Alert
September 30, 2025

California Appellate Court Finds Reasonableness Standard in Medical Information Breach Notification Law

In September 2025, the California Court of Appeal, Third Appellate District, issued a judgment confirming that strict liability does not apply to the security requirements under California’s medical information breach notification law. The court analyzed a disclosure matter in which a neuropsychiatric hospital had implemented appropriate and reasonable security safeguards but was nonetheless penalized by the California Department of Public Health (CDPH) when an employee of the hospital inadvertently posted patient information on social media.

Alleged Violation 

In November 2016, an employee of a California neuropsychiatric hospital used their personal cell phone to photograph patients’ medical information. After redacting the patient information, the employee posted the photo on their Instagram account. Despite the redaction, the personal information of 10 patients remained visible in the photo. After investigation, the CDPH issued the hospital a $75,000 penalty, stating that it “failed to prevent unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information” as is required under California’s medical information breach notification law.

The judgment details that the employee underwent Health Insurance Portability and Accountability Act (HIPAA) training and signed a patient confidentiality agreement. It also states that the hospital terminated the employee shortly after discovery of the disclosure, circulated an email to all workforce members regarding the importance of maintaining the security and confidentiality of patient information, and notified all affected patients.

Legal Analysis 

Two sections of the California Health and Safety Code are at issue. Section 1280.15 (the prevention section) states that a health provider “shall prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information […] consistent with Section 1280.18.” Section 1280.18 (the safeguard section) states that a health provider “shall establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient’s medical information [and] shall reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use, or disclosure.” The material question is whether the “shall prevent” language of the prevention section denotes strict liability, such that any failure to prevent a disclosure constitutes a violation, or whether its “consistent with Section 1280.18” language requires that any purported violation be supported by noncompliance with the safeguard section, thus importing a reasonableness standard into the prevention section.

The administrative law judge (ALJ) hearing the hospital’s appeal upheld the penalty and concluded that strict liability applies to the prevention section. However, the ALJ noted that the hospital did not violate the safeguard section because it maintained appropriate and reasonable safeguards. The trial court granted the hospital’s “petition for a writ of administrative mandate to set aside that determination.” On appeal, the CDPH argued that the plain language of the prevention section supports strict liability; the legislative history confirms this position; the CDPH’s interpretation is reasonable and consistent with the principles of administrative law; and it is in the interest of public policy to apply strict liability.

The appellate court applied a plain language analysis of the law to determine that one cannot violate the prevention section without violating the safeguard section, thus rejecting the strict liability position and importing a reasonableness standard. In practical terms, this means that California health providers should not receive a penalty for violation of the prevention section resulting from an inadvertent disclosure so long as they have implemented appropriate and reasonable safeguards to maintain the confidentiality and security of patient information (including proper remediation and notification resulting from the disclosure). Because a plain language analysis concluded that the law was unambiguous on its face, the appellate court did not review the applicable legislative history.

Practical Takeaways

It is important to note that the facts before the court lend themselves to a favorable analysis for the hospital. The disclosure resulted from an employee’s independent violation of internal policy after having participated in training and signing a confidentiality agreement. If the disclosure resulted instead from the hospital’s own security failure, it is likely that the CDPH could identify that failure as noncompliance with the safeguard section, thus supporting an alleged violation of the prevention section. However, it should comfort California health providers that the language of the safeguard section closely mirrors that of HIPAA, and so it is likely that compliance with HIPAA’s administrative, physical, and technical safeguards can act as a bulwark against allegations of noncompliance.

What to Expect 

While the predominant focus for medical information protection remains with federal law and regulation, states continue to enact strict laws that go beyond HIPAA, and individuals have recently been citing state laws to try to relate private action claims to HIPAA. Interpretation of medical information privacy laws will become more important as this trend continues. Goodwin’s Healthcare and Data, Privacy & Cybersecurity lawyers will continue to monitor for similar judicial action. Please contact Jonathan Ishee or Michael Paluzzi with any questions related to state or federal medical information privacy laws.

 
