L.A. Care Health Plan will pay a $1.3 million settlement and enact a corrective action plan to address alleged HIPAA violations. Following two HHS investigations prompted by a breach report and media coverage of a security incident, LA Care faced accusations of inadequate risk analysis, security measures, and oversight of electronic health information. The corrective plan includes risk analysis, management measures, policy development, and reporting procedures, highlighting the importance of proactive HIPAA compliance for entities handling sensitive health data.
L.A. Care Health Plan has reached an agreement to pay a settlement of $1.3 million and has committed to implementing a corrective action plan to address allegations of violating HIPAA regulations.
This settlement arises from two separate investigations initiated by the Department of Health and Human Services (HHS), triggered by a breach report and a media story related to a distinct security incident.
The alleged violations encompassed the following:
1. Neglecting to conduct a comprehensive and precise risk analysis to assess the risks and vulnerabilities associated with electronic protected health information (ePHI).
2. Failing to institute security measures adequate to mitigate risks and vulnerabilities related to ePHI to an appropriate and reasonable level.
3. Insufficient procedures in place to regularly review records of information system activity.
4. Not performing periodic evaluations in response to environmental or operational changes affecting ePHI security.
5. Failing to implement hardware, software, or protocols that can monitor and scrutinize activity in information systems housing or using ePHI.
Melanie Fontes Rainer, director of HHS’ Office for Civil Rights, emphasized the importance of proactive compliance with HIPAA rules for entities subject to its regulations. She stated, “Entities like LA Care have a responsibility to safeguard the health information of their insured individuals, especially while providing healthcare services to vulnerable residents in Los Angeles County, including Medicaid, Medicare, and Affordable Care Act health plans.”
As part of the corrective action plan, LA Care has committed to the following measures:
1. Conducting a thorough analysis to identify risks and vulnerabilities associated with electronic patient and system data.
2. Implementing a risk management plan to address the identified risks and vulnerabilities, with a focus on preserving the confidentiality, integrity, and availability of ePHI.
3. Establishing policies and procedures to support the ongoing implementation of a risk analysis and management plan.
4. Promptly reporting to HHS whenever an evaluation is conducted in response to environmental and operational changes impacting the security of ePHI.
5. Reporting to HHS within a 30-day window any instances where workforce members fail to comply with HIPAA rules.