Smaller Breaches Being Scrutinized

While some leaders have speculated that OCR has lessened its enforcement of HIPAA, Beazley finds the agency has remained active and smaller breaches are increasingly being scrutinized.

By Jessica Davis

The Department of Health and Human Services Office for Civil Rights enforcement of HIPAA has remained strong over the last year, with renewed focus on smaller breaches and the need for performing and documenting routine security risk assessments, according to Beazley Breach Response Services.

While some have speculated that OCR has eased its enforcement around HIPAA compliance, the latest BBR report on the agency’s 2018 activity revealed that’s not the case.

In 2018, OCR issued its largest resolution to date to Anthem for $16 million over its 2015 data breach of 78 million patient records. Civil monetary penalties ranged from $100,000 to $16 million last year, which averages to $2.6 million in payments for noncompliance. 

In 2017, the average payment was $1.9 million, the report showed.

BBR also found OCR is taking longer to complete investigations, with 2018 investigations lasting between three and seven years. The average length was four years in 2017 and 3.6 years in 2016.

Smaller breaches are now under closer scrutiny, where OCR officials are looking for patterns of non-compliance during their investigations.

For example, Fresenius Medical Center was issued a $3.5 million civil monetary payment in 2018 after five separate breaches at its subsidiaries. While each breach impacted only between 10 and 245 patients, the security incidents stemmed from lost or stolen devices, desktops, or drives that had been left unencrypted.

In its decision, OCR focused on the lack of policies and procedures around Fresenius’ device management and its failure to perform adequate risk assessments around those devices.

The researchers also noted that the University of Texas MD Anderson Cancer Center settlement provided insight into how OCR exercises its authority on imposing civil monetary penalties. MD Anderson was handed a $4 million penalty, which the Texas provider appealed. The administrative law judge upheld OCR’s penalty, although MD Anderson is still protesting the fine in federal court.

However, the settlement shed light on just what OCR prioritizes in its audits: documented risk mitigation plans must be followed; patient health information must be secured even though there is no direct regulatory requirement to encrypt data; PHI does not need to be viewed by someone to be disclosed; and employers are responsible for employees who do not follow policies.

Lastly, OCR officials believed MD Anderson could have reduced its exposure to HIPAA’s non-disclosure requirements if it had implemented the HIPAA hybrid entity structure.

The researchers also found the enforcement actions showed that OCR is prioritizing routine security risk analyses and the need for business associate agreements, as well as clear policies around media access.

According to BBR, organizations can reduce their exposure to severe OCR scrutiny through routine employee training around HIPAA and by documenting that education. Employees should also receive training on email guidance for communications within the organization, with external providers or business associates, and with patients. Employees also need guidance on the encryption solutions in place.

Risk assessments should also be performed for all PHI and ePHI. Data should be encrypted in transit and at rest, and only the minimum necessary PHI should be included when data is transmitted.

Patients must be notified in a timely manner, without unreasonable delay and no later than 60 days following the discovery of a breach. Organizations also need to ensure business associate agreements are in place, current, executed, and easy to locate in the event of a security incident or OCR audit.

“Post-breach enforcement by OCR makes it imperative for healthcare organizations to ensure their security risk analyses and risk mitigation plans are reviewed regularly and updated,” Katherine Keefe, head of BBR Services at Beazley, said in a statement. “As well as issuing larger fines for major breaches, OCR is investigating smaller scale data breaches than previously,” she added. “BBR Services strongly recommends that healthcare organizations of all sizes review their cyber security policies, practices and employee training programs and engage their insurer or broker in building a robust HIPAA-compliant risk management program.”