The HHS’ Office for Civil Rights (OCR) has announced a settlement has been reached with the nation’s largest publicly operated health plan, L.A. Care Health Plan, which resolves alleged violations of the HIPAA Privacy and Security Rules. Under the terms of the settlement, L.A. Care Health Plan will pay a $1,300,000 penalty and will adopt a corrective action plan that covers the aspects of noncompliance discovered by OCR during two separate investigations of data breaches.
The data breaches in question occurred in 2014 and 2019. The first was due to human error: over three days in 2014, fewer than 500 plan members were able to access the electronic protected health information (ePHI) of other plan members via the online portal. The data breach was reported in the media in 2014, but it was not reported to OCR until February 2016, one month after OCR initiated a compliance review.
In March 2019, OCR was notified about another data breach, this time affecting 1,498 individuals. An error occurred when mailing ID cards, resulting in them being sent to the wrong members. OCR investigated the data breach to determine whether the HIPAA Rules had been violated and identified several potential violations of the HIPAA Rules during the investigations:
- The requirement to conduct an accurate and thorough risk analysis.
- The requirement to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
- The requirement to implement sufficient procedures to regularly review records of information system activity.
- The requirement to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI.
- The requirement to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
- OCR also determined that L.A. Care Health Plan impermissibly disclosed the ePHI of 1,498 individuals.
“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic noncompliance with the HIPAA Rules,” said OCR Director Melanie Fontes Rainer in the announcement about the settlement. “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies. Entities such as LA Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.”
This is the 9th HIPAA settlement to be announced by OCR in 2023. So far this year, OCR has imposed $3,356,500 in civil monetary penalties to resolve HIPAA violations.