LA Care Health Plan Settles for $1.3 Million after HIPAA Compliance Failings

In a recent development, L.A. Care Health Plan, a HIPAA-covered entity with nearly 3 million members, has settled for a payment of $1.3 million along with a three-year corrective action plan (CAP). The settlement follows allegations of significant failings in the organization’s security risk analysis and corresponding risk management planning. The case traces back to a breach experienced approximately 11 years ago. A detailed report on the issue is available on JDSupra.com.

In an age where data security has become fundamental to every organization handling sensitive information, conventional wisdom dictates that a risk analysis and a corresponding risk management plan are non-negotiable. By 2016, such practices had already become compliance basics, particularly for HIPAA covered entities. However, this recent settlement agreement reflects a notable gap between those principles and their application.

L.A. Care Health Plan’s handling of its patient data security issues came under scrutiny from the HHS Office for Civil Rights (OCR). The OCR is responsible for enforcing data privacy and security requirements, safeguarding the rights of individuals and maintaining public trust.

Although L.A. Care Health Plan attributed its data breaches to apparent processing errors, the organization still faces consequences for its deep-rooted shortcomings. The tangible repercussions are a $1.3 million financial penalty, accompanied by the mandatory execution of a three-year corrective action plan.

While this case sets an example for organizations dealing with sensitive information, it also serves to re-emphasize important compliance practices. Indeed, it reiterates the importance of fundamental risk analyses and risk management planning in preserving data security, a lesson worth remembering for every organization in the HIPAA sphere.