OCR Reaches $1.3M Settlement With LA Care Over Potential HIPAA Violations

September 11, 2023 - LA Care, a Los Angeles-based health plan, agreed to a $1.3 million settlement and corrective action plan (CAP) to resolve potential HIPAA violations uncovered during two HHS Office for Civil Rights (OCR) investigations. LA Care is the largest publicly operated health plan in the US, covering nearly 3 million members.

The settlement was the result of two OCR investigations that began with a breach report and a media article concerning a separate security incident. OCR started a compliance review of LA Care in 2016, following a 2014 media article that reported that some LA Care members were able to see other members’ names, addresses, and identification numbers when they logged onto their personal payment portal.

LA Care filed a breach report about this incident, explaining that the error had impacted less than 500 individuals. But in 2019, LA Care reported another breach to OR, this time impacting nearly 1,500 individuals. The 2019 breach occurred due to a mailing error that resulted in LA Care members receiving ID cards meant for other members.

OCR’s investigations uncovered several potential HIPAA violations, including failure to implement sufficient security measures to reduce risks to electronic protected health information (ePHI), and failure to conduct an accurate risk analysis.

More potential violations included failure to perform a technical and nontechnical evaluation in response to changes impacting the security of ePHI, and failure to implement procedural mechanisms to examine activity in information systems that contain ePHI.

Due to the sheer size of LA Care, OCR expressed concerns about the evidence of potential noncompliance with the HIPAA Privacy and Security Rules across the organization. On top of the hefty monetary settlement, LA Care agreed to take on a variety of corrective actions to improve compliance and security.

The CAP requires LA Care to conduct an accurate and thorough risk analysis to determine vulnerabilities to patient data systems, develop a risk management plan, and implement and distribute updated risk management policies and procedures.

Additionally, LA Care will be required to report to HHS “when it conducts an evaluation due to an environmental and operational change that affects the security of ePHI in LA Care’s possession or control,” the CAP noted. What’s more, LA Care must communicate with HHS within 30 days if a workforce member fails to comply with HIPAA rules.

“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic, noncompliance with the HIPAA Rules,” said OCR Director Melanie Fontes Rainer. “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.”

OCR has made its priorities clear with recent settlements, showing that it will investigate any potential HIPAA violations. Most recently, OCR reached a settlement with UnitedHealthcare Insurance Company (UHIC) to resolve potential HIPAA right of access violations. UHIC agreed to pay $80,000 to OCR. The investigation marked the 45th case settled under OCR’s HIPAA Right of Access Initiative.

These cases show that when organizations face data breaches or complaints of noncompliance, they can expect to hear from regulators.