When the Department of Health and Human Services’ (DHHS) Office for Civil Rights (OCR) determines that a covered entity or business associate has violated HIPAA, OCR may, in addition to assessing fines, take enforcement action in terms of a HIPAA corrective action plan (CAP).

What is Required under a HIPAA Corrective Action Plan?

OCR may impose a HIPAA corrective action plan to correct the underlying HIPAA privacy and security compliance issues that led to the HIPAA violation in the first place. 

After investigation, entering into a resolution agreement (settlements of serious HIPAA violations) and imposing fines – after all of these measures – OCR may determine that further corrective action is necessary. This corrective action will come in the form of a corrective action plan.

The HIPAA corrective action plan typically imposes significant compliance requirements on covered entities and business associates. A HIPAA corrective action plan often requires a covered entity or business associate to perform a closely-monitored security risk analysis, and to develop a risk management plan. Risk analyses and risk management plans are measures that, under the Security Rule, organizations should have in the first instance; their not existing or not being executed, is what prompts a large number of fines. 

In extreme cases, OCR may require that you hire (at your own expense) a third party to monitor your compliance. Depending upon the severity of the HIPAA violation, a corrective action plan may span a year, or several years. Regardless, when an entity is under a CAP, that entity must make regular reports to OCR, and submit to audits. The plan typically specifies a timeline for completion of its required security measures. Failure to comply with the terms of a corrective action plan is regarded as a breach of the underlying resolution agreement. This failure can lead to additional penalties.

Specific corrective action plan measure may include:

• A requirement to develop, maintain, and revise policies and procedures; provide a copy of these to HHS by a certain date; and then implement them (ensuring to disseminate them to staff) upon HHS approval. This CAP requirement may be issued, for example, when an organization has failed to develop policies and procedures for compliance with the Privacy Rule right of access requirements, or failed to develop policies and procedures governing disposal of PHI.  
• In the case of our hypothetical right of access violation above, OCR may impose an additional corrective action plan measure. This measure may require the violating covered entity to provide HHS with names of business associates who fulfill access requests; and to provide OCR with revised training material on how to fulfill a right of access request. OCR, once it reviews this material and deems it satisfactory, may then require the covered entity to provide training on how to respond to right of access requests.
• Requiring a covered entity to provide a written report to HHS summarizing the status of the corrective action plan by a certain deadline (i.e. 60 days), and requiring a covered entity to submit annual written reports until HHS ends the corrective action plan.