On September 11, 2023, the HHS Office of Civil Rights (OCR) announced a settlement with LA Care Health Plan (LA Care) regarding LA Care’s potential HIPAA Security Rule violations. HHS and LA Care have executed a Resolution Agreement and Corrective Action Plan (Resolution Agreement), whereby LA Care agreed to pay $1.3 million to HHS and to implement a corrective action plan to take steps to resolve the potential violations of the HIPAA Security Rules.

LA Care is the nation’s largest publicly operated health plan that provides health care benefits and coverage through state, federal, and commercial programs. The HHS Office of Civil Rights enforces the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Security Rules) that set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of protected health information (PHI).

The Resolution Agreement stems from two separate incidents. The first resulted from a 2014 media article that reported that some LA Care members who logged into their payment portal website were able to view the PHI of other LA Care members, including other members’ names, addresses, and member identification numbers. HHS opened a compliance review based on this article, and in February 2016, LA Care filed a breach report with the HHS Office of Civil Rights, which described that the breach potentially affected less than 500 individuals.

The second incident is from March 2019, when LA Care reported to the HHS Office of Civil Rights that a mailing error caused LA Care member ID cards to be mailed to the wrong members. Approximately 1,498 individuals were affected by this second breach.

As a result of these two incidents, HHS conducted a comprehensive investigation into LA Care’s compliance with HIPAA Security Rules. This investigation found several alleged potential violations of the HIPAA Security Rules, including:

• Failure to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic PHI (ePHI) across the organization.
• Failure to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level.
• Failure to implement sufficient procedures to regularly review records of information system activity.
• Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI.
• Failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

In addition to agreeing to pay $1.3 million for the alleged HIPAA Security Rule breaches, LA Care agreed to implement a corrective action plan in which the HHS Office of Civil Rights will monitor LA Care for three years to ensure compliance with HIPAA. The agreed upon corrective action plan will require LA Care to make the following corrective measures:

• Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization.
• Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
• Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan.
• Report to HHS when it conducts an evaluation due to an environmental and operational change that affects the security of ePHI in LA Care’s possession or control.
• Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Security Rules.

By entering into the Resolution Agreement, LA Care is not admitting or conceding that any breach of the HIPAA Security Rules occurred or that it is liable for civil money penalties.

The LA Care Health Plan Resolution Agreement and Corrective Action Plan can be found here. The HHS Press Release regarding the Resolution Agreement can be found here.