Payer’s $1.3M HIPAA settlement a cautionary tale

LA Care Health Plan, operated by the Local Initiative Health Authority for Los Angeles (LA) County, has agreed to pay $1.3 million and implement a corrective action plan (CAP) in response to alleged HIPAA violations stemming from an investigation by the HHS Office of Civil Right (OCR) into a pair of incidents reported in the past decade.

“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic, noncompliance with the HIPAA Rules,” said OCR Director Melanie Fontes Rainer, in a press release.  “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.  Entities such as LA Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.”

The first sign of patient privacy trouble for LA Care, the largest publicly operated health care pan with about 3 million members, came in January 2014 when some of its covered members logged into their member portals to find other members’ personal member information, including names, addresses, and member identification numbers. This mishap was chalked up to a manual information processing error, but OCR opened an investigation into the matter in January 2016, based on a March 2014 media report detailing the incident.

Under the Breach Notification Rule, a covered entity must report within days any breach of unsecured protected health information that affects 500 or more individuals, but for breaches impacting fewer than 500 individuals a report must be submitted to HHS within 60 days of the end of the calendar year in which the breach took place.

LA Care’s HIPAA breach report, which indicated there were likely fewer than 500 affected individuals, was submitted on Feb. 26, 2016, two years after the breach and one month after OCR opened its investigation. OCR officially notified LA Care about the investigation in May 2016.

A similar incident took place around the beginning of 2019, as a LA Care member received ID cards for another member. The LA Department of Public Social Services (DPSS) notified LA Care on Jan. 30, 2019, about the incident, and the health plan’s investigation found a mailing error resulted in the wrong ID cards being sent to almost 1,500 members. LA Care filed a breach report with OCR on March 15, 2019.

HIPAA info monitoring, procedural failures

Based on its investigation of LA Care’s compliance with HIPAA Rules, OCR outlined several potential violations that serve as a lesson for all covered entities, including failure to:

• Conduct an analysis of risk and vulnerabilities of the security and management of electronic personal health information (ePHI),
• Implement adequate security measures to reduce risks and vulnerabilities to a reasonable and appropriate level,
• Implement sufficient procedures to regularly review records of information system activity,
• Perform a periodic technical and nontechnical evaluation based on HIPAA Rule standards as well as in response to environmental or operational changes affecting the security of ePHI, and
• Implement monitoring and recording hardware, software, and/or procedures for activity in information systems that contain or use ePHI.

LA Care will have three years to complete agreed upon actions to correct these failures. It must conduct an enterprise-wide analysis of security risks and vulnerabilities, develop and implement a risk management plan, submit an evaluation report for environmental or operational changes affecting its ePHI security, develop and maintain written policies and procedures to comply with applicable privacy and security rules, and improve its HIPAA and security training program for all of its workforce members who have access to ePHI.

Also, the health plan is required to file annual reports on its CAP status including a final report after all of the corrective actions outlined in the agreement are completed.