A Los Angeles County healthcare organization agreed to pay $1.3 million to settle allegations by the U.S. Department of Health and Human Services (HHS) that it potentially violated the Health Insurance Portability and Accountability Act (HIPAA).

L.A. Care Health Plan agreed to the settlement with the HHS’s Office for Civil Rights (OCR) addressing alleged noncompliance with HIPAA’s Security and Privacy Rules, the agency announced in a press release Monday.

The rules govern the security of electronic protected health information and require notification in the case of a breach.

The details: Two separate incidents in 2014 and 2019 caused L.A. Care’s apparent HIPAA violations, according to a resolution agreement.

In 2014, an online payment portal displayed the protected health information of approximately 750 members to the wrong individuals because of a processing error, according to an emailed statement from L.A. Care.

In 2019, a data processing error resulted in approximately 1,500 membership identification cards being mailed to the wrong individuals, per the OCR.

“HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA rules and not wait for OCR to reveal long-standing HIPAA deficiencies,” said OCR Director Melanie Fontes Rainer in the release.

Compliance considerations: A corrective action plan requires L.A. Care to conduct an enterprise-wide risk analysis; implement a risk management plan; and develop new policies, procedures, and training.

Company response: In an emailed statement, L.A. Care said it takes the privacy and security of members’ data seriously and self-reported the two incidents. The company noted the incidents were not intentional and that the HHS concluded it took reasonable corrective action upon discovery.

“L.A. Care regrets these incidents occurred and remains committed to continuous improvement in order to maintain the trust of our members and protect their data,” the company stated.