California: AG announces $49M settlement with Kaiser for illegal disposal of protected health information
The California Attorney General (AG), Rob Bonta, announced, on September 8, 2023, that, in partnership with six other AGs, it had reached a $49 million settlement with Kaiser Foundation Health Plan, Inc. and Kaiser Foundation Hospitals. The settlement resolves allegations that the healthcare provider unlawfully disposed of, among other things, protected health information at Kaiser facilities statewide, in alleged violation of the Health Insurance Portability and Accountability Act (HIPAA) and the Confidentiality of Medical Information Act (CMIA), among others.
Background to the case
In particular, the AG noted that the allegations resulted from undercover inspections of dumpsters from 16 different Kaiser facilities, conducted by the district attorneys' offices.
Findings of the AG
Following its investigation, the AG noted that it reviewed the contents of unsecured dumpsters destined for disposal at publicly accessible landfills, finding over 10,000 paper records containing the information of over 7,700 patients. To this end, Bonta explained that Kaiser failed to prevent unlawful or unauthorized access to, use, or disclosure of, patients' medical information, as required by the Health and Safety Code, and failed to establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient's medical information.
Further to the above, the AG highlighted that it had reached a settlement that requires Kaiser to pay $46 million in penalties and retain an independent third-party auditor, approved by Bonta's Office and the District Attorneys, who will:
- perform no less than 520 trash compactor audits at Kaiser's California facilities to help ensure that regulated wastes (including items containing protected health information) are not unlawfully disposed of;
- conduct at least 40 programmatic field audits each year, for a period of five years after entry of the final judgment, to evaluate Kaiser's compliance with policies and procedures designed to ensure compliance with applicable laws related to, among other things, protected health information; and
- designate existing or new qualified personnel to serve as its California Regional Privacy and Security Officers with responsibilities for all covered entities.