California's medical records privacy law is under attack. AB 439 would increase the risk of releasing confidential health information to strangers, without the patient's consent. AB 439 would shield drug store chains, hospitals and health insurance companies from paying damage awards in many instances when they violate our privacy, even when hundreds of thousands of patients' most personal medical information gets into the wrong hands.
Tell the California legislature to oppose AB 439 and any amendments that would put our medical information at risk.
Subject: Oppose AB 439 (Skinner) -- Immunity for Medical Privacy Breaches
Dear [Decision Maker],
I am writing you to urge you to oppose AB 439 (Skinner).
California's Confidentiality of Medical Information Act, which prohibits unauthorized disclosure of private patient records, is a much-needed deterrent to the negligent or intentional release of medical records.
Less than half of medical industry executives surveyed in a 2011 study reported that their companies were taking steps to protect patient records. At the same time, reports of medical record privacy breaches filed with the federal government increased by 97% from 2010 to 2011, and the average number of records compromised in a security breach jumped from 27,000 to over 49,000.
Current law provides for damages of $1000 for each record that a health care business negligently released without a patient's consent. The concept behind AB 439 was to give these companies a break, by giving a judge the discretion to set a lesser dollar amount for damages, or to waive damage awards entirely - but only in very limited instances. First, the judge would review the evidence. The judge would have to conclude that it was the health care company's first privacy offense, that the records were retrieved and destroyed before they caused any harm to a patient, and that the company is taking corrective steps such as encrypting computerized records and training its staff in privacy procedures, before damage awards were reduced or eliminated.
Unfortunately, amendments to AB 439 eliminate the judge's discretion to examine all the circumstances in deciding the proper damage award. The amended bill ties a judge's hands, and wipes out damages entirely for drug store chains, medical records companies, hospitals, and other corporations that violate patient privacy time and time again, as long as they can say "oops, we goofed, no harm done, sorry about that" each time they are hauled into court.
These amendments deny patients the right to obtain justice in a courtroom when billion-dollar health care corporations violate our privacy through sloppy or negligent handling of our most private records. Current California patient privacy law provides an essential financial disincentive to corporations that fail to take responsibility to tighten up lax security standards.
It is reasonable to give a judge discretion to weigh all the facts and to reduce the cost of a judgment against a first-time offender. It is harmful to patients to give businesses that fail to fix their security problems free pass after free pass, in perpetuity.
AB 439 would tell these businesses that the cost of privacy negligence is cheaper than the cost of developing strong security protocols. Please vote No on AB 439 unless the bill is substantially amended to give a judge the discretion to set damage awards -- but only for a first-time privacy violation.