Dive Brief:
- The HHS announced on Monday that L.A. Care, the nation’s largest publicly operated health plan, will pay $1.3 million to settle allegations that it violated federal breach rules, following investigations into two separate security incidents.
- L.A. Care’s alleged HIPAA violations include failing to conduct a thorough risk analysis to identify vulnerabilities to its members’ electronic health information, and failing to implement sufficient security measures and procedures to regularly review activity on its information systems. The health plan admitted no wrongdoing under the settlement.
- Regulators opened an investigation into L.A. Care in 2016 after a news article reported a breach, potentially affecting fewer than 500 individuals, in which L.A. Care plan members could temporarily view other members’ personal health information in payment portals. In 2019, L.A. Care informed regulators of a separate security incident in which member identification cards were mailed to the wrong members, affecting almost 1,500 people.
Dive Insight:
The alleged HIPAA noncompliance from L.A. Care provoked “serious concern” from regulators given the size of the health plan, according to an HHS release. L.A. Care, an independent public agency, provides coverage to low-income Los Angeles residents and has more than 2.7 million members in Medicare, Medicaid and Affordable Care Act plans.
The HHS cited the initial 2014 news report, which said the first security incident stemmed from a “manual information processing error.” L.A. Care attributed the 2019 breach to a mailing error that sent ID cards to the wrong members.
In addition to the payment, the HHS Office for Civil Rights will monitor L.A. Care for three years to ensure ongoing compliance with HIPAA.
“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic noncompliance with the HIPAA Rules,” Melanie Fontes Rainer, director of the OCR, said in a statement. “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.”
This is not the first time that L.A. Care has been penalized by regulators. Last year, the plan was fined $55 million by state regulators for alleged operational deficiencies that resulted in member harm, including failure to address more than 67,000 grievances from plan members and a backlog of more than 9,000 prior authorization requests.