patient, which is medical history, and thus constitutes a release of “medical information” under the CMIA.

California hospitals should be aware, for breach notification purposes, that the release of demographic information about a patient, unaccompanied by medical information, may trigger state and/or federal (HIPAA) breach notification requirements, although such a release would not violate the CMIA.

CHA filed an amicus brief in the case supporting the defendant hospital, and will continue to advocate for reasonable interpretations of health information privacy and breach notification laws.