OCR Investigation Results in $1.3 Million Settlement, Updated Risk Assessment Tool Published

September 20, 2023Legal Alerts

Recently, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement with L.A. Health Care Plan. With more than 2.7 million members, L.A. Care is the nation's largest publicly operated health plan, that offers Medicaid, Medicare and plans through the Affordable Care Act.  Under the settlement, L.A. Care agreed to pay $1.3 million and to implement a corrective action plan to resolve these potential violations of the HIPAA Privacy and Security Rules,[1] and protect the security of electronic protected health information (ePHI).

This case serves as another example that HIPAA-covered entities must ensure that their HIPAA policies and procedures are up-to-date and are designed to ensure compliance with the HIPAA Privacy and Security Rules.

According to OCR, the first compliance investigation began in January of 2016 and was based on a March 2014 news publication alleging certain individuals who logged into the L.A. Care member payment portal between January 22-24, 2014 were able to view the name, address and member identification number of completely different individuals. OCR stated that this incident occurred due to a "manual information processing error.” L.A. Care subsequently filed a breach report in February of 2016 indicating that the breach impacted less than 500 individuals.

The second incident occurred on January 30, 2019, and was reported by L.A. Care to OCR on March 15, 2019. In that incident, L.A. Care reported that the Los Angeles Department of Public Social Services had notified the health plan that it became aware some L.A. Care members were mailed identification cards of other members. Approximately 1,500 individuals were impacted by this mailing incident.

According to OCR, the potential violations of the HIPAA Privacy and Security Rule as a result of these incidents included:

  • Failure to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to ePHI across the organization,
  • Failure to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level,
  • Failure to implement sufficient procedures to regularly review records of information system activity,
  • Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI, and
  • Failure to implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

OCR says its investigation also found evidence of other potential noncompliance across L.A. Care’s organization, which it considered serious given the size of L.A. Care. In addition to the monetary settlement, L.A. Care has agreed to take the following steps under a corrective action plan that will be monitored for three years by OCR to ensure compliance with the HIPAA Privacy and Security Rules:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization.
  • Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity and availability of ePHI.
  • Develop, implement and distribute policies and procedures for a risk analysis and risk management plan.
  • Report to HHS when it conducts an evaluation due to an environmental and operational change that affects the security of ePHI in L.A. Care’s possession or control.
  • Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Rules.

OCR’s press release is available here. The resolution agreement and corrective action plan are available here.

Though these breaches impacted less than 2,000 individuals, it appears that OCR decided to levy a significant penalty of $1.3 million because of deficiencies noted by OCR when it investigated L.A. Care.  According to OCR Director Melanie Fontes Rainer, “breaches of protected health information by a HIPAA-regulated entity often reveal systemic, noncompliance with the HIPAA Rules.” OCR’s expectation is that all covered entities and business associates have implemented and updated HIPAA policies and practices, and actively monitor them for improvement. To this end, OCR has also recently released a new Security Risk Assessment tool (SRA Tool). The SRA Tool is designed to help healthcare providers conduct a risk analysis as required by the HIPAA Security Rule. The downloadable SRA Tool is a desktop application that walks users through the security risk assessment process using multiple-choice questions, threat and vulnerability assessments and asset and vendor management. Version 3.4 contains a variety of feature enhancements, which include:

  • A Remediation Report to help track responses within the tool
  • A Glossary and "Tool Tips" help
  • Updated references to Health Industry Cybersecurity Practices (HICP) for 2023 Edition. Bug fixes and stability enhancements.

More information related to Version 3.4 of the SRA Tool, including a link to download the SRA Tool, is available here.

If you have any questions regarding this OCR enforcement action, the SRA Tool or your own compliance with the HIPAA Privacy and Security Rules, contact your Dinsmore health care attorney.

[1] 45 CFR Part 160 and Subparts A and E of Part 164; and 45 CFR Part 160 and Subparts A and C of Part 164 respectively.