L.A. Care Health Plan Settles Multiple HIPAA Violations for $1.3 Million
The Local Initiative Health Authority for Los Angeles County, operating as L.A. Care Health Plan, has settled multiple violations of the HIPAA Privacy and Security Rules with the HHS’ Office for Civil Rights (OCR) and will pay a $1,300,000 penalty and adopt a robust corrective action plan.
L.A. Care Health Plan is the largest publicly operated health plan in the United States and has more than 2.7 million members. OCR said it launched two separate investigations of L.A. Care Health Plan to assess the state of HIPAA compliance, the first of which was in response to a media report about impermissible disclosures of protected health information (PHI) via its member portal and the second was in response to a breach that was reported to OCR involving the PHI of 1,498 members.
In March 2014, an online media source reported that members of the health plan were able to access the protected health information (PHI) of other members via the online member portal between January 22 and January 24, 2014. The breach was due to a manual processing error that allowed members to view other members’ information, including names, addresses, and member identification numbers. In January 2016, OCR initiated a compliance review and in February 2016, L.A. Care Health Plan reported the breach to OCR as affecting fewer than 500 individuals. In March 2019, L.A. Care Health Plan notified OCR about a 1,498-record data breach that occurred on or around January 30, 2019. The breach was due to a mailing error that saw members receive the ID cards of other health plan members.
OCR determined that there had been several failures to fully comply with the requirements of the HIPAA Privacy and Security Rules. The resolution agreement lists six potential HIPAA violations identified by its investigators.
- A failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI – 45 C.F.R. § 164.308(a)(1)(ii)(A).
- A failure to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level – 45 C.F.R. § 164.308(a)(1)(ii)(B).
- A failure to implement sufficient procedures to regularly review records of information system activity – 45 C.F.R. § 164.308(a)(1)(ii)(D).
- A failure to perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of ePHI – 45 C.F.R. § 164.308(a)(8).
- A failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI – 45 C.F.R. § 164.312(b).
- The impermissible disclosure of the ePHI of 1,498 individuals – 45 C.F.R. § 164.502(a).
L.A. Care Health Plan chose to settle the investigations with no admission of liability and agreed to pay a $1,300,000 financial penalty and adopt a corrective action plan to address the alleged HIPAA violations. The corrective action plan requires L.A. Care Health Plan to conduct a comprehensive, organization-wide risk analysis; develop a risk management plan; develop, implement, and distribute policies and procedures covering risk analysis and risk management; report to OCR when evaluations of environmental and operational changes are conducted; and report HIPAA violations by employees to OCR within 30 days.
“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic noncompliance with the HIPAA Rules,” said OCR Director Melanie Fontes Rainer. “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies. Entities such as LA Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.”