19 August 2019 | Analysis

Office for Civil Rights increases pressure on healthcare companies over data security

The Office for Civil Rights (OCR), the federal Health Insurance Portability and Accountability Act (HIPAA) enforcer, issued average resolution agreement payments of $2.6 million in 2018 related to data breaches.

This was a significant increase over the payments ordered the previous year, when the average was $1.9 million, and it defied expectations that OCR would be less active under the current administration, Beazley noted in its latest breach insights report.

The report said OCR resolution agreement amounts paid in 2018 ranged from $100,000 at the low end to $16 million, its largest ever resolution agreement payment. This payment was made in connection with Anthem in its capacity as a HIPAA business associate, as the result of its 2015 data breach affecting over 78 million individuals’ protected health information.

But OCR investigations are taking longer to close, Beazley noted, with investigations ranging from three to seven years in length for the resolution agreements issued in 2018.

From the time of the data breach to the final OCR resolution agreement, OCR took an average of 4.3 years to bring matters to closure last year, compared with an average of 4 years in 2017 and 3.6 years in 2016.

OCR is also increasingly scrutinising reports of small breaches for patterns of noncompliant behavior. For example, Fresenius Medical Care paid OCR $3.5 million for five separate breaches by subsidiary companies affecting between 10 and 245 individuals each.

Katherine Keefe, head of breach response (BBR) services at Beazley, said: “Post-breach enforcement by OCR makes it imperative for healthcare organisations to ensure their security risk analyses and risk mitigation plans are reviewed regularly and updated.”

With OCR investigating smaller data breaches than it previously did, she advised that “healthcare organisations of all sizes review their cyber security policies, practices and employee training programs and engage their insurer or broker in building a robust HIPAA-compliant risk management program.”