11 Years After First Disclosure, L.A. Care Pays $1.3M, Says ‘Processing Errors’ Caused Breaches

By 2016, it should have been clear to HIPAA covered entities that a security risk analysis—and corresponding risk management plan—were compliance basics. Yet, a new settlement agreement between the HHS Office for Civil Rights (OCR) and L.A. Care Health Plan, which has nearly 3 million members, alleges the plan failed in both respects. L.A. Care agreed to pay $1.3 million and implement a three-year corrective action plan (CAP) to settle these and other related “potential” violations.[1]

A three-year CAP has become a rarity in recent years, and the settlement harkens back to past OCR agreements in another way: it has often taken OCR more than five years to resolve an investigation with enforcement action. In this case, the agency cited a 2014 disclosure, followed by another in 2019, as among the alleged HIPAA infractions underlying the settlement with the nation’s largest publicly operated health plan.

Interestingly, OCR’s own website reveals L.A. Care reported a breach in 2012 that mirrors the 2019 incident and that potentially affected nearly 10 times the number of individuals cited in the new resolution agreement.[2] Following that report, OCR warned L.A. Care to conduct the risk analysis it now alleges was never completed.

At the time, OCR “provided technical assistance regarding a covered entity’s obligation to conduct an accurate and thorough risk analysis and implement security measures sufficient to reduce those risks and vulnerabilities identified in the analysis,” according to the website.

The settlement, announced last month but signed during the summer, marks only the second penalty of more than $1 million announced since OCR lowered tiers of fines in 2019, following a successful challenge by the University of Texas MD Anderson of a $4.3 million penalty OCR sought to impose.[3] In February, OCR announced that Banner Health of Phoenix, Arizona, agreed to a $1.25 million settlement for a 2016 hacking estimated to affect 2.81 million individuals.[4]
