LA Care Health Plan HIPAA Fine

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a settlement with L.A. Care, the largest publicly operated health plan in the country, which provides coverage through state, federal, and commercial programs.

The agreement stems from two OCR investigations: one triggered by a breach report that L.A. Care filed, the other by a media article describing a separate security incident. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set out the obligations every HIPAA-regulated entity must meet to protect protected health information (PHI).

To resolve the potential violations of the HIPAA Security Rule and strengthen the security of its electronic protected health information (ePHI), L.A. Care agreed to pay $1,300,000 and to implement a corrective action plan.

OCR Director Melanie Fontes Rainer used the settlement to remind regulated entities not to wait for an enforcement action before addressing their compliance gaps:

“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic noncompliance with the HIPAA Rules,” said OCR Director Melanie Fontes Rainer. “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies. Entities such as LA Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.”


The Identified Violations

OCR’s investigations identified several potential violations of the HIPAA Security Rule, each of which points to a gap in how L.A. Care managed the security of ePHI across the organization:

  • Failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held anywhere in the organization.
  • Failure to implement security measures sufficient to reduce the identified risks and vulnerabilities to a reasonable and appropriate level.
  • Failure to implement procedures to regularly review records of information system activity (such as audit logs, access reports, and security incident tracking reports), leaving the organization unable to spot irregular or potentially harmful activity involving ePHI.
  • Failure to perform periodic technical and non-technical evaluations in response to environmental or operational changes that affect the security of ePHI.
  • Failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Without such audit controls, the organization could not reliably detect unauthorized access to or disclosure of ePHI.

The Corrective Action Plan

OCR’s investigations found potential noncompliance with the HIPAA Privacy and Security Rules across L.A. Care’s organization, a significant finding given the size of the health plan and the volume of ePHI it handles. To address the gaps and sustain compliance, OCR has set out specific obligations for L.A. Care under a corrective action plan.

In addition to the financial settlement, L.A. Care must undertake the following actions:

  • Conduct an accurate and thorough risk analysis to identify risks and vulnerabilities to ePHI across the organization
  • Develop and implement a risk management plan to address the risks and vulnerabilities identified in that analysis
  • Report to HHS the results of evaluations conducted in response to environmental or operational changes that affect the security of ePHI
  • Notify HHS within 30 days if workforce members fail to comply with the HIPAA Rules

Monitoring Progress

OCR will monitor L.A. Care’s compliance with the corrective action plan for three years. The goal of this ongoing oversight is to ensure that the ePHI of the plan’s members is actually protected, not merely documented as protected.

The settlement is a reminder to covered entities and business associates that the Security Rule’s risk analysis, risk management, audit control, and information system activity review requirements are not paperwork exercises: OCR treats the absence of logging and log review as a failure to detect unauthorized access to ePHI, and it holds entities accountable for it.

Healthcare organizations should take proactive measures to protect sensitive health data and to meet their HIPAA obligations before an incident, rather than after an OCR investigation reveals long-standing deficiencies.
