OCR reaches a new $1.3 million dollar settlement with a health plan for HIPAA violations.
OCR says, “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.”
Employers that offer Employee Benefits must evaluate if they are responsible for a health plan with HIPAA compliance obligations.
Subscribe HERE to Legal HIE’s backend compliance library to gain access to tools, checklists, whitepapers, sample policies and a lot more to help your organization stay on top of the newest compliance challenges in 2023!
On September 11, 2023, the Office for Civil Rights (OCR) announced in a Press Release that it reached a $1.3 million dollar settlement agreement with L.A. Care Health Plan over potential violations of the HIPAA Security & Privacy Rules. L.A. Care Health Plan is said to be the nation’s largest publicly operated health plan that provides health care benefits and coverage through state, federal, and commercial programs.
The issue was initially brought to OCR’s attention due to a breach involving PHI. Specifically, on January 13, 2016, HHS opened a compliance review of L.A. Care Health Plan based on a March 3, 2014, online media article which reported that,
“on January 24, 2014….some L.A. Care covered members who logged onto (their) payment portal were able to see another member’s name, address and member identification number…the disclosures took place between January 22, 2014 to January 24, 2014 and were the result of a manual information processing error.”
During the course of OCR’s investigation, and despite the fact that the incident is said to have affected fewer than 500 individuals, L.A. Care Health Plan decided to file a breach report regarding this incident with OCR on February 26, 2016. [Importnat Note: breaches involving fewer than 500 individuals do not need to be reported to HHS immediately, but rather can be reported at the end of the calendar year in which they were discovered (i.e., a covered entity has 60 days from December 31st to submit all of the “small breaches” on HHS’s portal)]. On May 19, 2016, OCR notified L.A. Care Health Plan of its investigation regarding L.A. Care Health Plan ‘s compliance with the HIPAA Rules.
If that wasn’t enough, then on March 15, 2019, L.A. Care Health Plan reported to OCR that on or around January 30, 2019, L.A. Department of Public Social Services (DPSS) reported to L.A. Care Health Plan that one of its members received identification (ID) cards for other members. L.A. Care Health Plan discovered that a L.A. Care Health Plan caused member ID cards to be mailed to the wrong members. Approximately 1,498 individuals were affected by the second Breach.
OCR found numerous potential violations of the HIPAA Privacy & Security Rules and specifically pointed out,
“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic, noncompliance with the HIPAA Rules,” said OCR Director Melanie Fontes Rainer. “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies . . . .”
Even if you are not a “traditional” health plan, all organizations and busisses must evaluate if they are offering a benefit that “pays for” health care. In an employer context, this most often comes up when a company or organization offers an Employee Benefit that pays for the cost of medical, dental, prescription drug, vision, or offer medical reimbursement accounts (e.g., flex spending accounts for health care).
If you are uncertain whether your organization might be operating a HIPAA-covered health plan, check out our HIPAA Assessment of HIPAA Health Plans as a starting point. Always consult with your attorney to make any final determiantions regarding your HIPAA obligations.
