
OCR Sends Enforcement Message – Ep 425 

 September 22, 2023

By  Donna Grindle

Assuming large organizations with lots of healthcare clients have a proper HIPAA privacy and security program in place could be disastrous. OCR recently settled investigations with LA Care, a large health plan in California, for $1.3 million and a 3 year corrective action plan. Join us as we discuss this settlement and see what you can learn from someone else’s mistakes.


In this episode:

OCR Sends Enforcement Message – Ep 425

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


HIPAA Briefs

[04:06] Is it possible to be both a CE and a BA at the same time?

Yes, you can be both. You can be a covered entity offering your services that you’re getting paid insurance payments for while providing services on behalf of another covered entity who’s getting paid by insurance, and then they’re paying you. If you are unsure which you are, ask someone who understands and can guide you.

OCR Sends Enforcement Message

[06:18] Everyone should pay attention to the not so subtle message that OCR has just sent with its latest resolution agreement. Of course, we have to read between the lines when you are listening to lawyers. They tell you what you need to understand in clear legal language.

This settlement will make headlines because it includes a $1.3m cash amount. Boom! As always, the bigger issues are in the details, not the headlines. This case involves the Local Initiative Health Authority for Los Angeles County, operating and doing business as L.A. Care Health Plan.

L.A. CARE HEALTH PLAN Resolution Agreement and Corrective Action Plan | HHS.gov

The timeline in this one is the longest we have ever seen, because it goes back to an old investigation that appears to have never been closed. Then a new breach happened. Honestly, that is not a position anyone should ever hope to be in, and this settlement shows why.

On January 13, 2016, OCR opened a compliance review based on an article published on March 3, 2014. It isn’t clear how this all happened, but back then things were very confusing since enforcement was really just getting its workflow sorted out. Remember, the HITECH rule was not completely implemented until 2013. (Except for a couple of parts that aren’t included yet because it is very complicated to figure out how to implement them. Two of them are the shared enforcement amounts and the accounting of all TPO disclosures requirements.)

So, OCR notified LA Care of the review on May 19, 2016. OCR had already been able to look at the details since it was publicly published information.

The online article said this:

on January 24, 2014….some L.A. Care Covered members who logged onto (their) payment portal were able to see another member’s name, address and member identification number…the disclosures took place between January 22, 2014 to January 24, 2014 and were the result of a manual information processing error

They filed a breach report about that incident on Feb 26, 2016. Yes, that is more than 60 days. Word got out, apparently, so they had to report.

[17:17] That situation was never resolved before there was a data breach they reported on March 15, 2019. That report said:

on or around January 30, 2019, Los Angeles Department of Public Social Services (DPSS) reported to LACHP that a LACHP member received identification (ID) cards for other members. LACHP discovered that a mailing error caused member ID cards to be mailed to the wrong members. Approximately 1,498 individuals were affected by the breach.

Things got more complicated from there, based on what we see in this settlement: one settlement closing two investigations opened years apart, with no clear effort to correct their program between the two breaches. At least, based on what is published in the legal documents, it appears that way.

Our quote from the director always tells you what to get out of this one. Here it is:

Breaches of protected health information by a HIPAA-regulated entity often reveal systemic, noncompliance with the HIPAA Rules. HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies. Entities such as LA Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.

OCR Director Melanie Fontes Rainer

Let’s make note of that language: “systemic, noncompliance”, “proactive in ensuring their compliance” and the big one, “not wait for OCR to reveal long-standing HIPAA deficiencies”.

[23:16] The potential violations in this case included:

  • failure to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to ePHI across the organization,
  • failure to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level,
  • failure to implement sufficient procedures to regularly review records of information system activity,
  • failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI, and
  • failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

OCR’s investigation found evidence of potential noncompliance with the HIPAA Privacy and Security Rules across LA Care’s organization, a serious concern given the size of this covered entity.

[31:28] They agreed to a comprehensive corrective action plan that will be monitored for three, yes 3, years by OCR to ensure compliance with HIPAA:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization.
  • Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
  • Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan.
  • Report to HHS when it conducts an evaluation due to an environmental and operational change that affects the security of ePHI in LA Care’s possession or control.
  • Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Rules.

An interesting item listed on the CAP was for an evaluation report to be done. It states:

If during the Compliance Term LACHP has applied environmental or operational changes materially affecting the security of its ePHI, LACHP shall submit a written report (“Evaluation Report”) with documentation describing and evidencing to HHS the environmental or operational change and LACHP’s evaluation of such change pursuant to 45 C.F.R. § 164.308(a)(8) and consistent with LACHP’s policies and procedures.

There is significant pressure on both HHS and OCR to do more enforcement to get the industry in line with expectations. This may be a message of things to come for everyone on the enforcement front. It could be a message to those who have “systemic, noncompliance” but are not being “proactive in ensuring their compliance”. They are encouraging you to “not wait for OCR to reveal long-standing HIPAA deficiencies”, or it will not be pretty.

There’s a lot to learn from this settlement. Don’t assume that just because an organization is large and has lots of healthcare clients, it has a solid HIPAA security program in place. That can be a costly mistake. Pay attention to resolution agreements and the CAPs. They make it pretty clear what HHS and OCR expect you to be doing. Start with conducting an accurate and thorough risk analysis and develop your risk management plan. This is the one consistent thing that appears on every corrective action plan.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
