Anatomy of a HIPAA Corrective Action Plan

HIPAA Enforcement Can Be Painful

When the Office for Civil Rights (OCR) finds HIPAA violations and resolves them through a settlement, three things follow: a resolution agreement, a monetary payment, and a corrective action plan (CAP). The dollar amounts can be large (from tens of thousands to millions), but the more painful part is often the CAP. It is mandatory, burdensome and constantly monitored.

OCR enforces HIPAA for both covered entities and business associates. Both have been required to submit to CAPs.

All of it is avoidable by taking basic HIPAA compliance steps before OCR comes calling. It is not a guessing game: the steps are known, and following them avoids the pain.

HIPAA Compliance Off the Track

The number one reason organizations are hit with large settlements and corrective action plans is that no Risk Analysis was done. A proper HIPAA Risk Analysis, followed by Risk Management, reveals what the risks are and provides a path to reduce them. No organization is required to be perfect or airtight, but it needs to know its gaps and have a plan to manage and close them.

When organizations do an annual Risk Analysis, they are ahead of the game and a less likely target for OCR. If they ignore these basics, an investigation will probably end in a settlement, and a settlement almost always requires a supervised annual HIPAA Risk Analysis. That requirement is at the heart of the corrective action plan.

What is a Corrective Action Plan?

Corrective action plans last one to three years and are designed to manage the specific risks uncovered in the investigation. They give OCR a way to look over the shoulder of violators and keep them in compliance.

They require specific procedures to address the violations OCR discovered, violations that would have been prevented if a proper Risk Analysis had been done in the first place. While the CAP is in place, the organization must submit regular reports to OCR and submit to oversight and audits.

Usually OCR does the oversight, but sometimes the settlement requires the organization to hire (and pay for) a third party to monitor its compliance. It is all very time-consuming and expensive.

The key requirements of a CAP are usually:

  • Conduct a Risk Analysis every year
  • Develop and implement a Risk Management Plan
  • Report events that may lead to HIPAA violations
  • Keep documentation for six years

Other requirements are added to address that organization's specific weaknesses, such as better oversight of business associates, updated policies, or workforce training.

How is HIPAA Compliance Assured?

Strict compliance with the CAP is crucial. Any deviation can void the settlement and free OCR to pursue the original violations, and the statute of limitations is suspended (tolled) while the CAP is in effect. That means an action on the same violations could be brought years later. All of it is costly, time-consuming and unnecessary if a proper Risk Analysis had been done in the first place, with a Risk Management Plan in place.

Avoid the Pain – Do the Right Thing Now

All the pain can be prevented by following the steps of HIPAA compliance. People think it is hard, but it is not if you know the steps. The most important step is a proper HIPAA Risk Analysis, an honest assessment of your risks, followed by a Risk Management Plan specific to your situation. The HIPAA E-Tool® has step-by-step guidance for the Risk Analysis and every question you need to ask, in a form that lets you do it yourself without expensive outside help.

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC
