In its recent settlement with L.A. Care Health Plan (LACHP), the HHS Office for Civil Rights (OCR) accused the plan of violating four provisions in the Security Rule. LACHP did not admit to wrongdoing but agreed to follow an extensive, three-year corrective action plan (CAP), OCR announced last month (see story, p. 1).[1] L.A. Care also paid $1.3 million as part of the settlement.
The settlement was triggered by breaches in 2014 and 2019 that collectively affected 2,250 individuals, L.A. Care officials told RPP in a statement, which added that “members’ data was inadvertently shared with individuals other than the member.”
In the settlement documents, OCR said L.A. Care “potentially” violated the following Security Rule provisions in connection with the loss of electronic protected health information (ePHI).[2]
- “The requirement to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI held by LACHP (See 45 C.F.R. § 164.308(a)(1)(ii)(A)).
- “The requirement to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level (See 45 C.F.R. § 164.308(a)(1)(ii)(B)).
- “The requirement to implement sufficient procedures to regularly review records of information system activity (See 45 C.F.R. § 164.308(a)(1)(ii)(D)).
- “The requirement to perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of ePHI (See 45 C.F.R. § 164.308(a)(8)).
- “The requirement to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI (See 45 C.F.R. § 164.312(b)).”
Covered entities should review L.A. Care’s CAP for a compliance refresher, in particular, on the elements of a risk analysis and corresponding management plan that OCR considers essential.
PHI Inventory Key to Risk Analysis, Management
A risk analysis is the first task in the CAP, but L.A. Care cannot conduct one until OCR signs off on its plans. The CAP requires L.A. Care to submit “the scope and methodology by which it proposes to conduct” the analysis within 30 days of the effective date of the CAP. (The settlement posted online lists the dates July 28 and Aug. 1 next to the signature lines for L.A. Care and OCR officials, respectively.)
The analysis is to be a “complete and accurate, thorough, enterprise-wide analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by LACHP or its affiliates that are owned, controlled or managed by LACHP that contain, store, transmit or receive LACHP ePHI.”
The analysis must include “a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and applications that contain or store ePHI, which will then be incorporated in its Risk Analysis,” and that inventory must in turn feed the risk management plan. The analysis is to “document the security measures LACHP implemented or is implementing to sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level,” while the risk management plan must “address and mitigate any security risks and vulnerabilities identified.”
L.A. Care also needs to specify a timeline and process for “implementation, evaluation, and revision of its risk remediation activities.”
Employee Violations Must Be Quickly Reported
Once OCR approves the scope and methodology for conducting the analysis, the analysis must be completed and sent to OCR within 120 days. The risk management plan is due 60 days after the analysis is completed. For both the analysis and the management plan, OCR may require revisions.
When L.A. Care experiences “environmental or operational changes materially affecting the security of its ePHI” during the CAP period, it must document how it responds to the changes.
L.A. Care also must revise its policies and procedures related to the risk analysis and management plan and uses and disclosures of PHI as specified in 45 C.F.R. § 164.502(a) of the Privacy Rule. Although OCR did not provide specifics, the CAP calls for L.A. Care to “augment” its existing training programs for HIPAA and the Security Rule. “The Training Program shall include general instruction on compliance with LACHP’s HIPAA policies and procedures. LACHP shall submit its proposed training materials on the policies and procedures to HHS for its review and approval.” Training is to occur every 12 months or more often.
Periodic and annual implementation reports are also required under the CAP. L.A. Care must share with OCR its “schedule, topic outline, and copies of the training materials for the training programs attended in accordance with this CAP.”
The CAP also calls on L.A. Care to report to OCR, within 30 days of their occurrence, any incidents it determines to be HIPAA violations.