Newsletter


19 August 2019Analysis

Office for Civil Rights increases pressure on healthcare companies over data security


The Office for Civil Rights (OCR), the federal Health Insurance Portability and Accountability Act (HIPAA) enforcer, issued average resolution agreement payments of $2.6 million in 2018 related to data breaches.

It was a significant increase on the payments ordered the previous year, when the average payment was $1.9 million. This defied expectations that OCR may be less active under the current administration, noted Beazley in its latest breach insights report.

The report said OCR resolution agreement amounts paid in 2018 ranged from $100,000 at the low end to $16 million, its largest ever resolution agreement payment. This payment was made in connection with Anthem in its capacity as a HIPAA business associate, as the result of its 2015 data breach affecting over 78 million individuals’ protected health information.

But OCR investigations are taking longer to close, Beazley noted, with investigations ranging from three to seven years in length for the resolution agreements issued in 2018.

From the time of the data breach to the final OCR resolution agreement, OCR took an average of 4.3 years to bring matters to closure last year, compared with an average of 4 years in 2017 and 3.6 years in 2016.

OCR is also increasingly scrutinising reports of small breaches for patterns of noncompliant behavior. For example, Frensenius Medical Care paid OCR $3.5 million for five separate breaches by subsidiary companies affecting between 10 and 245 individuals each.

Katherine Keefe, head of breach response (BBR) services at Beazley, said: “Post-breach enforcement by OCR makes it imperative for healthcare organisations to ensure their security risk analyses and risk mitigation plans are reviewed regularly and updated.”

With OCR investigating smaller scale data breaches than it previously did, she advised “healthcare organisations of all sizes review their cyber security policies, practices and employee training programs and engage their insurer or broker in building a robust HIPAA–compliant risk management program,” she said.



Editor's picks

news
Micro captives stay on IRS Dirty Dozen list
12 April 2024

Editor's picks

news
Micro captives stay on IRS Dirty Dozen list
12 April 2024   The federal agency has released its Dirty Dozen list for 2024.
news
Giles to join ClearPoint Health
9 April 2024
news
RMC emerges victorious against IRS in micro captive case
8 April 2024
news
CCRIF unveils four Ivan+20 scholarships
4 April 2024
news
Ryskex opens office in Lloyd’s building
4 April 2024
news
Giles leaves MSL Captive Solutions
1 April 2024

Related content

Committed to the captives sector
Captives and investments portfolios: separating myth from reality
Revolutionising risk transfer: the emergence of 144A cat bonds in captive
20 years on: evolving in tandem
A strong sense of purpose
Captive change and evolution
Celebrating 20 years of growth
Cayman Islands: 20 years of insurance