DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

HHS Office for Civil Rights Settles with L.A. Care Health Plan Over Potential HIPAA Security Rule Violations

Posted on September 11, 2023 by Dissent

LA Care, the largest publicly operated health plan in the country paid $1,300,000 to settle

Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules with LA Care, the nation’s largest publicly operated health plan that provides health care benefits and coverage through state, federal, and commercial programs. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules that set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of protected health information (PHI).  The settlement concludes two OCR investigations initiated from a large breach report and a media article regarding a separate security incident.  Under the agreement, LA Care agreed to pay $1,300,000 and to implement a corrective action plan, discussed in further detail below, which identifies steps LA Care will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic protected health information (ePHI).

“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic, noncompliance with the HIPAA Rules,” said OCR Director Melanie Fontes Rainer.  “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.  Entities such as LA Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.”

The potential violations in this case included:

  • failure to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to ePHI across the organization,
  • failure to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level,
  • failure to implement sufficient procedures to regularly review records of information system activity,
  • failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI, and
  • failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

OCR’s investigation found evidence of potential noncompliance with the HIPAA Privacy and Security Rules across LA Care’s organization, a serious concern given the size of this covered entity.   In addition to the monetary settlement, LA Care has agreed to take the following steps under a comprehensive corrective action plan that will be monitored for three years by OCR to ensure compliance with HIPAA:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization.
  • Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
  • Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan.
  • Report to HHS when it conducts an evaluation due to an environmental and operational change that affects the security of ePHI in LA Care’s possession or control.
  • Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Rules.

The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/la-care-health-plan/index.html 

OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information. Guidance about the Privacy Rule, Security Rule, and Breach Notification Rules can also be found on OCR’s website.  If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.

Source:  HHS.gov

Related posts:

  • HIPAA Security Rule Facility Access Controls – What are they and how do you implement them?
  • HHS’ Office for Civil Rights Settles HIPAA Security Rule Investigation with Health Fitness Corporation; $227k monetary penalty plus corrective action plan
  • HHS Office for Civil Rights Settles HIPAA Security Rule Investigation with USR Holdings, LLC Concerning the Deletion of Electronic Protected Health Information
  • HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation for $90,000
Category: Breach LawsCommentaries and AnalysesHealth DataHIPAAOf NoteU.S.

Post navigation

← MS: Hinds County computer system remains under ransomware attack
Brazil’s government convicted for data leak exposed by The Brazilian Report →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • DOJ investigates ex-ransomware negotiator over extortion kickbacks
  • Hackers Using PDFs to Impersonate Microsoft, DocuSign, and More in Callback Phishing Campaigns
  • One in Five Law Firms Hit by Cyberattacks Over Past 12 Months
  • U.S. Sanctions Russian Bulletproof Hosting Provider for Supporting Cybercriminals Behind Ransomware
  • Senator Chides FBI for Weak Advice on Mobile Security
  • Cl0p cybercrime gang’s data exfiltration tool found vulnerable to RCE attacks
  • Kelly Benefits updates its 2024 data breach report: impacts 550,000 customers
  • Qantas customers involved in mammoth data breach
  • CMS Sending Letters to 103,000 Medicare beneficiaries whose info was involved in a Medicare.gov breach.
  • Esse Health provides update about April cyberattack and notifies 263,601 people (1)

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Oregon Amends Its Comprehensive Privacy Statute
  • Wisconsin Supreme Court’s Liberal Majority Strikes Down 176-Year-Old Abortion Ban
  • 20 States Sue HHS to Stop Medicaid Data Sharing with ICE
  • Kids are making deepfakes of each other, and laws aren’t keeping up
  • The Trump administration is building a national citizenship data system
  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.