Media Inquiries
For general media inquiries, please contact media@hhs.gov.
An official website of the United States government
Here’s how you know
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
LA Care, the largest publicly operated health plan in the country paid $1,300,000 to settle
Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules with LA Care, the nation's largest publicly operated health plan that provides health care benefits and coverage through state, federal, and commercial programs. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules that set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of protected health information (PHI). The settlement concludes two OCR investigations initiated from a large breach report and a media article regarding a separate security incident. Under the agreement, LA Care agreed to pay $1,300,000 and to implement a corrective action plan, discussed in further detail below, which identifies steps LA Care will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic protected health information (ePHI).
“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic, noncompliance with the HIPAA Rules,” said OCR Director Melanie Fontes Rainer. “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies. Entities such as LA Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.”
The potential violations in this case included:
OCR’s investigation found evidence of potential noncompliance with the HIPAA Privacy and Security Rules across LA Care’s organization, a serious concern given the size of this covered entity. In addition to the monetary settlement, LA Care has agreed to take the following steps under a comprehensive corrective action plan that will be monitored for three years by OCR to ensure compliance with HIPAA:
The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/la-care-health-plan/index.html
OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information. Guidance about the Privacy Rule, Security Rule, and Breach Notification Rules can also be found on OCR’s website. If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.
Receive the latest updates from the Secretary, Blogs, and News Releases
For general media inquiries, please contact media@hhs.gov.