Health care organizations, which have failed to comply with HIPAA, take risks to face a Corrective Action Plan (CAP). It is one of the most aggressive enforcement of the Department of Health and Human Services. If the DHHS` Office for Civil Rights detects serious HIPAA violations, they may impose a CAP in addition to substantial fines. The requirements can be issued if an organization does not provide policies and procedures governing the disposal of PHI in accordance with the Privacy Rule. In general, the CAP process is really burdensome and time-consuming.
Outline of a HIPAA Corrective Action Plan
The Office for Civil Rights (OCR) conducts an investigation and then enforces a corrective action plan if needed. Some organizations need to correct their security policies and procedures after analyzing risks and failures. Employees should be trained on how to deal with protected health information. Moreover, it often requires a covered entity or business associate to develop a risk management plan and perform a regular security risk analysis. It is not unheard of for organizations to hire a third party and take several audits to ensure compliance.
The CAP structure usually includes the following steps:
- Preliminary remarks;
- Contact individuals and submissions;
- Effective date and term;
- Time prescription;
- Corrective action obligations;
- Implementation report and annual reports;
- Document retention;
- Breach provisions.
The OCR introduces to an organization the parties involved in the corrective action plan. Then experts indicate the time period and conditions under which the CAP is enforced. It also includes the implementation of annual reports on your progress. You must keep documents and records of your compliance with the CAP for six years from the effective date. If you do not meet CAP demands, it is considered to be a breach of the underlying resolution agreement. In this case, you will possibly get new penalties and fines.
The main purpose of this action is to find the security issues within your organization and make you correct them. Sometimes the CAP timeline can span a couple of years. You will have to submit your organization to audits and report on your progress during this time. All these measures cost a healthcare organization a lot of money, time, and work. It is much better to avoid HIPAA violations and penalties.
Practical Tips to Prevent a CAP
The best way to keep away from corrective action plans is to get in HIPAA compliance beforehand. Healthcare providers should always monitor their organizations for security risks and safeguard PHI. For example, you can implement email encryption to avoid data breaches. No one will be able to access the email but the intended recipient. If you are not sure about your cybersecurity, conduct a risk analysis to find gaps in your system. It will allow you to develop a risk management plan and fix it before a breach occurred.
However, even if you are already HIPAA compliant, you could still face an audit by the OCR. They often want to see well-documented risk analyses that reveal common privacy and security violations. There is a list of common issues that can be a basis for a CAP:
- disclosures of ePHI;
- out of date HIPAA policies;
- breaches caused by staff;
- lack of privacy safeguards;
- patients` inability to access their PHI;
- inaccurate risk analysis.
Once you identified your risks, you are able to take the right measures to eliminate them. Our modern world requires constant development and changes. There is an avalanche of hackers on the network. So, you need to keep pace with technology to prevent cyberattacks and data breaches. Complying with HIPAA will be far less expensive than spending millions of dollars in fines and implementing a corrective action plan.