The CMIA Bites Twice
California's medical-privacy statute is not a slightly stricter HIPAA. It is an entirely separate exposure with a private right of action and statutory damages.
Most California practices price their privacy exposure as a HIPAA problem. They have a HIPAA risk assessment, a HIPAA breach response procedure, and a HIPAA training module that runs annually. They do not, as a rule, have any of those things for the Confidentiality of Medical Information Act, because they have been told CMIA is essentially HIPAA with a California sticker on it. It is not.
The operative difference is that CMIA gives patients a private right of action. Under HIPAA, an individual cannot sue you for a breach; only the federal Office for Civil Rights or a state attorney general can enforce. Under CMIA, the patient walks into court. Civil Code § 56.36 sets what the statute calls nominal damages at $1,000 per violation, with no requirement that the patient prove actual harm, and actual damages can be added on top. A breach affecting ten thousand records, even one handled in full compliance with HIPAA's breach notification rule, is a $10 million floor exposure under CMIA before anyone has alleged so much as a missed appointment.
The practical consequence is that breach math is wrong almost everywhere. Practices model breach response against the OCR penalty tiers and forget that a plaintiffs' class action under CMIA is sitting underneath those tiers, indifferent to whether the breach was unintentional, indifferent to whether the practice took remedial action, indifferent to whether anyone was harmed. The settlement number is statutory. The one limit worth knowing is that California's appellate courts have read the negligent-release provision to require that the records actually be viewed by an unauthorized person, not merely lost or exposed; a stolen laptop whose disk was encrypted is a HIPAA notification question, not automatically a CMIA damages claim. That is a defense to be proven after the suit is filed, not a reason to leave CMIA out of the model.
The other practical consequence is that the contracts matter more than people think. The vendor BAA addresses HIPAA. The vendor indemnification clause — if there is one — needs to address CMIA explicitly. If it does not name the statute, assume the vendor will argue it does not cover it. Some vendors will lose that argument. The practice will not enjoy finding out which ones.
We will write up a recent CMIA settlement in a future issue. The interesting fact about it is how small the breach was. The interesting fact about the number is how it was calculated.