L.A. Care, a Los Angeles-based health plan for Medi-Cal recipients, has agreed to pay $1.3 million in a settlement to resolve two privacy and security rule violations and chart a corrective plan to secure their members' information.
The violations fall under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which governs what certain healthcare organizations may share about patients without their consent.
The settlement came after an investigation by the Department of Health and Human Services' Office for Civil Rights, which was initiated by a breach report from L.A. Care and a media article about a separate security incident, according to the department's announcement.
In a statement, L.A. Care said it reported to multiple regulatory agencies two incidents in 2014 and 2019 when data from a combined 2,250 members were inadvertently shared with individuals other than the L.A. Care members.
The first incident took place when an online payment portal displayed the personal health information of about 750 members to the wrong individuals because of a processing error, the statement said.
The second incident was due to a data processing error and resulted in about 1,500 membership cards being mailed to the wrong individuals.
As a result of the investigation into the two violations, the Office for Civil Rights found evidence of potential noncompliance with HIPAA privacy and security rules across the L.A. Care organization, "a serious concern given the size of this covered entity."
Those potential violations included failing to take precautionary measures and failing to periodically evaluate the risks to its members' protected health information.
"The Department of Health and Human Services Office of Civil Rights investigated both incidents and concluded that the conduct was not intentional and that L.A. Care took reasonable and corrective action upon discovery," L.A. Care's statement said.
According to an L.A. Care spokesperson, affected members were notified soon after L.A. Care identified the issues, within the federal notification time frames.
Melanie Fontes Rainer, director of the Office for Civil Rights, said breaches of protected health information by a HIPAA-regulated organization "often reveal systemic noncompliance with the HIPAA Rules."
"Entities such as L.A. Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare and Affordable Care Act health plans," she said.
L.A. Care said in its statement that the organization discovered other ways to strengthen the privacy and security of member data and was working to implement those changes.
L.A. Care and the Office for Civil Rights have agreed to a corrective action plan to reduce the risk of similar events occurring in the future, L.A. Care said. The office will monitor the plan for three years to ensure compliance.
The plan calls on L.A. Care to conduct a risk analysis to identify vulnerabilities to patient data across the organization, develop a risk management plan and report to the Department of Health and Human Services when there is a potential HIPAA violation, among other changes.
This story originally appeared in the Los Angeles Times.