Title: California Civil Code
Author: California
Publisher: Проспект
Genre: Jurisprudence, law
isbn: 9785392109821
(B) A licensed health care professional who knowingly and willfully obtains, discloses, or uses medical information in violation of this part shall be liable on a first violation for an administrative fine or civil penalty not to exceed two thousand five hundred dollars ($2,500) per violation, on a second violation for an administrative fine or civil penalty not to exceed ten thousand dollars ($10,000) per violation, or on a third and subsequent violation for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation. This subdivision shall not be construed to limit the liability of a health care service plan, a contractor, or a provider of health care that is not a licensed health care professional for a violation of this part.
(3) (A) A person or entity, other than a licensed health care professional, who knowingly or willfully obtains or uses medical information in violation of this part for the purpose of financial gain shall be liable for an administrative fine or civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation and shall also be subject to disgorgement of any proceeds or other consideration obtained as a result of the violation.
(B) A licensed health care professional who knowingly and willfully obtains, discloses, or uses medical information in violation of this part for financial gain shall be liable on a first violation for an administrative fine or civil penalty not to exceed five thousand dollars ($5,000) per violation, on a second violation for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation, or on a third and subsequent violation for an administrative fine or civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation and shall also be subject to disgorgement of any proceeds or other consideration obtained as a result of the violation. This subdivision shall not be construed to limit the liability of a health care service plan, a contractor, or a provider of health care that is not a licensed health care professional for any violation of this part.
(4) This subdivision shall not be construed as authorizing an administrative fine or civil penalty under both paragraphs (2) and (3) for the same violation.
(5) A person or entity who is not permitted to receive medical information pursuant to this part and who knowingly and willfully obtains, discloses, or uses medical information without written authorization from the patient shall be liable for a civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation.
(d) In assessing the amount of an administrative fine or civil penalty pursuant to subdivision (c), the State Department of Public Health, licensing agency, or certifying board or court shall consider any of the relevant circumstances presented by any of the parties to the case including, but not limited to, the following:
(1) Whether the defendant has made a reasonable, good faith attempt to comply with this part.
(2) The nature and seriousness of the misconduct.
(3) The harm to the patient, enrollee, or subscriber.
(4) The number of violations.
(5) The persistence of the misconduct.
(6) The length of time over which the misconduct occurred.
(7) The willfulness of the defendant’s misconduct.
(8) The defendant’s assets, liabilities, and net worth.
(e) (1) In an action brought by an individual pursuant to subdivision (b) on or after January 1, 2013, in which the defendant establishes the affirmative defense in paragraph (2), the court shall award any actual damages and reasonable attorney’s fees and costs, but shall not award nominal damages for a violation of this part.
(2) The defendant is entitled to an affirmative defense if all of the following are established, subject to the equitable considerations in paragraph (3):
(A) The defendant is a covered entity or business associate, as defined in Section 160.103 of Title 45 of the Code of Federal Regulations, in effect as of January 1, 2012.
(B) The defendant has complied with any obligations to notify all persons entitled to receive notice regarding the release of the information or records.
(C) The release of confidential information or records was solely to another covered entity or business associate.
(D) The release of confidential information or records was not an incident of medical identity theft. For purposes of this subparagraph, “medical identity theft” means the use of an individual’s personal information, as defined in Section 1798.80, without the individual’s knowledge or consent, to obtain medical goods or services, or to submit false claims for medical services.
(E) The defendant took appropriate preventive actions to protect the confidential information or records against release consistent with the defendant’s obligations under this part or other applicable state law and the Health Insurance Portability and Accountability Act of 1996 (Public Law 104–191) (HIPAA) and all HIPAA Administrative Simplification Regulations in effect on January 1, 2012, contained in Parts 160, 162, and 164 of Title 45 of the Code of Federal Regulations, and Part 2 of Title 42 of the Code of Federal Regulations, including, but not limited to, all of the following:
(I) Developing and implementing security policies and procedures.
(II) Designating a security official who is responsible for developing and implementing its security policies and procedures, including educating and training the workforce.
(III) Encrypting the information or records, and protecting against the release or use of the encryption key and passwords, or transmitting the information or records in a manner designed to provide equal or greater protections against improper disclosures.
(F) The defendant took reasonable and appropriate corrective action after the release of the confidential information or records, and the covered entity or business associate that received the confidential information or records destroyed or returned the confidential information or records in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. A court may consider this subparagraph to be established if the defendant shows in detail that the covered entity or business associate could not destroy or return the confidential information or records because of the technology utilized.
(G) The covered entity or business associate that received the confidential information or records, or any of its agents, independent contractors, or employees, regardless of the scope of the employee’s employment, did not retain, use, or release the information or records.
(H) After the release of the confidential information or records, the defendant took reasonable and appropriate action to prevent a future similar release of confidential information or records.
(I) The defendant has not previously established an affirmative defense pursuant to this subdivision, or the court determines, in its discretion, that application of the affirmative defense is compelling and consistent with the purposes of this section to promote reasonable conduct in light of all the facts.
(3) (A) In determining whether the affirmative defense may be established pursuant to paragraph (2), the court shall consider the equity of the situation, including, but not limited to, (i) whether the defendant has previously violated this part, regardless of whether an action has previously been brought, and (ii) the nature of the prior violation.