L.A. Care to Pay $1.3 Million Settlement Over HIPAA Violations: What You Need to Know

Fox Rothschild LLP

A recent settlement entered into by the nation’s largest publicly operated health plan serves as a stark warning to all entities and business associates subject to the Health Insurance Portability and Accountability Act: Disregard your obligation at your own risk.

The settlement at hand involved the U.S. Department of Health and Human Services’ Office for Civil Rights (HHS) and L.A. Care Health Plan (L.A. Care). Under the settlement, which was announced Sept. 11, L.A. Care will pay a fine of $1.3 million and enter into a corrective action plan to address several HIPAA compliance deficiencies.

Incidents and Deficiencies

The underlying events originated with an incident in January 2014, in which L.A. Care’s payment portal allowed members to view the names, addresses and member identification numbers of other members. This incident was reported in an online article in March 2014, which indicated that the disclosures were a result of a “manual information processing error.”

HHS initiated its investigation in January 2016 based on the March 2014 article, apparently (and notably) not because L.A. Care notified it and/or the affected individuals of the breach. On February 26, 2016, L.A. Care filed a report with HHS indicating that the January 2014 event resulted in a HIPAA breach potentially affecting fewer than 500 individuals. HHS notified L.A. Care of its investigation into L.A. Care’s HIPAA compliance in May 2016.

While HHS’ investigation was ongoing, L.A. Care suffered a subsequent HIPAA breach in January 2019. L.A. Care reported to HHS that approximately 1,500 members received identification cards for other L.A. Care members as a result of a “mailing error.”

HHS stated L.A. Care’s potential violations included a failure: (1) to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic Protected Health Information (ePHI or PHI) across the organization; (2) to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI; (3) to implement sufficient procedures to regularly review records of information system activity; (4) to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI; and (5) to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

The breach incidents and HIPAA violations cited by HHS indicate that L.A. Care failed to implement and maintain certain basic technical, physical, and administrative safeguards in accordance with HIPAA’s requirements. While the full extent of the HIPAA violations and deficiencies was not reported, the duration of HHS’ investigation (2016-2023), the settlement amount of about $1.3 million, and the corrective actions required by HHS provide insight.

Corrective Action Plan

In addition to the monetary settlement, L.A. Care is subject to a corrective action plan that will be monitored by HHS for three years to ensure compliance. The plan reflects HHS taking an active role in overseeing L.A. Care’s remediation of existing compliance deficiencies and in establishing protocols to address unanticipated changes to its systems and operations.

The corrective action plan requires L.A. Care to (1) conduct accurate and thorough risk assessments; (2) identify and remediate vulnerabilities to the confidentiality, integrity and availability of ePHI; (3) monitor and report to HHS environmental and operational changes that may affect the security of ePHI; (4) ensure workforce awareness of the safeguards and policies; and (5) report instances of workforce non-compliance to HHS.

Takeaway

Covered entities and business associates must implement the basic safeguards required under the HIPAA Security Rule and consistently maintain and improve them as necessary to avoid inadvertent disclosure of PHI. They have an affirmative obligation to identify and mitigate vulnerabilities within their processes and established safeguards, and to provide prompt notification of HIPAA breaches. Establishing a set of HIPAA policies and procedures but failing to enforce them or failing to review and update them following the occurrence of a security incident or breach leaves PHI vulnerable to improper access and disclosure.

HHS’ findings and the results of the settlement reaffirm that HHS has investigated, and will continue to investigate, these matters and will hold covered entities and business associates responsible for their failure to comply with HIPAA’s requirements. It is vital that covered entities regularly review and update their HIPAA safeguards.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising