OCR CAPs (Corrective Action Plans) in HIPAA settlements are something to pay close attention to, not ignore.

When the news breaks about a settlement with OCR over HIPAA breaches and violations, everyone talks about the money agreed upon to settle. What we really watch closely is the OCR CAP that almost always comes with any settlement. No one seems to talk about it much, but it is where you learn what is really expected of your compliance program.

The Breach

Cancer Care Group, P.C. – On July 19, 2012, a laptop bag containing the ePHI of approximately 55,000 individuals was stolen from an employee’s car in Indianapolis.

August 31, 2015 – $750,000 OCR settlement – 3-year OCR CAP

The CAP spells out, in very specific detail, the hard work the compliance team has to do for the next three years.

If they fail to comply with this CAP, the settlement is over and OCR can, if it chooses, apply the full enforcement options of the law to the letter.

Corrective Action Plan Obligations

  1. Conduct HIPAA Risk Analysis.
  2. Develop and Implement Risk Management Plan.
  3. Review and Revise Policies and Procedures.
  4. Review and Revise Training Program.
  5. Reportable Events.
  6. Annual Reports.

But the details matter.

  1. Conduct HIPAA Risk Analysis: Conduct a current, comprehensive and thorough Risk Analysis… CCG shall submit the Risk Analysis to HHS – within ninety (90) days of the Effective Date – for HHS’ review, and either approval or disapproval.
  2. HHS will respond within 60 days; if it disapproves, it will provide CCG with a detailed, written explanation of the basis of its disapproval, including comments and recommendations that CCG can use to prepare a revised Risk Analysis.
  3. CCG then has 60 days to make updates and resubmit.

This cycle continues until a version is approved.

Then the same cycle starts over for the Risk Management Plan, which must be implemented within 60 days. The same submit-and-review process then applies to the Policies and Procedures (P&P) and the Training Program, although many of the other items carry 30-day timelines.

The last two requirements are completely outside the normal requirements for HIPAA compliance:

Reportable Events

Upon receiving information that a workforce member may have failed to comply with its Policies & Procedures, promptly investigate the matter. If CCG determines, after review and investigation, that a member of its workforce has failed to comply with these policies and procedures, CCG shall notify HHS in writing within thirty (30) days.

Such violations shall be known as Reportable Events. The report to HHS shall include the following information:

  1. A complete description of the event, including the relevant facts, the persons involved, and the provision(s) of the policies and procedures implicated; and
  2. A description of the actions taken and any further steps CCG plans to take to address the matter to mitigate any harm, and to prevent it from recurring, including application of appropriate sanctions against workforce members who failed to comply with its Policies and Procedures.

Annual HIPAA Compliance Reports

CCG shall submit each Annual Report to HHS no later than thirty (30) days after the end of each corresponding Reporting Period (each one-year period).

The Annual Report shall include:

  1. A detailed description of updates or changes, if any, to the risk analysis or risk management plan. This shall include a summary of CCG’s strategy related to the assessment of the potential risks and vulnerabilities to the CIA (confidentiality, integrity and availability) of e-PHI held by CCG; the identification of all outside entities assisting CCG in this process; and documentation related to the security measures CCG implemented or is implementing, if any, to sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level;
  2. A detailed description of any revisions to CCG’s Policies and Procedures and training materials, if any;
  3. A summary of Reportable Events, as defined in section V.E, if any, identified during the Reporting Period and the status of any corrective and preventative action relating to all such Reportable Events; and
  4. An attestation signed by an owner or officer of CCG attesting that he or she has reviewed the Annual Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.

Another important note on how often to do a Risk Analysis:

CCG shall review the HIPAA Risk Analysis annually (or more frequently, if appropriate) and shall promptly update the Risk Analysis in response to environmental or operational changes affecting the security of electronic protected health information. Following an update to the Risk Analysis, CCG shall assess whether its existing security measures are sufficient to protect its electronic protected health information, and revise its Risk Management Plan, Policies and Procedures, training materials, and implement additional security measures, as needed.

Kardon Compliance