When you think "HIPAA violation," you probably picture patient complaints, invasive investigations, and millions of dollars in fines. Lost dollars certainly take a toll on an organization. But there is another side of HIPAA enforcement that can be more burdensome, time-consuming, and painful than the fine itself: the corrective action plan.
What is a Corrective Action Plan?
A corrective action plan (CAP) is an enforcement tool the Office for Civil Rights (OCR) uses against a HIPAA covered entity or business associate that OCR has found in violation of the HIPAA Rules. The purpose of the CAP is to fix the underlying compliance failures that led to the violation(s), not just to penalize them. A CAP is typically attached to a resolution agreement: OCR investigates, the organization agrees to settle, usually pays a monetary amount to HHS, and commits to the CAP's obligations as a condition of the settlement.
A CAP often requires you to perform a closely monitored security risk analysis and develop a risk management plan. You should already be doing this; an accurate and thorough risk analysis is a standing requirement of the Security Rule (45 CFR 164.308(a)(1)(ii)(A)), not something that starts with enforcement. When you don't conduct a risk analysis, you are blind to your own risks and vulnerabilities, and you open your organization up to all kinds of security incidents and HIPAA violations. OCR may also require you to hire an independent third party to monitor your compliance, adding yet another burden.
CAPs typically run for one to several years. During this time, you or your business associate must regularly report to OCR and may be subject to review and monitoring. In effect, OCR looks over your shoulder to make sure you come into compliance with HIPAA. Every step of the CAP must be completed on the timeline the CAP prescribes. Keep in mind that failing to carry out the terms of a CAP is a breach of the resolution agreement, which can expose your organization to civil money penalties for the original violations.
See the chart below for the OCR's total number of resolutions since 2003. Some cases close with no violation found; in many others, OCR resolves the case by requiring corrective action.
Outline of a CAP
Corrective action plans are structured according to the following outline:
- Preamble. This introduces the parties involved in the CAP.
- Contact Persons and Submissions. This names the contact people for your organization and for OCR and specifies how required submissions must be delivered. Keep proof of every report you submit to OCR.
- Effective Date and Term of CAP. This is the time period and conditions under which the CAP is enforced.
- Time. This defines how deadlines in the CAP are computed, for example when a period begins to run and how weekends and holidays are counted.
- Corrective Action Obligations. This is the meat of the CAP. It lists everything OCR requires your organization to do, which can include revising policies and procedures, managing business associates, training the workforce, and reporting any workforce member's failure to comply with the policies the CAP requires.
- Implementation Report and Annual Reports. The implementation report summarizes the status of your efforts to put the requirements of the CAP into practice. The annual report is a summary that you submit to the OCR every year during the term of the CAP.
- Document Retention. You must keep documents and records demonstrating your compliance with the CAP for six years from the effective date. OCR may request those documents years after the resolution.
- Breach Provisions. This defines what counts as a breach of the CAP, how OCR notifies you of a breach and the window you have to cure it, and how to request an extension of a deadline. An uncured breach of the CAP is a breach of the resolution agreement and can lead to civil money penalties.
Example of a CAP in Action
Recently, OCR entered into a resolution agreement and CAP with Bayfront Health – St. Petersburg after it initially failed to provide a mother access to her fetal monitoring records and then produced them well beyond the 30 days (extendable once by up to 30 days) that HIPAA allows for responding to an access request. This violated the Privacy Rule's right of access. Bayfront Health agreed to pay the Department of Health and Human Services (HHS) $85,000 and to complete the following corrective actions:
- Develop, maintain, and revise its right-of-access policies and procedures, provide them to HHS within 60 days, implement them within 30 days of HHS's approval, and distribute them to staff within 30 days
- Update the Designated Record Set Policy in relation to the right of access policy
- Within 60 days of HHS's approval of the access policies and procedures, provide HHS with the names of the business associates that fulfill access requests on its behalf, along with the training material for its workforce and those business associates; then, within a further 60 days, train staff and those business associates on the approved access policies and procedures
- Provide a written report to HHS summarizing the status of the CAP within 120 days and annual written reports until HHS terminates the CAP
Clearly, CAPs are a heavy burden on healthcare organizations. Following a corrective action plan through to completion costs a great deal of money, time, and staff effort.
How Do I Prevent an OCR Audit and Corrective Action Plan?
The simple answer? Get in compliance with HIPAA!
The longer answer? Conduct periodic risk analyses to discover gaps and risks in your HIPAA compliance, then use the results to build a risk management plan that closes those gaps and reduces the risk to your patients' data. If OCR audits or investigates you, it will want to see thorough, complete, and well-documented risk analyses and evidence that you acted on them.
A risk analysis will surface the same privacy and security problems that most often end up as complaints to OCR. Common issues include:
- Impermissible uses and disclosures of protected health information (PHI)
- Incomplete/inaccurate risk analysis or risk management plan
- Lack of privacy safeguards to protect PHI
- Insecure transmission of ePHI or lack of security safeguards
- Inability of patients to access their PHI
- Lack of software patching
- Lack of business associate agreements with vendors that create, maintain, receive, or transmit PHI on your behalf
- Breaches caused by employees
- Failure to keep policies and procedures up to date and to train staff on them
If you find one of these or other HIPAA violations at your organization, don't look the other way or assume OCR won't find out. OCR doesn't expect a perfect, foolproof HIPAA program; with the complexity of modern healthcare, some risk is unavoidable.
What OCR does expect is that you know your risks. You can accept low-risk issues as long as you document why you accepted them, but for the major risks, OCR wants to see a plan to address them and evidence that the plan is being carried out.
Need Help Getting Started?
1. We developed this prep guide to help you establish policies and procedures and staff training that will equip your team to respond to complex medical record requests.
2. Risk Analysis Guide
3. Outsourced Risk Analysis by HIPAA Experts
Our HIPAA experts can also conduct an annual risk analysis for you. We do a site walk-through, interview your staff, and scan your technical assets for vulnerabilities. We then compile a security risk analysis (SRA) report and a risk management plan to help you address the risks we find. If you're interested, please reach out to us at firstname.lastname@example.org.