L.A. Care Health Plan's HIPAA Settlement: Lessons for HR Professionals

A recent HIPAA settlement serves as a critical reminder of the importance of HIPAA compliance and risk management for HR professionals.

By BAS

The U.S. Department of Health and Human Services’ Office for Civil Rights (HHS) reached a settlement with L.A. Care Health Plan, resulting in a $1.3 million fine and the initiation of a corrective action plan. This settlement serves as a critical reminder of the importance of HIPAA compliance and risk management for HR professionals within the healthcare industry.

The settlement results from an incident in January 2014 when L.A. Care’s payment portal exposed sensitive information, including member names, addresses, and identification numbers, to other members. While the breach was reported as a manual information processing error, the consequences were far-reaching. HHS began its investigation in January 2016 after an article highlighted the incident; it had not been notified by L.A. Care or the affected individuals.

In January 2019, during the HHS investigation, a subsequent HIPAA breach occurred affecting approximately 1,500 members. This breach resulted from a mailing error. HHS cited several potential violations by L.A. Care, including the failure to conduct comprehensive risk assessments, implement necessary security measures, and establish proper procedures for monitoring and responding to security-related changes.

The corrective action plan, which will be monitored by HHS for three years, requires L.A. Care to address its deficiencies. It mandates thorough risk assessments, the identification and remediation of vulnerabilities in safeguarding electronic Protected Health Information (ePHI), ongoing monitoring and reporting of changes affecting ePHI security, and enhanced workforce awareness of data security policies.

This event highlights the importance of a robust HIPAA compliance program, especially for HR professionals overseeing healthcare organizations. It underscores the significance of continuous risk assessment, technical safeguards, and the need for a proactive approach to address compliance deficiencies.

The $1.3 million settlement serves as a stark reminder that HIPAA violations can have severe financial consequences and reputational harm. HR professionals should use this case as an opportunity to review and enhance their organizations’ HIPAA compliance measures, ensuring that they are well-prepared to handle potential risks and compliance issues effectively.

Benefit Allocation Systems (BAS) provides online solutions for: Employee Benefits Enrollment; COBRA; Flexible Spending Accounts (FSAs); Health Reimbursement Accounts (HRAs); Leave of Absence Premium Billing (LOA); Affordable Care Act Record Keeping, Compliance & IRS Reporting (ACA); Group Insurance Premium Billing; Property & Casualty Premium Billing; and Payroll Integration.

MyEnroll360 integrates with major insurance carriers for enrollment eligibility management (e.g., Blue Cross, Blue Shield, Aetna, United Health Care, Kaiser, CIGNA and others), and with leading payroll platforms for enrollment deduction management (e.g., Workday, ADP, Paylocity, PayCor, UKG, and others).

This article is for informational purposes only and is not intended as legal, tax, or benefits advice. Readers should not rely on this information for taking (or not taking) any action relating to employment, compliance, or benefits. Always consult with a qualified professional before making decisions based on this content.
