The Office for Civil Rights (OCR), the federal Health Insurance Portability and Accountability Act (HIPAA) enforcer, issued average resolution agreement payments of $2.6 million in 2018 related to data breaches.
It was a significant increase on the payments ordered the previous year, when the average payment was $1.9 million. This defied expectations that OCR may be less active under the current administration, noted Beazley in its latest breach insights report.
The report said OCR resolution agreement amounts paid in 2018 ranged from $100,000 at the low end to $16 million, its largest ever resolution agreement payment. This payment was made in connection with Anthem in its capacity as a HIPAA business associate, as the result of its 2015 data breach affecting over 78 million individuals’ protected health information.
But OCR investigations are taking longer to close, Beazley noted, with investigations ranging from three to seven years in length for the resolution agreements issued in 2018.
From the time of the data breach to the final OCR resolution agreement, OCR took an average of 4.3 years to bring matters to closure last year, compared with an average of 4 years…
