The Local Initiative Health Authority for Los Angeles County, which operates as L.A. Care Health, faced multiple violations of the HIPAA Privacy and Security Rules. They’ve agreed to settle with the HHS for $1.3 million.
The settlement follows the conclusion of an HHS investigation into two separate events.
First, according to the Los Angeles Times, an online payment portal displayed the protected health information (PHI) of approximately 500 members to other members. The information was later found to have been exposed between January 22nd and January 24th, 2014. An online media source reported the event later in 2014, saying the leaked information included names, addresses, and member identification numbers.
The second incident was reported by L.A. Care Health in 2019. The organization reported to the OCR that approximately 1,498 records had been breached in January 2019 due to a mailing error that resulted in members receiving I.D. cards of other members.
The OCR determined that there had been several HIPAA violations, listed below:
- A failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI.
- A failure to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
- A failure to implement sufficient procedures to regularly review records of information system activity.
- A failure to perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under the Security Rule and subsequently in response to environmental or operational changes affecting the security of ePHI.
- A failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
- The impermissible disclosure of the ePHI of 1,498 individuals.
The rest of the report is available from the HHS.
In response, L.A. Care Health Plan agreed to settle for $1.3 million with no admission of liability. It will also adopt a corrective action plan, which requires it to conduct a comprehensive risk analysis; develop a risk management plan; develop, implement, and distribute policies and procedures covering the risk analysis and risk management plan; report to OCR when those policies and procedures change; and report any HIPAA violations within 30 days.
Why it matters
The incident involving the L.A. Care Health Plan shows the high standards every organization is held to, whether or not they swiftly follow breach protocols.
The errors that resulted in each breach were processing or computer errors, but L.A. Care Health Plan must still comply with HIPAA requirements regardless of the cause. The case also shows that investigations into HIPAA violations can take time: between the investigation and the implementation of the corrective action plan, it may be several years before a healthcare organization is entirely up to standard.
The big picture
Director of the Office for Civil Rights, Melanie Fontes Rainer, said that breaches of protected health information “often reveal systemic noncompliance with the HIPAA Rules.” She added, “Entities such as L.A. Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.”
L.A. Care Health Plan stated they plan to swiftly implement measures to better protect member privacy.