HHS Hits Nation’s Largest Public Health Plan with Severe Corrective Action Plan

Brownstein Hyatt Farber Schreck
Paying the $1.3 million fine is the easy part. Complying with the CAP is a different undertaking.

On Sept. 11, 2023, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced an unprecedented resolution agreement and corrective action plan (“CAP”) with L.A. Care Health Plan to settle investigations over potential HIPAA violations.

As part of the resolution agreement, L.A. Care agreed to pay $1.3 million. That is the easy part—a minor endeavor compared to complying with the CAP. Attached to the resolution agreement as Appendix A, the CAP will keep the L.A. Care chief compliance officer, privacy officer and information security officer busy with the following tasks:

  • Conducting an enterprise-wide risk analysis
  • Developing and implementing a risk management plan
  • Drafting an evaluation report
  • Drafting policies and procedures to comply with the HIPAA Privacy Rule and Security Rule
  • Augmenting the training program
  • Ongoing reporting of reportable events such as workforce member noncompliance

Completion of each of these tasks is subject to HHS’s approval.

Although it may be tempting to cut costs by skimping on physical, administrative and technical security measures to protect the confidentiality, integrity and availability of protected health information (PHI), the lack of those measures can be easily highlighted through basic human error. Indeed, HHS has a webpage dedicated to “How to File a Civil Rights Complaint.”

In L.A. Care’s case, what appears to be a simple human error of sending approximately 1,498 member ID cards to the wrong individuals around January 2019 raised a red flag that was eventually noticed by the OCR. But this wasn’t the first investigative red flag. In January 2016, HHS started a compliance review after a March 3, 2013, article reported L.A. Care members seeing other members’ information upon logging onto the payment portal. Note that these were not hackers attempting to break into the system and steal data, but human errors internal to the company.

HHS’s investigation of L.A. Care’s compliance with HIPAA rules revealed potential violations such as:

  • Risk analysis of vulnerabilities and potential risks to the confidentiality, integrity and availability of electronic PHI (ePHI). 45 C.F.R. Section 308(a)(1)(ii)(A).
  • Implementation of sufficient security measures for reducing risks and vulnerabilities. 45 C.F.R. Section 308(a)(1)(ii)(B).
  • Procedures to regularly review records of system activity. 45 C.F.R. Section 308(a)(1)(ii)(D).
  • Periodic technical and nontechnical evaluations. 45 C.F.R. Section 308(a)(8).
  • Implementation of software, hardware and/or procedural mechanisms for recording and examining information system activity. 45 C.F.R. Section 312(b).
  • Human error of disclosing 1,498 individuals’ ePHI. 45 C.F.R. Section 502(a).

No company is without security incidents that result from human error. It could be argued that if human error was the only issue, there would not have been a resolution agreement and CAP. That places the compliance spotlight squarely on lacking the mandatory physical, administrative and technical security controls to safeguard the confidentiality, integrity and availability of PHI.

Covered entities under HIPAA are also responsible for passing these obligations on to their business associates through a business associate agreement. A significant number of security incidents occur at the vendor level. Accordingly, it is prudent for covered entities to review the vendor’s SOC 2 reports and its adherence to cybersecurity risk frameworks such as ISO 27001:2013 or the NIST CSF, in addition to the vendor’s privacy obligations.

To be clear, human errors, incidents and breaches happen to companies that have best-in-class protections, policies and procedures. The question is not if a human error, incident or breach will happen—it is when. When that happens and an OCR investigation ensues, the company that can provide evidence of proper compliance with HIPAA (through contractual, procedural, policy and governance evidence along with proper physical, administrative and technical controls evidence) will be better poised to avoid a resolution agreement and CAP.

We would be remiss if we didn’t acknowledge that HHS is not the only federal agency watching and acting on privacy concerns in health care. The Federal Trade Commission may also take action where it discovers deceptive privacy and security promises in covered entity privacy policies. Covered entities should therefore prioritize developing robust HIPAA compliance plans to mitigate the risk of such actions.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
