Paying the $1.3 million fine is the easy part. Complying with the CAP is a different undertaking.
On Sept. 11, 2023, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced an unprecedented resolution agreement and corrective action plan (“CAP”) with L.A. Care Health Plan to settle investigations over potential HIPAA violations.
As part of the resolution agreement, L.A. Care agreed to pay $1.3 million. That is the easy part—a minor endeavor compared to complying with the CAP. Attached to the resolution agreement as Appendix A, the CAP will keep the L.A. Care chief compliance officer, privacy officer and information security officer busy with the following tasks:
- Conducting an enterprise-wide risk analysis
- Developing and implementing a risk management plan
- Drafting an evaluation report
- Drafting policies and procedures to comply with the HIPAA Privacy Rule and Security Rule
- Augmenting the training program
- Ongoing reporting of reportable events such as workforce member noncompliance
The completion of these tasks will be subject to HHS’s approval.
Although it may be tempting to cut costs by skimping on physical, administrative and technical security measures to protect the confidentiality, integrity and availability of protected health information (PHI), the lack of those measures can be easily highlighted through basic human error. Indeed, HHS has a webpage dedicated to “How to File a Civil Rights Complaint.”
In L.A. Care’s case, what appears to be a simple human error of sending approximately 1,498 member ID cards to the wrong individuals around January 2019 raised a red flag that was eventually noticed by OCR. But this wasn’t the first investigative red flag. In January 2016, HHS started a compliance review after a March 3, 2013, article reported L.A. Care members seeing other members’ information upon logging onto the payment portal. Note that these are not hackers attempting to break into the system and steal data but human errors internal to the company.
HHS’s investigation of L.A. Care’s compliance with HIPAA rules revealed potential violations of requirements such as:
- Risk analysis of vulnerabilities and potential risks to the confidentiality, integrity and availability of electronic PHI (ePHI). 45 C.F.R. Section 308(a)(1)(ii)(A).
- Implementation of sufficient security measures for reducing risks and vulnerabilities. 45 C.F.R. Section 308(a)(1)(ii)(B).
- Procedures to regularly review records of system activity. 45 C.F.R. Section 308(a)(1)(ii)(D).
- Periodic technical and nontechnical evaluations. 45 C.F.R. Section 308(a)(8).
- Implementation of software, hardware and/or procedural mechanisms for recording and examining information system activity. 45 C.F.R. Section 312(b).
- Human error of disclosing 1,498 individuals’ ePHI. 45 C.F.R. Section 502(a).
No company is without security incidents that result from human error. It could be argued that if human error was the only issue, there would not have been a resolution agreement and CAP. That places the compliance spotlight squarely on lacking the mandatory physical, administrative and technical security controls to safeguard the confidentiality, integrity and availability of PHI.
Covered entities under HIPAA are also responsible for passing on these obligations to their business associates through a business associate agreement. A significant number of security incidents occur at the vendor level. Accordingly, it is prudent for covered entities to review the vendor’s SOC 2 reports and its alignment with cybersecurity risk frameworks such as ISO 27001:2013 or NIST CSF, in addition to the vendor’s privacy obligations.
To be clear, human errors, incidents and breaches happen to companies that have best-in-class protections, policies and procedures. The question is not if a human error, incident or breach will happen—it is when. When that happens and an OCR investigation ensues, the company that can provide evidence of proper compliance with HIPAA (through contractual, procedural, policy and governance evidence along with proper physical, administrative and technical controls evidence) will be better poised to avoid a resolution agreement and CAP.
We would be remiss if we didn’t acknowledge that HHS is not the only federal agency watching and acting on privacy concerns in health care. The Federal Trade Commission may also take action where it discovers deceptive privacy and security promises in covered entity privacy policies. Covered entities should therefore prioritize developing robust HIPAA compliance plans to mitigate the risk of such actions.
This document is intended to provide you with general information regarding the Department of Health and Human Services’ Office for Civil Rights role in enforcing health privacy laws. The contents of this document are not intended to provide specific legal advice. If you have any questions about the contents of this document or if you need legal advice as to an issue, please contact the attorneys listed or your regular Brownstein Hyatt Farber Schreck, LLP attorney. This communication may be considered advertising in some jurisdictions. The information in this article is accurate as of the publication date. Because the law in this area is changing rapidly, and insights are not automatically updated, continued accuracy cannot be guaranteed.