ARTICLE
3 October 2025

California Appellate Court Finds Reasonableness Standard In Medical Information Breach Notification Law

Goodwin Procter LLP


In September 2025, the California Court of Appeal, Third Appellate District, issued a judgment confirming that strict liability does not apply to the security requirements under California's medical information breach notification law. The court analyzed a disclosure matter in which a neuropsychiatric hospital had implemented appropriate and reasonable security safeguards but was nonetheless penalized by the California Department of Public Health (CDPH) when an employee of the hospital inadvertently posted patient information on social media.

Alleged Violation

In November 2016, an employee of a California neuropsychiatric hospital used their personal cell phone to photograph a patient's medical information. After redacting the patient's information, the employee posted the photo on their Instagram account. Despite the redaction, the personal information of 10 patients remained visible in the photo. After investigation, the CDPH issued the hospital a $75,000 penalty, stating that it "failed to prevent unlawful or unauthorized access to, and use or disclosure of, a patient's medical information" as is required under California's medical information breach notification law.

The judgment details that the employee underwent HIPAA training and signed a patient confidentiality agreement. It also states that the hospital terminated the employee shortly after discovery of the disclosure, circulated an email to all workforce members regarding the importance of maintaining security and confidentiality of patient information, and notified all affected patients.

Legal Analysis

Two sections of the California Health and Safety Code are at issue. Section 1280.15 (the Prevention Section) states that a health provider "shall prevent unlawful or unauthorized access to, and use or disclosure of, patients' medical information... consistent with Section 1280.18." Section 1280.18 (the Safeguard Section) states that a health provider "shall establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient's medical information [and] shall reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use, or disclosure." The material question is whether the "shall prevent" language of the Prevention Section denotes strict liability, such that any failure to prevent a disclosure constitutes a violation, or whether its "consistent with section 1280.18" language requires that any purported violation be supported by noncompliance with the Safeguard Section, thus importing a reasonableness standard to the Prevention Section.

On appeal before an administrative law judge (ALJ), the ALJ upheld the penalty and concluded that strict liability applies to the Prevention Section. However, the ALJ noted that the hospital did not violate the Safeguard Section because it maintained appropriate and reasonable safeguards. The trial court granted the hospital's petition for a writ of administrative mandate to set aside that determination. On appeal, the CDPH argued that the plain language of the Prevention Section supports strict liability, that legislative history confirms this position, that the CDPH's interpretation is reasonable and consistent with the principles of administrative law, and that it is in the interest of public policy to apply strict liability.

The appellate court applied a plain language analysis of the law to determine that one cannot violate the Prevention Section without violating the Safeguard Section, thus rejecting the strict liability position and importing a reasonableness standard. In practical terms, this means that California health providers should not receive a penalty for violation of the Prevention Section resulting from an inadvertent disclosure so long as they have implemented appropriate and reasonable safeguards to maintain the confidentiality and security of patient information (including proper remediation and notification resulting from the disclosure). Because a plain language analysis concluded that the law was unambiguous on its face, the appellate court did not review the applicable legislative history.

Practical Takeaways

It's important to note that the facts at bar lend themselves to a favorable analysis for the hospital. The disclosure resulted from an employee's independent violation of internal policy after having participated in training and signing a confidentiality agreement. If the disclosure resulted instead from the hospital's own security failure, it is likely that the CDPH could identify that failure as noncompliance with the Safeguard Section, thus supporting an alleged violation of the Prevention Section. However, it should comfort California health providers that the language of the Safeguard Section closely mirrors that of HIPAA, and so it is likely that compliance with HIPAA's administrative, physical, and technical safeguards can act as a bulwark against allegations of noncompliance.

What to Expect

While the predominant focus for medical information protection remains with federal law and regulation, states continue to enact strict laws that go beyond HIPAA, and individuals have recently been citing state laws in an attempt to bring private claims related to HIPAA. Interpretation of medical information privacy laws will become more important as this trend continues. Goodwin's Healthcare and Data, Privacy & Cybersecurity lawyers will continue to monitor for similar judicial action. Please contact Jonathan Ishee or Michael Paluzzi with any questions related to state or federal medical information privacy laws.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
