On September 11, 2023, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with LA Care related to potential violations of the Health Insurance Portability and Accountability Act (HIPAA). LA Care is the largest publicly operated health plan in the country. The settlement was the result of two OCR investigations. The first investigation arose from a news article reporting that LA Care plan members who logged onto their payment portal were able to see other members' personal information. The second investigation resulted from a report of a large breach in which members received identification cards intended for other members.
What You Need to Know:
- Nation's largest public health plan enters into $1,300,000 settlement and corrective action plan with HHS OCR.
- Covered Entities need to be proactive in ensuring their compliance with HIPAA.
- OCR will enforce the HIPAA rules against entities big and small.
OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set the requirements Covered Entities must meet to protect the privacy and security of protected health information (PHI). OCR alleged that LA Care violated HIPAA rules by failing to:
- Conduct a risk analysis to determine risks to electronic PHI (ePHI) within its organization;
- Implement security measures to reduce those risks;
- Implement a regular review of records of information system activity;
- Perform periodic evaluations in response to environmental or operational changes affecting the security of ePHI; and
- Implement mechanisms that record and examine activity in information systems that contain ePHI.
In addition to paying $1,300,000 to OCR, LA Care agreed to a three-year corrective action plan (CAP) requiring it to take each of the following steps:
- Conduct an analysis to determine risks to its electronic patient/system data;
- Develop and implement a risk management plan to address risks to the confidentiality, integrity and availability of ePHI;
- Adopt policies and procedures for a risk analysis and risk management plan;
- Report to HHS any evaluation as a result of changes that affect the security of ePHI; and
- Report to HHS within 30 days when employees fail to comply with HIPAA.
The Resolution Agreement and CAP are available here.
This latest OCR settlement is a reminder to all HIPAA-regulated entities that it is important to be proactive in your HIPAA compliance. Covered entities and business associates should have policies in place to ensure HIPAA compliance, assess their organization's risks regularly, and be prepared to reevaluate their plans in the event of changes. OCR takes HIPAA compliance seriously and will levy significant penalties if it believes an organization has failed to protect PHI.
Saul Ewing attorneys regularly assist covered entities and business associates with HIPAA compliance efforts including drafting and updating policies and procedures, workforce training, and breach responses.