(a)Any violation of this part that results in economic loss or personal injury to a patient is punishable as a misdemeanor.
(b)In addition to any other remedies available at law, any individual may bring an action against any person or entity that has negligently released confidential information or records concerning him or her in violation of this part, for access, at the defendant’s expense, to a nationally recognized credit monitoring and reporting service for one year from the date of release of any medical information and either or both of the following:
(1)Nominal damages of one
thousand dollars ($1,000). In order to recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual damages.
(2)The amount of actual damages, if any, sustained by the patient.
(c)(1)In addition, any person or entity that negligently discloses medical information in violation of the provisions of this part shall also be liable, irrespective of the amount of damages suffered by the patient as a result of that violation, for an administrative fine or civil penalty not to exceed two thousand
five hundred dollars ($2,500) per violation.
(2)(A)Any person or entity, other than a licensed health care professional, who knowingly and willfully obtains, discloses, or uses medical information in violation of this part shall be liable for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation.
(B)Any licensed health care professional, who knowingly and willfully obtains, discloses, or uses medical information in violation of this part shall be liable on a first violation, for an administrative fine or civil penalty not to exceed two thousand five hundred dollars ($2,500) per violation, or on a second violation for an administrative fine or civil penalty not to exceed ten thousand dollars
($10,000) per violation, or on a third and subsequent violation for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation. Nothing in this subdivision shall be construed to limit the liability of a health care service plan, a contractor, or a provider of health care that is not a licensed health care professional for any violation of this part.
(3)(A)Any person or entity, other than a licensed health care professional, who knowingly or willfully obtains or uses medical information in violation of this part for the purpose of financial gain shall be liable for an administrative fine or civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation and shall also be subject to disgorgement of any proceeds or other consideration obtained as
a result of the violation.
(B)Any licensed health care professional, who knowingly and willfully obtains, discloses, or uses medical information in violation
of this part for financial gain shall be liable on a first violation, for an administrative fine or civil penalty not to exceed five thousand dollars ($5,000) per violation, or on a second violation for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation, or on a third and subsequent violation for an administrative fine or civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation and shall also be subject to disgorgement of any proceeds or other consideration obtained as a result of the violation. Nothing in this subdivision shall be construed to limit the liability of a health care service plan, a contractor, or a provider of health care that is not a licensed health care professional for any violation of this part.
(4)Nothing in this
subdivision shall be construed as authorizing an administrative fine or civil penalty under both paragraphs (2) and (3) for the same violation.
(5)Any person or entity that is not permitted to receive medical information pursuant to this part and who knowingly and willfully obtains, discloses, or uses medical information without written authorization from the patient shall be liable for a civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation.
(d)In assessing the amount of an administrative fine or civil penalty pursuant to subdivision (c), the Office of Health Information Integrity, licensing agency, or certifying board or court shall consider any one or more of the relevant circumstances presented by any of the parties to the case including,
but not limited to, the following:
(1)Whether the defendant has made a reasonable, good faith attempt to comply with this part.
(2)The nature and seriousness of the misconduct.
(3)The harm to the patient, enrollee, or subscriber.
(4)The number of violations.
(5)The persistence of the misconduct.
(6)The length of time over which the misconduct occurred.
(7)The willfulness of the defendant’s misconduct.
(8)The defendant’s assets, liabilities, and net worth.
(e)(1)The civil penalty pursuant to subdivision (c) shall be assessed and recovered in a civil action brought in the name of the people of the State of California in any court of competent jurisdiction by any of the following:
(A)The Attorney General.
(B)Any district attorney.
(C)Any county counsel authorized by agreement with the district attorney in actions involving violation of a county ordinance.
(D)Any city attorney of a city.
(E)Any city
attorney of a city and county having a population in excess of 750,000, with the consent of the district attorney.
(F)A city prosecutor in any city having a full-time city prosecutor or, with the consent of the district attorney, by a city attorney in any city and county.
(G)The Director of the Office of Health Information Integrity may recommend that any person described in subparagraphs (A) to (F), inclusive, bring a civil action under this section.
(2)If the action is brought by the Attorney General, one-half of the penalty collected shall be paid to the treasurer of the county in which the judgment was entered, and one-half to the General Fund. If the action is brought by a district attorney or county counsel, the
penalty collected shall be paid to the treasurer of the county in which the judgment was entered. Except as provided in paragraph (3), if the action is brought by a city attorney or city prosecutor, one-half of the penalty collected shall be paid to the treasurer of the city in which the judgment was entered and one-half to the treasurer of the county in which the judgment was entered.
(3)If the action is brought by a city attorney of a city and county, the entire amount of the penalty collected shall be paid to the treasurer of the city and county in which the judgment was entered.
(4)Nothing in this section shall be construed as authorizing both an administrative fine and civil penalty for the same violation.
(5)Imposition of a fine or penalty provided for in this section shall not preclude imposition of any other sanctions or remedies authorized by law.
(6)Administrative fines or penalties issued pursuant to Section 1280.15 of the Health and Safety Code shall offset any other administrative fine or civil penalty imposed under this section for
the same violation.
(f)For purposes of this section, “knowing” and “willful” shall have the same meanings as in Section 7 of the Penal Code.
(g)No person who discloses protected medical information in accordance with the provisions of this part shall be subject to the penalty provisions of this part.
(h)Paragraph (6) of subdivision (e) shall only become operative if Senate Bill 541 of the 2007–08 Regular Session is enacted and becomes effective on or before January 1, 2009.