Regents of University of California v. State Department of Public Health (Sept. 23, 2025) __ Cal.App.5th __ [2025 WL 2701640]
California Department of Public Health (DPH) imposed a $75,000 penalty on University of California hospital affiliate Resnick Neuropsychiatric Hospital (Resnick) after a Resnick employee photographed confidential patient information and posted the picture on social media. DPH found that Resnick violated Health and Safety Code section 1280.15, which provides that healthcare facilities “shall prevent unlawful or unauthorized” disclosure of patient medical information “consistent with” the facility’s statutory duty under section 1280.18 to use “reasonable” and “appropriate safeguards” to protect the privacy of that information. Although DPH did not that find that Resnick violated section 1280.18, DPH maintained that Resnick was strictly liable for any confidentiality breach regardless whether it complied with section 1280.18. The administrative law judge (ALJ) upheld DPH’s penalty. The trial court granted Resnick’s petition for administrative mandamus, ruling that section 1280.15 incorporates section 1280.18’s reasonableness standards and therefore cannot be violated absent a concurrent violation of section 1280.18. DPH appealed.
The Court of Appeal affirmed. The court held that “the plain and unambiguous language of section 1280.15 effectively incorporates the reasonableness standard set forth in section 1280.18.” The court reasoned that a “finding of violation of section 1280.15 . . . where the facility had implemented appropriate safeguards in compliance with section 1280.18 would not be ‘consistent with’ section 1280.18.” Thus, the “ ‘only reasonable interpretation’ of the statutory framework ‘is that a violation of section 1280.15 cannot occur without a concurrent violation of section 1280.18.’ ”
