Los Angeles Health Plan Fined $1,300,000 by OCR for Alleged HIPAA Violations

The HHS’ Office for Civil Rights (OCR) has announced a settlement with L.A. Care Health Plan, the nation’s largest publicly operated health plan, resolving alleged violations of the HIPAA Privacy and Security Rules. Under the terms of the settlement, L.A. Care Health Plan will pay $1,300,000 and will adopt a corrective action plan covering the areas of noncompliance OCR identified during two separate investigations of data breaches.

The data breaches in question occurred in 2014 and 2019. The first was caused by human error and, for three days in 2014, allowed plan members to view the electronic protected health information (ePHI) of other plan members through the online member portal; fewer than 500 plan members were involved. The breach was reported in the media in 2014, but it was not reported to OCR until February 2016, one month after OCR had initiated a compliance review.

In March 2019, OCR was notified of a second breach, this time affecting 1,498 individuals: an error in the mailing of member ID cards resulted in cards being sent to the wrong members. OCR investigated both breaches to determine whether the HIPAA Rules had been violated and identified the following potential violations:

  • Failure to conduct an accurate and thorough risk analysis.
  • Failure to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Failure to implement sufficient procedures to regularly review records of information system activity.
  • Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI.
  • Failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
  • Impermissible disclosure of the ePHI of 1,498 individuals (the 2019 ID card mailing error).

“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic noncompliance with the HIPAA Rules,” said OCR Director Melanie Fontes Rainer in the announcement about the settlement. “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies. Entities such as LA Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.”

This is the ninth HIPAA settlement announced by OCR in 2023. So far this year, OCR has collected $3,356,500 in settlements and civil monetary penalties to resolve HIPAA violations.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/