Corrective Action Plans May Accompany HIPAA Fines
In serious breach cases, the HHS Office for Civil Rights may impose CAPs to prevent breaches from recurring.
The Office for Civil Rights (OCR) in the US Department of Health and Human Services has progressively increased fines for health care providers who experience HIPAA breaches (like Advocate Health Care's 2016 record-setting $5.5 million). These 7-figure fines have garnered a lot of attention, but there is another deterrent that can be just as painful, if not more so: the corrective action plan (CAP).
“Most people are struck by the monetary fine, but if you are subject to a CAP, you quickly realize that it can be a similarly severe penalty,” said Dianne Bourque, of the Boston law firm Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, PC.
Where fines are levied as punishment for breaches, a CAP is intended to correct underlying compliance problems and prevent breaches from recurring. Regulated entities must comply under OCR's strict supervision. According to Bourque, a CAP leaves providers with little control over the timeline or the process for implementing compliance fixes.
"Entities subject to a CAP will spend years under close OCR supervision after settling a breach," Bourque said. “It becomes a very aggressive, closely monitored process. Everything the entity does is subject to OCR's timing and oversight.”
For instance, when the entity has to draft policies and procedures, OCR may allow 30 to 60 days to do so. OCR will review them, and if they don't like the drafts, they will require revisions until the drafts are deemed acceptable. Every step of the CAP will have some kind of deadline.
Another challenge is the introduction of a third-party monitor. CAPs can require the regulated entity to find, retain, and pay a third party to independently monitor compliance efforts in conjunction with OCR's oversight.The monitor will perform site inspections – sometimes unannounced – and can talk with employees, inspect computers, and review compliance materials.
A CAP can also make it more difficult to work with other providers or business partners. For example, a CAP may make it difficult to change a business process without requesting modification of CAP requirements from OCR.
Entities under a CAP can also be required to do additional reporting that which is normally required under HIPAA. The following are examples:
- An entity may have to develop or revise HIPAA compliance policies and procedures, usually within 60 days, and send them to OCR for approval. After OCR provides feedback, the entity may have 30 days to revise the documentation. Then, within 30 days of final approval by OCR, those plans will have to be implemented. The entity may then have another month to provide a comprehensive report to OCR documenting implementation, including completion of an enterprise-wide risk assessment or training dates, for example.
- If encryption is an issue, an entity may have to provide encryption information multiple times over a CAP period. The entity may be required to provide a list of the encrypted devices, written evidence that they were encrypted, and justification for anything not encrypted.
- An entity may be given a limited time frame within which to provide HIPAA security training to all employees, documenting the materials used, topics, and dates of training for OCR.
- CAP-related documentation needs to be retained and available should OCR request it for a number of years beyond a CAP.
In the end, if an entity does not comply with a CAP, OCR can find the entity in breach of its original resolution agreement and impose additional fines.
The good news is that not everyone who has a breach will end up with a CAP. For example, if a breach occurs as a result of human error, but the organization otherwise has a comprehensive, thoughtfully implemented compliance infrastructure, the entity is at much lower risk for a CAP or other aggressive enforcement.
One way to get a compliance program up to snuff is to skim over enforcement actions from organizations that have resolution agreements after a breach. OCR publishes this information for teaching purposes on its website. Organizations can look at the mistakes of other regulated entities to perform a health check on their own compliance programs. The site goes into detail regarding what kind of breach occurred, how OCR became apprised of the situation, and what the organization might have done differently. It also offers copies of CAPs and resolution agreements.
If an organization's compliance program is poor, breaches are more likely, as are regulatory repercussions. This is especially the case if a large number of patients are affected or if the nature of the violation is particularly egregious (even with a small breach).
“We are approaching 20 years of HIPAA and OCR is reasonable to expect organizations to be complying by now,” Bourque said. It should not be surprising that common compliance failures lead to breaches, steeper fines, and more aggressive enforcement.
As fines have gotten larger, CAPs have also become more complicated and onerous. Again, this is a pattern that Bourque said should not shock anyone.
“I can't think of a better incentive than that to get--or keep--your own HIPAA compliance house in order,” she said.