This month, U.S. Health and Human Services' Office of Civil Rights (OCR) announced a settlement and corrective action plan (CAP) with LA Care, a publicly operated health plan, for multiple potential violations and for evidence of potential noncompliance with the HIPAA Privacy and Security Rules. OCR Director Melanie Fontes Rainer summed up OCR's role and work well by stating, "HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies..."
LA Care's CAP includes the following potential violations:
• failure to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to ePHI across the organization,
• failure to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level,
• failure to implement sufficient procedures to regularly review records of information system activity,
• failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI, and
• failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
It's amazing, but unfortunately believable, to still be reading in 2023 that LA Care lacked the most basic compliance, security, and risk management actions needed to protect health information.
OCR and LA Care agreed to a three-year CAP and a $1,300,000 settlement. No telling what LA Care is going to pay in its class action lawsuit and for its legal representation. It goes without saying that for thousands of dollars, they could have avoided paying over a million. We're curious what their insurance company says when they renew their application.
Reach out if you need a checkup or some advice on getting your program in place or matured. We don't charge for a phone call, as long as you understand we also don't provide legal advice. Click the graphic below if you want to read about this case; the details may persuade your organization's leadership if they are hesitant to acknowledge the consequences of failing to run a healthy program.
Stay (HIPAA) safe,