On September 22, 2012, Governor Jerry Brown signed a bill (A.B. 439) that allows defendants to use an affirmative defense to damage claims, where a HIPAA covered entity or business associate can establish certain actions or lack of harm. The existing law, Confidentiality of Medication Information Act (CMIA), prohibits a health care provider, contractor or health care service plan from dislcosing medical information regarding a patient without first obtaining authorization. The law allows an individual to bring an action against any person or entity who has negligently released records, also providing for statutory damages of $1,000 per record, i.e., nominal damages (no need to show actual damages). The new bill, effective Jan. 1, 2013, specifies that, in an action brought by an individual, a court may not award the “nominal” damage where the defendant is entitled to an affirmative defense. The affirmative defenses apply to HIPAA entities/business associates, who establish: that there was notification compliance; that the release of information was to another covered entity/business associate; that the release of the confidential information was not medical ID theft; and, that the defendant took appropriate preventive measures (security policies, encryption, retention procedures, remedial measures). Finally, if the affirmative defense is established, defendant shall not be liable for more than one judgment on the merits for releases of confidential informatoin arising out of the same event, transaction or occurrence.