Filed 9/23/25
CERTIFIED FOR PUBLICATION
IN THE COURT OF APPEAL OF THE STATE OF CALIFORNIA THIRD APPELLATE DISTRICT
(Sacramento) ----
THE REGENTS OF THE UNIVERSITY OF C100351 CALIFORNIA,
Plaintiff and Respondent, (Super. Ct. No. 34-2022- 80004049-CU-WM-GDS)
v.
STATE DEPARTMENT OF PUBLIC HEALTH,
Defendant and Appellant.
APPEAL from a judgment of the Superior Court of Sacramento County, Stephen P. Acquisto, Judge. Affirmed.
Rob Bonta, Attorney General, Cheryl L. Feiner, Assistant Attorney General, Gregory D. Brown and Maryam Toossi Berona, Deputy Attorneys General, for Defendant and Appellant.
Morgan, Lewis & Bockius, Ella Foley Gannon and Pejman Moshfegh, for Plaintiff and Respondent.
Athene Law, Long X. Do and Kyle R. Brierly, for California Hospital Association as Amicus Curiae on behalf of Plaintiff and Respondent.
1 Defendant California Department of Public Health (the Department) imposed a $75,000 penalty on plaintiff Regents of University of California doing business as Resnick Neuropsychiatric Hospital of UCLA (Resnick) after a Resnick employee photographed confidential patient information and posted the photograph to his Instagram account. The Department imposed this penalty after finding that Resnick violated Health and Safety Code1 section 1280.15, which provides, in part, that a health facility “shall prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information, as defined in Section 56.05 of the Civil Code and consistent with Section 1280.18.” (§ 1280.15, subd. (a), italics added.) The question before us is this: Does the “shall prevent” language denote a strict liability statute, such that any failure to prevent disclosure constitutes a violation of section 1280.15? Or, as the trial court ruled, does the “consistent with Section 1280.18” language require that a violation of section 1280.15 must be supported by a concomitant violation of section 1280.18’s mandate that health facilities establish appropriate safeguards to protect the privacy of patient medical information and reasonably safeguard confidential medical information, effectively importing a reasonableness standard from section 1280.18 into section 1280.15? An administrative law judge (ALJ) upheld the Department’s findings and penalty. The trial court subsequently granted Resnick’s petition for a writ of administrative mandate to set aside that determination. Here, the Department argues: (1) the plain language of section 1280.15 supports its interpretation of that statute as one of strict liability, (2) the legislative history confirms its position, (3) the Department’s interpretation is reasonable, longstanding, and consistent, and should be afforded deference, (4) its interpretation is “consistent with the foundational principles of administrative law,” and (5) public policy favors its interpretation.
1 Further undesignated section references are to the Health and Safety Code.
2 We will affirm. We deny Resnick’s motion for judicial notice of certain documents related to the legislative history of section 1280.15 as unnecessary to our determination. (City of Grass Valley v. Cohen (2017) 17 Cal.App.5th 567, 594, fn. 13.) BACKGROUND Resnick is a hospital within the University of California, Los Angeles Health System (UCLA Health), and is licensed by the Department as an Acute Psychiatric Hospital. In September 2016, Kevin Y. was hired as a Clinical Care Partner at Resnick. His duties included assisting nurses and taking and recording vital signs. As part of his onboarding process, on September 8, 2016, Kevin Y. completed the online Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub.L. No. 104-191 (Aug. 21, 1996) 110 Stat. 1936) Privacy and Information Security training required by Resnick. That training included instruction on maintaining the confidentiality of protected health information, including a prohibition against storing such information on personal devices. Kevin Y. also signed the UCLA Health patient confidentiality agreement, by which he agreed to protect the privacy, confidentiality, and security of all medical records. On October 17, 2016, Kevin Y. attended orientation for new UCLA Health employees. As part of that orientation, he completed additional HIPAA and patient-privacy training. The orientation Kevin Y. completed included persistent reminders that employees were required to protect all information that could be used to identify a patient. On November 22, 2016, while entering patient vital signs into Resnick’s electronic health record system, Kevin Y. used his personal cell phone to photograph patients’ medical information. After completing his shift, he redacted the photograph to obscure the names and/or diagnoses of patients and posted the photograph to his Instagram account. Despite his redaction, the personal information of 10 patients remained partially visible, including names and medical diagnoses. A Resnick employee saw the post and informed Kevin Y. that his conduct was inappropriate. Kevin Y. subsequently deleted the
3 Instagram post. Following UCLA Health policies, the Resnick employee reported the incident to a supervisor. Kevin Y. was placed on administrative leave and ultimately terminated from Resnick as a result of the incident. UCLA Health’s Office of Compliance Services was alerted to the incident and began an investigation. That office also sent out a high-importance email to all UCLA Health employees, reiterating the duty of all employees to maintain the security and confidentiality of patient information. UCLA Health also notified the affected patients of the disclosure. No patient reported any adverse consequences as a result of Kevin Y.’s actions. After an investigation into the matter, the Department submitted to Resnick an initial, and then an amended, Statement of Deficiencies and Plan of Correction, with which Resnick timely complied. The Department subsequently issued an Unauthorized Disclosure/Breach Administrative Penalty Notice to Resnick, stating that Resnick “failed to prevent unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information, as required by section 1280.15 . . . .” It also penalized Resnick $7,500 per patient, or $75,000. No penalties were assessed against Kevin Y. Resnick requested a hearing to appeal from the Department’s determination. The parties submitted a joint statement of stipulated facts for the administrative appeal, from which the foregoing recitation of underlying facts was derived. In a preliminary determination, the ALJ agreed with the Department that “the [L]egislature intended the legal standard for a violation of section 1280.15, subdivision (a), to be that of strict liability.” In its subsequent proposed decision, the ALJ first confirmed its preliminary determination that strict liability applied. Thus, any “unlawful or unauthorized access to, and use or disclosure of, patients’ medical information” constitutes a violation of section 1280.15, subdivision (a), and the Department was not required to prove Resnick failed to have proper procedures in place before it could be held responsible for a violation of that section. The ALJ did note that the Department
4 found that Resnick did not violate section 1280.18. The ALJ then stated there was no dispute that Kevin Y. accessed and disclosed patients’ private health information, and therefore Resnick was responsible. Lastly, the ALJ concluded that the Department did not abuse its discretion in levying the $75,000 penalty. On October 10, 2022, the Department adopted the ALJ’s proposed decision as its final decision. Resnick filed in the trial court a petition for a writ of administrative mandamus (Code Civ. Proc., § 1094.5) and a request for declaratory relief (Code Civ. Proc., § 1060).
Free access — add to your briefcase to read the full text and ask questions with AI
Filed 9/23/25
CERTIFIED FOR PUBLICATION
IN THE COURT OF APPEAL OF THE STATE OF CALIFORNIA THIRD APPELLATE DISTRICT
(Sacramento) ----
THE REGENTS OF THE UNIVERSITY OF C100351 CALIFORNIA,
Plaintiff and Respondent, (Super. Ct. No. 34-2022- 80004049-CU-WM-GDS)
v.
STATE DEPARTMENT OF PUBLIC HEALTH,
Defendant and Appellant.
APPEAL from a judgment of the Superior Court of Sacramento County, Stephen P. Acquisto, Judge. Affirmed.
Rob Bonta, Attorney General, Cheryl L. Feiner, Assistant Attorney General, Gregory D. Brown and Maryam Toossi Berona, Deputy Attorneys General, for Defendant and Appellant.
Morgan, Lewis & Bockius, Ella Foley Gannon and Pejman Moshfegh, for Plaintiff and Respondent.
Athene Law, Long X. Do and Kyle R. Brierly, for California Hospital Association as Amicus Curiae on behalf of Plaintiff and Respondent.
1 Defendant California Department of Public Health (the Department) imposed a $75,000 penalty on plaintiff Regents of University of California doing business as Resnick Neuropsychiatric Hospital of UCLA (Resnick) after a Resnick employee photographed confidential patient information and posted the photograph to his Instagram account. The Department imposed this penalty after finding that Resnick violated Health and Safety Code1 section 1280.15, which provides, in part, that a health facility “shall prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information, as defined in Section 56.05 of the Civil Code and consistent with Section 1280.18.” (§ 1280.15, subd. (a), italics added.) The question before us is this: Does the “shall prevent” language denote a strict liability statute, such that any failure to prevent disclosure constitutes a violation of section 1280.15? Or, as the trial court ruled, does the “consistent with Section 1280.18” language require that a violation of section 1280.15 must be supported by a concomitant violation of section 1280.18’s mandate that health facilities establish appropriate safeguards to protect the privacy of patient medical information and reasonably safeguard confidential medical information, effectively importing a reasonableness standard from section 1280.18 into section 1280.15? An administrative law judge (ALJ) upheld the Department’s findings and penalty. The trial court subsequently granted Resnick’s petition for a writ of administrative mandate to set aside that determination. Here, the Department argues: (1) the plain language of section 1280.15 supports its interpretation of that statute as one of strict liability, (2) the legislative history confirms its position, (3) the Department’s interpretation is reasonable, longstanding, and consistent, and should be afforded deference, (4) its interpretation is “consistent with the foundational principles of administrative law,” and (5) public policy favors its interpretation.
1 Further undesignated section references are to the Health and Safety Code.
2 We will affirm. We deny Resnick’s motion for judicial notice of certain documents related to the legislative history of section 1280.15 as unnecessary to our determination. (City of Grass Valley v. Cohen (2017) 17 Cal.App.5th 567, 594, fn. 13.) BACKGROUND Resnick is a hospital within the University of California, Los Angeles Health System (UCLA Health), and is licensed by the Department as an Acute Psychiatric Hospital. In September 2016, Kevin Y. was hired as a Clinical Care Partner at Resnick. His duties included assisting nurses and taking and recording vital signs. As part of his onboarding process, on September 8, 2016, Kevin Y. completed the online Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub.L. No. 104-191 (Aug. 21, 1996) 110 Stat. 1936) Privacy and Information Security training required by Resnick. That training included instruction on maintaining the confidentiality of protected health information, including a prohibition against storing such information on personal devices. Kevin Y. also signed the UCLA Health patient confidentiality agreement, by which he agreed to protect the privacy, confidentiality, and security of all medical records. On October 17, 2016, Kevin Y. attended orientation for new UCLA Health employees. As part of that orientation, he completed additional HIPAA and patient-privacy training. The orientation Kevin Y. completed included persistent reminders that employees were required to protect all information that could be used to identify a patient. On November 22, 2016, while entering patient vital signs into Resnick’s electronic health record system, Kevin Y. used his personal cell phone to photograph patients’ medical information. After completing his shift, he redacted the photograph to obscure the names and/or diagnoses of patients and posted the photograph to his Instagram account. Despite his redaction, the personal information of 10 patients remained partially visible, including names and medical diagnoses. A Resnick employee saw the post and informed Kevin Y. that his conduct was inappropriate. Kevin Y. subsequently deleted the
3 Instagram post. Following UCLA Health policies, the Resnick employee reported the incident to a supervisor. Kevin Y. was placed on administrative leave and ultimately terminated from Resnick as a result of the incident. UCLA Health’s Office of Compliance Services was alerted to the incident and began an investigation. That office also sent out a high-importance email to all UCLA Health employees, reiterating the duty of all employees to maintain the security and confidentiality of patient information. UCLA Health also notified the affected patients of the disclosure. No patient reported any adverse consequences as a result of Kevin Y.’s actions. After an investigation into the matter, the Department submitted to Resnick an initial, and then an amended, Statement of Deficiencies and Plan of Correction, with which Resnick timely complied. The Department subsequently issued an Unauthorized Disclosure/Breach Administrative Penalty Notice to Resnick, stating that Resnick “failed to prevent unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information, as required by section 1280.15 . . . .” It also penalized Resnick $7,500 per patient, or $75,000. No penalties were assessed against Kevin Y. Resnick requested a hearing to appeal from the Department’s determination. The parties submitted a joint statement of stipulated facts for the administrative appeal, from which the foregoing recitation of underlying facts was derived. In a preliminary determination, the ALJ agreed with the Department that “the [L]egislature intended the legal standard for a violation of section 1280.15, subdivision (a), to be that of strict liability.” In its subsequent proposed decision, the ALJ first confirmed its preliminary determination that strict liability applied. Thus, any “unlawful or unauthorized access to, and use or disclosure of, patients’ medical information” constitutes a violation of section 1280.15, subdivision (a), and the Department was not required to prove Resnick failed to have proper procedures in place before it could be held responsible for a violation of that section. The ALJ did note that the Department
4 found that Resnick did not violate section 1280.18. The ALJ then stated there was no dispute that Kevin Y. accessed and disclosed patients’ private health information, and therefore Resnick was responsible. Lastly, the ALJ concluded that the Department did not abuse its discretion in levying the $75,000 penalty. On October 10, 2022, the Department adopted the ALJ’s proposed decision as its final decision. Resnick filed in the trial court a petition for a writ of administrative mandamus (Code Civ. Proc., § 1094.5) and a request for declaratory relief (Code Civ. Proc., § 1060). Resnick sought “to correct the Department’s abuse of discretion and misinterpretation of the Health and Safety Code, namely the improper ruling that Section 1280.15 was violated without any violation of Section 1280.18.” In the first cause of action, Resnick sought a writ of administrative mandate “finding that [the Department] improperly ruled [Resnick] was in violation of Section 1280.15 and that there can be no violation of Section 1280.15 without a violation of Section 1280.18.” In the second cause of action, Resnick sought a judgment declaring that, without proof of a violation of section 1280.18, the Department cannot prove a violation of section 1280.15. In a tentative ruling, the trial court noted the statutory language, which provides that a health facility “shall prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information, as defined in Section 56.05 of the Civil Code and consistent with Section 1280.18.” (§ 1280.15, subd. (a), italics added.) It further noted that section 1280.18 provided: “Every provider of health care shall establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient’s medical information. Every provider of health care shall reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use, or disclosure.” (§ 1280.18, subd. (a).) The trial court agreed with Resnick that the phrase “consistent with Section 1280.18” in section 1280.15, subdivision (a), “serves to place a limitation on the duty under section 1280.15 to situations where there is also a violation of section 1280.18. A finding of violation of section 1280.15 . . . where
5 the facility had implemented appropriate safeguards in compliance with section 1280.18 would not be ‘consistent with’ section 1280.18.” The court found section 1280.15 to be unambiguous, and that the only reasonable interpretation of the plain language of that section was that a violation cannot occur without a concurrent violation of section 1280.18. Following oral argument, the trial court affirmed its tentative ruling. In an order filed November 7, 2023, the trial court granted the writ petition, granted Resnick’s request for a judgment declaring that section 1280.15, subdivision (a), cannot be violated without a concurrent violation of section 1280.18, ordered judgment entered in favor of Resnick, and ordered a peremptory writ of mandamus to issue remanding the proceedings to the Department and directing the Department to vacate its decision dated October 10, 2022, and take further action consistent with the court’s ruling. On the same date, the court filed its judgment, granting Resnick’s petition. DISCUSSION I Standard of Review and Statutory Interpretation In reviewing an administrative decision in proceedings on a petition for writ of administrative mandate, we review the administrative determination itself, not the trial court’s decision, for abuse of discretion. (Griego v. City of Barstow (2023) 87 Cal.App.5th 133, 139.) “In administrative mandate cases, abuse of discretion is established if the agency has not proceeded in the manner required by law, the order or decision is not supported by the findings, or the findings are not supported by substantial evidence in light of the whole record.” (Martis Camp Community Assn. v. County of Placer (2020) 53 Cal.App.5th 569, 593, fn. omitted, citing Code Civ. Proc., § 1094.5, subds. (b), (c).) Here, the parties stipulated to the underlying facts. The issue is whether
6 the Department proceeded in the manner required by law based on its interpretation of section 1280.15.2 “ ‘The proper interpretation of a statute and the application of the statute to undisputed facts are questions of law, which we . . . review de novo.’ ” (Parsons v. Estenson Logistics, LLC (2022) 86 Cal.App.5th 1260, 1265.) A reviewing court’s fundamental task in any case involving statutory construction “ ‘is to determine the Legislature’s intent so as to effectuate the law’s purpose.’ [Citation.] ‘We begin by examining the statutory language, giving it a plain and commonsense meaning. [Citation.] We do not, however, consider the statutory language in isolation; rather, we look to the entire substance of the statutes in order to determine their scope and purposes. [Citation.] That is, we construe the words in question in context, keeping in mind the statutes’ nature and obvious purposes. [Citation.] We must harmonize the various parts of the enactments by considering them in the context of the statutory [framework] as a whole. [Citation.] If the statutory language is unambiguous, then its plain meaning controls. If, however, the language supports more than one reasonable construction, then we may look to extrinsic aids, including the ostensible objects to be achieved and the legislative history.’ ” (Skidgel v. California Unemployment Ins. Appeals Bd. (2021) 12 Cal.5th 1, 14.) “Ultimately, we must ‘ “ ‘select the construction that comports most closely with the apparent intent of the Legislature, with a view to promoting rather than defeating the general purpose of the statute, and avoid an interpretation that would lead to
2 There is authority for the proposition that “ ‘an action for declaratory relief is not appropriate to review an administrative decision,’ ” and that declaratory relief “cannot be joined with a writ of mandate reviewing an administrative determination.” (City of Pasadena v. Cohen (2014) 228 Cal.App.4th 1461, 1466-1467.) Because no party raises any issue concerning the appropriateness of declaratory relief, we will not address that cause of action.
7 absurd consequences.’ ” ’ ” (City of Los Angeles v. PricewaterhouseCoopers, LLP (2024) 17 Cal.5th 46, 64.) II Plain Language Analysis The Department argues that the plain language of section 1280.15 makes clear that the section imposes strict liability for the unlawful disclosure of medical records. Conversely, Resnick argues, and amicus curiae California Hospital Association agrees, that the trial court was correct in determining that the plain and unambiguous language of section 1280.15 effectively incorporates the reasonableness standard set forth in section 1280.18. We agree with Resnick and amicus curiae. Again, the relevant language of section 1280.15 provides that a health facility “shall prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information, as defined in Section 56.05 of the Civil Code and consistent with Section 1280.18.” (§ 1280.15, subd. (a), italics added.) The Department focuses on the “shall prevent” language, arguing that this text establishes the mandatory nature of the directive and gives rise to strict liability. Under the Department’s reading, any failure to prevent unauthorized access to, use, or disclosure of patient medical information would be a violation of section 1280.15, subdivision (a). Resnick, on the other hand, urges us to read the statute in its entirety, and to focus on the language stating that a health facility shall prevent unauthorized disclosure of medical information “consistent with Section 1280.18.” Section 1280.18 provides that providers must establish “appropriate . . . safeguards to protect the privacy of a patient’s medical information,” and must “reasonably safeguard confidential medical information . . . .” (§ 1280.18, subd. (a), italics added.) According to Resnick, the inclusion of the “consistent with Section 1280.18” language in section 1280.15 means that a health facility is liable under section 1280.15 only if it has failed to implement
8 reasonable safeguards consistent with section 1280.18, and thus this language effectively imports the reasonableness standard from section 1280.18 into section 1280.15. The “shall prevent” language does suggest, at least as a starting point, that a health facility is required to prevent unauthorized access, use, and disclosure of patients’ medical information. Courts generally interpret the word “shall” as giving rise to a mandatory duty, although, despite that presumption, a court interpreting a statute must still determine the legislative intent behind the enactment. (See California Correctional Peace Officers Assn. v. State Personnel Bd. (1995) 10 Cal.4th 1133, 1143 [there is a “presumption that the word ‘shall’ in a statute is ordinarily deemed mandatory, and ‘may’ permissive,” but, “[n]onetheless, in construing the statute, the court must ascertain the legislative intent”].) Here, our analysis of the statute does not end by reading the phrase “shall prevent” in isolation. We must consider the meaning in its larger context. (See Gerawan Farming, Inc. v. Agricultural Labor Relations Bd. (2018) 23 Cal.App.5th 1129, 1196, fn. 85 [“In construing a statute, ‘ “effect should be given, whenever possible, to the statute as a whole and to every word and clause thereof, leaving no part of the provision useless or deprived of meaning” ’ ”].) According to the Department, the phrase “consistent with Section 1280.18” (§ 1280.15, subd. (a)) “modifies ‘medical information,’ and does not modify ‘shall prevent.’ ” We do not agree with this interpretation. This portion of the subdivision requires the prevention of the unauthorized access, use, and disclosure of “medical information, as defined in Section 56.05 of the Civil Code and consistent with Section 1280.18.” (§ 1280.15, subd. (a).) Civil Code section 56.05, a definitions section, includes a definition of “ ‘Medical information.’ ” (Civ. Code, § 56.05, subd. (j).) Thus, Civil Code section 56.05 furnishes the definition of “medical information” as used in section 1280.15. Nothing in section 1280.18 purports to define or elaborate on “medical information.” Rather, that section sets forth requirements that health care providers
9 implement appropriate safeguards to protect the privacy of patient medical information and reasonably safeguard confidential medical information. (§ 1280.18, subd. (a).) There is no definition, description, or consideration of “medical information” in section 1280.18 to which section 1280.15 could be referring in specifying “and consistent with Section 1280.18.” (§ 1280.15, subd. (a).) Because section 1280.18 does not define or discuss “medical information,” we reject as unreasonable and contrary to the plain language of the statutory scheme the Department’s interpretation that the qualifier “consistent with Section 1280.18” in section 1280.15, subdivision (a), modifies “medical information.” Conversely, given the substance of section 1280.18, subdivision (a), requiring that health care providers implement appropriate safeguards to protect the privacy of patient medical information and reasonably safeguard confidential medical information, it is reasonable to interpret the provision of section 1280.15 requiring consistency with section 1280.18 as modifying the requirement that health facilities “shall prevent” improper use or disclosure of medical information. (§ 1280.15, subd. (a).) This reading would be functionally the same as stating that a health facility “shall prevent, consistent with section 1280.18, unlawful or unauthorized access to, and use or disclosure of, patients’ medical information, as defined in Section 56.05 of the Civil Code.” We find this to be the most reasonable reading of the statute’s plain language. We also are not persuaded by the Department’s arguments that the “ ‘consistent with Section 1280.18’ ” language serves to clarify “that sections 1280.15 and 1280.18 both concern the same types of medical information,” or that “the two statutes are complementary in how they protect medical information.” Both statutes do reference medical information. However, we conclude there could be no need to include the language “consistent with Section 1280.18” to clarify that both statutes concern medical information or even the same type of medical information, or that they are “complementary in how they protect medical information.” Such a provision would be
10 wholly superfluous and of no operative effect. There is no need for section 1280.15 to specify that a health facility shall prevent unauthorized disclosure of medical information that is consistent with the type of medical information that is also referenced in section 1280.18. While the Department disagrees, we conclude that the Department’s construction would effectively read “and consistent with Section 1280.18” out of section 1280.15, subdivision (a). “We generally must ‘ “give meaning to every word in [a] statute and . . . avoid constructions that render words, phrases, or clauses superfluous.” ’ ” (Rittiman v. Public Utilities Com. (2022) 80 Cal.App.5th 1018, 1034, fn. 10.) The Department also argues its interpretation is the only “grammatically correct reading of section 1280.15” because the phrase “as defined in Section 56.05 of the Civil Code and consistent with Section 1280.18” directly follows the term “medical information,” and is “far away from and not grammatically linked to the phrase ‘shall prevent.’ ” The first portion of that phrase clearly does refer to “medical information,” as it directly references the definition in Civil Code section 56.05. However, the mere fact that the reference to section 1280.18 is closer in the sentence to “medical information” than to “shall prevent” will not persuade us to adopt the Department’s interpretation, which we have concluded is not reasonable in the context of the statutory framework. Even if the Department’s grammatical point were correct, grammar is but a tool for use in determining legislative intent, is not itself controlling, and is certainly not a basis for impeding the effectuation of legislative intent. (Mt. Hawley Ins. Co. v. Lopez (2013) 215 Cal.App.4th 1385, 1411-1412.) The Department relies on other provisions setting forth the penalties the Department “may assess” for violations, because, according to the Department, they authorize the Department to assess a penalty “for any unlawful disclosure, without qualification.” Additionally, the Department relies on subdivision (g) of section 1280.15, which refers to the “failure to prevent” unlawful disclosures. According to the Department, the “statute’s terms such as ‘shall prevent’ and references to liability for a
11 ‘failure to prevent’ impose a strict liability standard for the unlawful disclosure of medical information.” We disagree. Nothing in these provisions addresses whether the statute is one of strict liability and do not persuade us that the conclusion we have reached is incorrect. The Department argues that, had the Legislature intended to establish a reasonableness standard, it could have done so clearly with explicit language in the statute. However, as Resnick notes, the same can be said of imposing strict liability. The mere mandate that health facilities “shall prevent” disclosure is not a conclusive indicator of strict liability when the Legislature could have used plain language to that effect. (See, e.g., § 25299.73 [the “standard of liability for any costs of corrective action recoverable pursuant to this chapter is strict liability”].) We next address the significance of the qualification that a health facility shall prevent unauthorized access to and use or disclosure of patients’ medical information, “consistent with Section 1280.18.” (§ 1280.15, subd. (a).) Again, subdivision (a) of section 1280.18 provides: “Every provider of health care shall establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient’s medical information. Every provider of health care shall reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use, or disclosure.” (§ 1280.18, subd. (a).) Synthesizing these sections, section 1280.15 provides that a health facility “shall prevent” unauthorized access to and use or disclosure of patients’ medical information “consistent with Section 1280.18” (§ 1280.15, subd. (a)), which, in turn, requires health care providers to “implement appropriate . . . safeguards to protect the privacy of a patient’s medical information,” and to “reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use, or disclosure” (§ 1280.18, subd. (a)).
12 We agree with Resnick, amicus curiae, and the trial court that this statutory framework incorporates the standards from section 1280.18 into section 1280.15. Specifically, it requires health facilities to prevent unauthorized access to, use of, and disclosure of patients’ medical information consistent with section 1280.18 by implementing “appropriate” safeguards and “reasonably safeguard[ing]” that information. Thus, this section incorporates the “appropriate” and “reasonabl[e]” standards from section 1280.18 into section 1280.15. We therefore agree with the trial court’s conclusion that the “only reasonable interpretation” of the statutory framework “is that a violation of section 1280.15 cannot occur without a concurrent violation of section 1280.18.” As the trial court wrote, a “finding of violation of section 1280.15 . . . where the facility had implemented appropriate safeguards in compliance with section 1280.18 would not be ‘consistent with’ section 1280.18.” Thus, notwithstanding its “shall prevent” language, we find that section 1280.15 is not a strict liability statute that establishes a violation in every case of unauthorized access and use or disclosure. For an actionable violation, the health facility must have failed to comply with section 1280.18, subdivision (a). For the foregoing reasons, we conclude that the plain language of section 1280.15, subdivision (a), makes clear that this law incorporates the requirements of section 1280.18 and the “appropriate” and “reasonabl[e]” standards in that section. This interpretation effectuates the legislative intent to protect patients’ medical information while not penalizing health facilities that have undertaken all reasonable steps within their power to safeguard that information. Because we conclude that the language of section 1280.15 is plain and unambiguous, the text controls. (Lopez v. Sony Electronics, Inc. (2018) 5 Cal.5th 627, 634.) Accordingly, we need not address the Department’s arguments concerning the legislative history of section 1280.15, whether the Department’s interpretation is entitled to deference (see Western Growers Assn. v. Occupational Safety & Health Stds. Bd.
13 (2021) 73 Cal.App.5th 916, 932 [“ ‘Deference is not accorded to an administrative action which is incorrect in light of unambiguous statutory language or which is clearly erroneous or unauthorized’ ”]), the “foundational principles of administrative law” governing a licensee’s liability for the acts of its employees, or public policy. DISPOSITION The judgment is affirmed. Resnick shall recover its costs on appeal. (Cal. Rules of Court, rule 8.278(a)(1), (2).)
\s\ , Krause, J.
We concur:
\s\ , Hull, Acting P. J.
\s\ , Boulware Eurie, J.