An August 2019 report from the Beazley Group, a well-known Lloyd's of London risk underwriter participant, should put to rest the belief that Office for Civil Rights (OCR) enforcement activity with respect to HIPAA is less active under the current presidential administration.
A Beazley Breach Response Services analysis of 2018 OCR enforcement activity reveals that in 2018, OCR enforcement of the HIPAA regulations was quite thorough. The analysis includes the following findings:
- 2018 OCR enforcement activity included OCR entering into its largest Resolution Agreement payment to date – a $16 million agreement with Anthem. Anthem, in its capacity as a business associate, had suffered a data breach in 2015 that affected over 78 million individuals' protected health information (PHI).
- OCR Resolution Agreement amounts paid in 2018 ranged from a low of $100,000 to the high of Anthem’s $16 million. The 2018 average payment was $2.6 million, up significantly from 2017’s $1.9 million average payment.
- Increased OCR enforcement activity also manifested itself in another way in 2018: OCR investigations are now taking longer to close. Investigations ranged from three to seven years in length for Resolution Agreements issued in 2018. From the time of the data breach to the final OCR Resolution Agreement, OCR took an average of 4.3 years to bring matters to closure in 2018 (compared with an average of 4 years in 2017 and an average of 3.6 years in 2016).
- Enhanced 2018 OCR enforcement activity has also taken the form of greater scrutiny of small breaches. Specifically, in 2018, OCR actively scrutinized reports of small breaches for patterns of noncompliant behavior. For example, in 2018, Fresenius Medical Care paid OCR $3.5 million to cover five separate breaches at five separate covered entities. Each breach affected between 10 and 245 individuals. Significantly, each breach involved the same root cause – lost or stolen devices, drives, or desktops.
The Beazley report's findings bring home an important point made clear by the 2018 enforcement activity: a major breach is not required to trigger an OCR investigation. Rather, as the Fresenius settlement demonstrates, OCR is now scrutinizing all breach reports and attempting to detect patterns that indicate noncompliance.