A recent settlement entered into by the nation’s largest publicly operated health plan serves as a clear warning to all covered entities and business associates – do not disregard your obligations to comply with HIPAA.

The settlement, dated September 11, 2023, is between the U.S. Department of Health and Human Services’ Office for Civil Rights (“HHS-OCR”) and L.A. Care Health Plan (“LACHP”), pursuant to which LACHP will pay a fine of $1.3 million and enter into a corrective action plan to address several HIPAA compliance deficiencies.

The underlying events originated with an incident in January 2014, in which LACHP’s payment portal allowed members to view the names, addresses and member identification numbers of other members. This event was reported in an online article in March 2014, which indicated that the disclosures were a result of a “manual information processing error.”

HHS-OCR commenced its investigation in January 2016 based on the March 2014 article, apparently (and notably) not because LACHP notified it and/or the affected individuals of the breach. On February 26, 2016, LACHP filed a report with HHS-OCR indicating that the January 2014 event resulted in a HIPAA breach which potentially affected fewer than 500 individuals. HHS-OCR notified LACHP of its investigation into LACHP’s HIPAA compliance in May 2016.

While the HHS-OCR investigation was ongoing, LACHP encountered another HIPAA breach in January 2019. LACHP reported to HHS-OCR that approximately 1,500 members received identification cards for other LACHP members as a result of a “mailing error.”

HHS-OCR stated that LACHP’s potential violations included a number of failures: (i) to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic Protected Health Information (“ePHI”) across the organization; (ii) to implement security measures to sufficiently reduce the risks and vulnerabilities to ePHI; (iii) to implement sufficient procedures to regularly review records of information system activity; (iv) to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI; and (v) to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

The breach incidents and HIPAA violations cited by HHS-OCR indicate that LACHP failed to implement and maintain certain basic technical, physical, and administrative safeguards in accordance with HIPAA requirements. While the extent of the HIPAA violations and deficiencies was not reported, the duration of the investigation (2016-2023), the settlement amount of about $1.3 million, and the corrective actions required by HHS-OCR provide insight.

In addition to the monetary settlement, LACHP is now subject to a corrective action plan that will be monitored by HHS-OCR for three (3) years to ensure compliance. The corrective action plan reflects HHS-OCR taking an active role in overseeing LACHP’s remediation of existing compliance deficiencies and establishing protocols to address unanticipated changes to its systems and operations.

The corrective action plan requires LACHP to (1) conduct accurate and thorough risk assessments; (2) identify and remediate vulnerabilities to the confidentiality, integrity and availability of ePHI; (3) monitor and report to HHS-OCR environmental and operational changes that may affect the security of ePHI; (4) ensure workforce awareness of the safeguards and policies; and (5) report instances of workforce non-compliance to HHS-OCR.

Conclusions

Covered entities and business associates must implement the basic safeguards required under the HIPAA Security Rule and consistently maintain and improve them as necessary to avoid inadvertent disclosure of PHI. They have an affirmative obligation to identify and mitigate vulnerabilities within their processes and established safeguards, and to provide prompt notification of HIPAA breaches. Establishing a set of HIPAA policies and procedures, but failing to enforce them or failing to review and update them following the occurrence of a security incident or breach, may leave PHI vulnerable to improper access and disclosure.

HHS-OCR’s findings and the results of the settlement reaffirm that the agency has investigated, and will continue to investigate, these matters and hold covered entities and business associates accountable for their failure to comply with HIPAA’s requirements. It is vital, therefore, that covered entities and their business associates regularly review and update their HIPAA safeguards.