11 Years After First Disclosure, L.A. Care Pays $1.3M, Says ‘Processing Errors’ Caused Breaches

Health Care Compliance Association (HCCA)

Report on Patient Privacy 23, no. 10 (October, 2023)

By 2016, it should have been clear to HIPAA covered entities that a security risk analysis—and corresponding risk management plan—were compliance basics. Yet, a new settlement agreement between the HHS Office for Civil Rights (OCR) and L.A. Care Health Plan, which has nearly 3 million members, alleges the plan failed in both respects. L.A. Care agreed to pay $1.3 million and implement a three-year corrective action plan (CAP) to settle these and other related “potential” violations.[1]

A three-year CAP has become a rarity in recent years, and the settlement harkens back to past OCR agreements in another way: it has often taken OCR more than five years to resolve an investigation with enforcement action. In this case, the agency cited a 2014 disclosure, followed by another in 2019, as among the alleged HIPAA infractions underlying the settlement with the nation’s largest publicly operated health plan.

Interestingly, OCR’s own website reveals L.A. Care reported a breach in 2012 that mirrors the 2019 incident and which potentially affected nearly 10 times the number of individuals cited in the new resolution agreement.[2] Following that report, OCR warned it to conduct the risk analysis it now alleges was never completed.

At the time, OCR “provided technical assistance regarding a covered entity’s obligation to conduct an accurate and thorough risk analysis and implement security measures sufficient to reduce those risks and vulnerabilities identified in the analysis,” according to the website.

The settlement, announced last month but signed during the summer, marks only the second penalty of more than $1 million announced since OCR lowered tiers of fines in 2019, following a successful challenge by the University of Texas MD Anderson of a $4.3 million penalty OCR sought to impose.[3] In February, OCR announced that Banner Health of Phoenix, Arizona, agreed to a $1.25 million settlement for a 2016 hacking estimated to affect 2.81 million individuals.[4]

The settlement documents indicate OCR did not begin its “compliance review” of L.A. Care related to the 2014 incident until Jan. 13, 2016—two years later—spurred by a news report published on March 3, 2014.

Quoting from that report, “some L.A. Care Covered members who logged onto (their) payment portal were able to see another member’s name, address and member identification number…the disclosures took place between January 22, 2014 to January 24, 2014 and were the result of a manual information processing error,” OCR said.

According to the agency, L.A. Care did not report this to OCR until Feb. 26, 2016, after OCR began its review. However, in its statement to RPP, L.A. Care said this incident involved 700 individuals (OCR provided no number of affected people), which is above the 500-individual threshold at which a breach must be posted on OCR’s breach report website.

OCR reclassified the review to an investigation on May 19, 2016. It is not clear what, if anything, transpired between OCR and L.A. Care for three years. OCR picked up the thread again by noting that on March 15, 2019, L.A. Care reported to OCR that it had learned of a mix-up with members’ identification (ID) cards.

Earlier in 2019, the Los Angeles Department of Public Social Services informed L.A. Care that one of its health plan members received ID cards for other members. L.A. Care “discovered that a mailing error caused member ID cards to be mailed to the wrong members. Approximately 1,498 individuals were affected by the breach,” according to the settlement documents.

Again, it’s not known what went on between the 2019 investigation and the signing of the settlement agreement four years later obligating L.A. Care to pay $1.3 million and implement the CAP.

L.A. Care did not respond to RPP’s question of why the agreement took so long to be reached, nor what the penalty amount is based on. Officials did respond to other questions.

In a statement, L.A. Care officials said the plan “self-reported” the two incidents because it “takes the privacy and security of our members’ data seriously.” In total, the 2014 and 2019 incidents resulted in “a combined number of approximately 2,250 members’ data [being] inadvertently shared with individuals other than the member,” the plan told RPP.

Specifically, “in 2014, an online payment portal displayed the Personal Health Information (PHI) of approximately 750 members to the wrong individuals due to a processing error,” the statement said. “In 2019, a data processing error resulted in approximately 1,500 membership ID cards being mailed to the wrong individuals.”

L.A. Care said OCR “concluded that the conduct was not intentional and that L.A. Care took reasonable corrective action upon discovery.” However, neither OCR’s news release nor the settlement documents contain language regarding intent, and neither addresses L.A. Care’s actions in response to the breaches. Without a breakdown of the penalty, it is not possible to know whether OCR based any of the $1.3 million on the “willful neglect” category of fines, which is the highest tier.

“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic noncompliance with the HIPAA Rules,” OCR Director Melanie Fontes Rainer said in the news release. “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules and not wait for OCR to reveal long-standing HIPAA inefficiencies. Entities such as LA Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.”

RPP also asked L.A. Care if it had already implemented requirements in the CAP, given the length of time that had elapsed since the 2019 breach.

“During the course of the OCR’s investigation, other opportunities to strengthen the privacy and security of member data were identified, and L.A. Care is working on implementing those enhanced protocols and processes. None of these discovered areas have resulted in a data breach,” the statement said.

Moreover, the plan “made operational changes due to the processing errors soon after their discovery, and L.A. Care and the OCR have mutually agreed to a corrective action plan to reduce the risk of similar events occurring in the future.” L.A. Care officials added that “impacted members were notified soon after L.A. Care identified the issues and within the federal notification timeframes.”

L.A. Care “regrets these incidents occurred, and remains committed to continuous improvement in order to maintain the trust of our members and protect their data,” the statement said.
