June 15, 2023
Kaiser Permanente, a prominent organization offering health insurance and medical care, recently faced a significant penalty of $450,000 imposed by The Department of Managed Health Care. This fine resulted from the organization’s violation of California laws. The breach occurred as the company failed to update its electronic health records system, resulting in the impermissible disclosure of confidential and protected health information (PHI) of a substantial number of health plan members.
Table of Contents
Kaiser Permanente Fined Due to Mailing Error
Between October 2019 and December 2019, Kaiser Permanente sent out 337,755 mailings to 167,095 enrollees’ addresses. Unfortunately, due to an error in their electronic medical record system, some of these mailings were directed to outdated addresses. Upon receiving the mailings, eight individuals promptly contacted the organization after realizing the information was meant for someone else. Furthermore, 1,788 packets were returned unopened by recipients who recognized that they had been sent to incorrect addresses. Consequently, the mailing error led to the disclosure of PHI.
DMHC Investigation Uncovers Kaiser Permanente’s Violations
The California Department of Managed Health Care, or DMHC, thoroughly investigated the mailings’ potential breach. They found that Kaiser Permanente violated California’s Confidentiality of Medical Information Act (CMIA) by disclosing medical information without authorization. The managed care organization further breached the CMIA rules for its negligent maintenance and disposal of sensitive medical data.
It is also worth noting that the organization became aware of the mailing error on November 11, 2019, but only halted the mailings on December 20, 2019. This 39-day delay resulted in a further 175,000 potentially misdirected correspondences. The inability to promptly address the issue exacerbated the breach, potentially impacting the confidentiality of PHI for thousands of enrollees.
Impact on Kaiser Permanente Enrollees
The healthcare provider’s violation of the CMIA has led to severe repercussions. Aside from Kaiser Permanente getting heavy sanctions, the mailing error resulted in the unauthorized disclosure of PHI for up to 167,095 health plan members. This incident raised concerns regarding patient privacy and highlighted the importance of maintaining confidentiality in the healthcare sector.
The breach exposed sensitive medical information to unintended recipients, jeopardizing patient privacy and potentially compromising their well-being. Malicious actors can use enrollees’ PHI and personally identifiable information (PII) for criminal activities such as identity theft, account takeover, phishing, financial fraud, employment or tax fraud, impersonations, and other scams.
Report Shows Kaiser Permanente Among Health Privacy Law’s Repeat Offenders
This incident isn’t the first time the organization has made the news for violating the Health Insurance Portability and Accountability Act or HIPAA. A 2015 ProPublica report shows that the healthcare provider was one of the HIPAA Privacy Rules’ repeat offenders. The article mentions that while organizations receive private warnings for their violations, sanctions are rarely imposed. This time, though, Kaiser Permanente couldn’t escape the DMHC’s strict enforcement actions.
Privacy Violations and Fines Under State and HIPAA Laws
Both state laws and the HIPAA federal law protect patient privacy and security. These laws and regulations establish strict guidelines and requirements for covered entities to protect patients’ PHI from unauthorized access, use, or disclosure. Compliance not only safeguards patient information but also cultivates trust between healthcare providers and their patients.
The penalties for non-compliance with HIPAA rules and state laws vary based on the extent and severity of the breach. Organizations may face significant financial loss, legal liabilities, and reputational damage. The Kaiser Permanente violations and fines imposed by the DMHC show that repercussions can be severe when privacy laws are enforced.
Kaiser Permanente Implements Corrective Actions
To rectify the violations and prevent future breaches, Kaiser Permanente committed to implementing corrective actions in line with HIPAA requirements. These actions include updating software systems to avoid mailing errors, conducting regular address accuracy checks, and providing staff training on HIPAA standards.
Kaiser Permanente will also collaborate with their call center employees to verify address information, notify affected individuals about the breach, and take necessary steps to prevent similar incidents from occurring. The company’s commitment to safeguarding consumers’ confidential information is crucial in restoring trust and patient privacy.
“Health plans must protect the confidentiality of enrollee records and maintain and dispose of medical information correctly,” said DMHC Director Mary Watanabe. “Kaiser Permanente agreed to take corrective actions to protect consumers’ confidential information and ensure this doesn’t happen again.”
The heavy penalty imposed on Kaiser Permanente by the DMHC highlights the importance of patient privacy and the consequences of privacy breaches in the healthcare industry. The mailing error that led to the disclosure of PHI raises concerns about the security and protection of sensitive medical information. Kaiser Permanente’s corrective actions serve as a reminder to healthcare providers of the importance of adhering to applicable laws and regulations, such as CMIA and HIPAA.
