In September 2023, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) announced a settlement regarding potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules with LA Care, the nation's largest publicly operated health plan that provides health care benefits and coverage through state, federal, and commercial programs. Here are some key points from the settlement.
- L.A. Care, a large public health plan agreed to pay $1.3 million and implement a corrective action plan to settle potential HIPAA violations related to two data breaches in 2014 and 2019.
- The 2014 breach involved an online payment portal error that exposed the protected health information (PHI) of 750 members.
- The 2019 breach involved a mailing error that sent ID cards to the wrong individuals, affecting 1,500 members.
- OCR noted that L.A. Care failed to conduct a proper security risk analysis, as required by the HIPAA regulations.
- This is the second penalty of more than $1 million announced by OCR since it lowered tiers of fines in 2019.
- The settlement took four years to reach, and the reasons for the delay are unclear.
- L.A. Care maintains that it takes data privacy and security seriously and has implemented corrective actions.
- The article also mentions a 2012 incident where L.A. Care mailed ID cards to the wrong addresses, potentially affecting 18,000 individuals. This incident was not mentioned in the settlement agreement.
To learn more about the resolution agreement and corrective action plan, please visit https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/la-care-health-plan/index.html
For any other quires about privacy, security and compliance, please visit https://www.complianceprosolutions.com/
