L.A. Care Health Plan to pay $1.3M to settle alleged HIPAA violations

L.A. Care Health Plan has agreed to pay a $1.3 million settlement and to implement a corrective action plan to resolve allegations that it violated HIPAA regulations.

The settlement resolves two HHS investigations: one opened in response to a breach report filed by the plan, and a second opened after a media story about a separate security incident.

The potential violations in the case included:

- Failure to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information.
- Failure to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level.
- Failure to implement sufficient procedures to regularly review records of information system activity.
- Failure to perform a periodic evaluation in response to environmental or operational changes affecting the security of ePHI.
- Failure to implement hardware, software or protocols that record and examine activity in information systems that contain or use ePHI.

"HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies," Melanie Fontes Rainer, director of HHS' Office for Civil Rights, said in a Sept. 11 news release. "Entities such as LA Care must protect the health information of its insureds while providing healthcare for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans."

LA Care has agreed to take various steps under a corrective action plan. They include:

- Conducting an analysis to determine risks and vulnerabilities to electronic patient/system data.
- Implementing a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity and availability of ePHI.
- Enacting policies and procedures for a risk analysis and management plan.
- Reporting to HHS when it conducts an evaluation due to an environmental and operational change that affects the security of ePHI.
- Reporting to HHS within 30 days when workforce members fail to comply with HIPAA rules.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.