L.A. Care Health Plan Resolves Several HIPAA Violations with a $1.3 Million Settlement

Posted by HIPAA Software on Sep 12, 2023

The Local Initiative Health Authority for Los Angeles County, also known as L.A. Care Health Plan, has resolved multiple HIPAA Privacy and Security Rule breaches with HHS’ OCR. As part of the settlement, they will incur a $1,300,000 fine and implement a comprehensive corrective action plan.

L.A. Care Health Plan is the largest publicly operated health plan in the US, with over 2.7 million members. The OCR initiated two distinct investigations into L.A. Care Health Plan to evaluate its compliance with HIPAA. The initial investigation stemmed from a media report about unauthorized PHI disclosures via the member portal. The second investigation was triggered by a reported breach that impacted the PHI of 1,498 members.

In March 2014, an online media outlet revealed that individuals covered by the health plan had accidentally accessed the protected health information (PHI) of fellow members through the online member portal. The exposure lasted only a brief period, from January 22 to January 24, 2014, and was caused by a manual processing error that allowed members to view other members' personal details, such as names, addresses, and member IDs.

Subsequently, in January 2016, the Office for Civil Rights (OCR) initiated a compliance review, and in February 2016, L.A. Care Health Plan officially reported the breach to OCR. This report indicated that the breach had affected fewer than 500 individuals.

Then, in March 2019, L.A. Care Health Plan informed OCR about another data breach involving 1,498 records. This incident took place around January 30, 2019, and was attributed to a mailing error that resulted in members receiving the identification cards of other health plan participants.

OCR Findings Reveal Significant HIPAA Non-Compliance and Subsequent Resolution Agreement

OCR found multiple instances of non-compliance with the HIPAA Privacy and Security Rules, as evidenced by a resolution agreement that enumerates six potential HIPAA violations detected by its investigators.


  • Neglecting to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) – 45 C.F.R. § 164.308(a)(1)(ii)(A).
  • Failing to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level – 45 C.F.R. § 164.308(a)(1)(ii)(B).
  • Failing to implement procedures to regularly review records of information system activity – 45 C.F.R. § 164.308(a)(1)(ii)(D).
  • Failing to perform periodic technical and non-technical evaluations, initially based on the standards defined under this regulation and subsequently in response to environmental or operational changes affecting the security of ePHI – 45 C.F.R. § 164.308(a)(8).
  • Failing to implement hardware, software, or procedural mechanisms that record and examine activity in information systems that contain or use ePHI – 45 C.F.R. § 164.312(b).
  • Impermissibly disclosing the ePHI of 1,498 individuals – 45 C.F.R. § 164.502(a).

L.A. Care Health Plan decided to resolve the investigations without admitting liability and agreed to a $1,300,000 financial penalty. It also committed to a corrective action plan to address the alleged HIPAA violations. The plan requires an organization-wide risk analysis and risk management strategy, including the creation and distribution of relevant policies and procedures. It also requires L.A. Care Health Plan to notify OCR of its environmental and operational assessments and to report HIPAA violations by employees within 30 days.

“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic noncompliance with the HIPAA Rules,” said OCR Director Melanie Fontes Rainer. “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies. Entities such as LA Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.”
