L.A. Care Health Plan pays $1.3M to settle potential HIPAA violations

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) this week announced it settled potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules with LA Care, the nation's largest publicly operated health plan, which provides health care benefits and coverage through state, federal, and commercial programs. Under the agreement, LA Care agreed to pay $1.3 million and to implement a corrective action plan to resolve two potential violations of the HIPAA Security Rule that are linked to data breaches.

The incidents include a March 2014 online article that reported some LA Care members were able to see another member’s name, address, and member identification number when they logged onto the health plan’s member portal. The breach potentially affected fewer than 500 individuals. The second incident occurred in January 2019 and involved member ID cards being mailed to the wrong members. Approximately 1,500 individuals were affected by that breach.

“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic noncompliance with the HIPAA rules,” said OCR Director Melanie Fontes Rainer in the announcement. “Entities such as LA Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.”

The corrective action plan requires LA Care to:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization.
  • Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).
  • Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan.
  • Report to HHS when it conducts an evaluation due to an environmental and operational change that affects the security of ePHI in LA Care’s possession or control.
  • Report to HHS within 30 days when workforce members fail to comply with the HIPAA Rules.