Recently, HIPAA enforcement over data breaches is increasing – a lot. This year has seen some of the largest monetary penalties. Why is this happening?
I had the chance to interview Katherine Keefe, who leads the Beazley Breach Response (BBR) Services Group. I am particularly interested in the insurer’s perspective, so I interviewed Katherine.
Katherine directs the management of breach incidents reported by BBR policyholders and develops Beazley’s risk management services designed to minimize the occurrence and impacts of data breaches. She has been a practicing lawyer for more than 25 years and is a nationally-known HIPAA expert. Prior to her work at Beazley, Katherine was in-house counsel with two hospital systems and a large Blue Cross plan. She has thus seen HIPAA from many angles.
Solove: What are the recent trends you’re seeing in OCR HIPAA enforcement?
Keefe: OCR’s enforcement activities have stepped up last few years; the numbers of matters they are extracting financial payments and the amounts of those payments have increased. (I say “payments” rather than fines and penalties due to the resolution agreement process used by OCR. Under this process, at the conclusion of a post-breach investigation, OCR issues a proposed resolution agreement, corrective action plan and a monetary demand (called a “resolution amount”).
Solove: How are the resolution amounts determined? Are these negotiated between OCR and the entity under investigation?
Keefe: There is little negotiation of the terms or the amount and most entities pay up rather than fight with OCR. If the entity falls down in its compliance with the agreement/corrective action plan, OCR has the authority to revert the matter to the civil monetary penalty process under which the health care entity would likely fare far worse.)
Solove: You say that the resolution amounts have increased. How significant is this increase?
Keefe: In 2014 and 2015 there were roughly 13 or 14 total resolution agreements ranging from about $125K to $3.5M per resolution payment (average of a little over $1M each). In 2016 there were about 13 resolution agreements and so far in 2017 there have been 9 (and the year is not over yet!). For 2016 and so far in 2017 the payments range from $31K to $5.5M per matter (average of about $1.8M each).
Solove: What explains this rise in enforcement and rise in penalties?
Keefe: OCR has “matured” in its knowledge and in its resources. As to resources, the resolution payments get funneled back into OCR in order that they can pursue their enforcement initiatives and this has led to increases in staffing and certain restructurings throughout OCR’s regional offices. The more they extract money, the more resources to extract money further!
As to penalties, there are a couple of important dynamics at play. First, OCR takes the financial health of the organization into consideration when it is nearing conclusion of its investigation, so that resolution amounts are neither too great (putting the entity out of business) or too light (OCR wants health care organization to feel it!).
Second, some of the trending to larger amounts are likely reflective of the fact that OCR has expressed that it is sick and tired of HIPAA non-compliance. Kind of like “C’mon already! HIPAA has been on the books since 2003 and 2005 (privacy and security rules, respectively), why are we still dealing with entities that do not take encryption of remote devices seriously? Or why are entities still not conducting security risk assessments and implementing risk mitigation plans? Or why are policies and procedures sitting in draft form and are not implemented or updated?” So I think that there is a certain component of these rising resolution payments that are borne of OCR’s frustrations over failures of basic HIPAA 101.
Solove: What insights and views do you have from your vantage point at an insurer? Are there things you now realize or see differently from this perspective?
Keefe: We have two bird’s eye views: (1) Our Beazley Breach Response (BBR) Services team sees--- at the front end when our insured health care entities contact us for the breach assistance covered by the BBR policy --- the privacy and security failures that underpin healthcare data breaches. Over the life of our BBR program, since 2009, we have managed nearly 4,000 health care data incidents. Whether it’s not appropriately doing employee background checks resulting in a previously convicted identity thief taking patient SSNs, or lack of role-based medical records access allowing nosey employees to snoop into the records of neighbor, ex-lover or celebrity patients, or boxes of unaccounted-for paper patient records suddenly discovered as left behind in a medical office relocation, or malware attacks resulting from unpatched software in systems “inherited” and not properly vetted during hospital M and A due diligence….we’ve seen these issues and hundreds more.
Then (2) Post-breach, because the BBR policy also covers indemnification for assistance with regulatory enforcement actions and related fines and penalties, Beazley sees hundreds of OCR enforcement actions undertaken against our insured health care entities around the country. So we see the issues that OCR is investigating, the questions asked, the “hot button” areas OCR cares about.
Solove: What are some lessons that you’ve learned from your vantage point at Beazley that organizations should be aware of?
Keefe: First, OCR uses post-breach investigations as an excuse to investigate an organization’s basic HIPAA compliance. So health care entities reporting breaches to OCR should realize this and be ready for a fulsome HIPAA inquiry.
Second, the resolution agreement process is not a quick process. In 2016 and 2017, for each of its investigations it took OCR years to make a payment demand and finalize the investigation. For the resolution agreements announced in 2016, OCR took from 3-6 years between the time of the reported breach to OCR and the dates of the resolution agreements, and between 2 and 6 years for the agreements OCR announced thus far in 2017.
Solove: Why does the long length of the resolution agreement process matter?
Keefe: Most health care organizations do not budget for this kind of financial exposure; speculation about size and timing of a potential payment demand from OCR places organizations in the spot of having to somehow realistically plan for these unknown eventualities. And from the insurance carrier perspective where reimbursement for fines and penalties is part of the cyber coverage, keeping a claim open and holding reserves for several years waiting for the OCR to act –where data breaches are typical shorter-term events -- is not particularly ideal.
Solove: Anything else that can be learned from OCR’s HIPAA enforcement?
OCR’s trail of resolution agreements provides a roadmap to hot button issues that health care organizations can use to self-audit. OCR’s activities and focus areas in post-breach investigations serve as important clues to health care organizations—and their business associate vendors—as to the expected “best practices” and they should review their programs accordingly to see how they would fare if the same light shines on them. Some of these areas: device encryption, workforce education and training, updated policies and procedures, eliminating old data, security risk assessments and risk mitigation plans, vendor management, and using the minimum amount of PHI.
All resolution agreements and corrective actions are posted and available on OCR’s website. Healthcare organizations would be very wise to use these as a resource for self-improvement and to soften the potential blow of an OCR investigation.
Solove: Thanks, Katherine, for these terrific insights!
Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School and the founder ofTeachPrivacy, a privacy awareness and security training company. He is the author of 10 books and more than 50 articles.
