March 3, 2025

Welcome to the fourth and final installment of Abyde's HIPAA Investigation Survival Series. We've already reviewed the initial breach, the letter you received, and organizing documentation in response to the letter and data request from the OCR; now we turn to the possible outcomes of a HIPAA investigation.

There are a few possible outcomes for a HIPAA investigation. As discussed at the end of the previous blog post, the ultimate judgment from the OCR could be levied months or even years after the investigation started.

What are the possible outcomes of a HIPAA Investigation?

The most favorable outcome of an investigation is when the OCR closes it. Your OCR investigator will inform you in writing, either by official email or by letter, that your documentation was sufficient, showing that your practice is implementing the right safeguards to secure Protected Health Information (PHI). Once an investigation is closed, you've officially passed it.

However, the OCR can and will levy monetary fines if your documentation is insufficient. Monetary fines range from $141 to over $2 million per violation. Fines are tiered, starting with tier 1, the least serious, based on a genuine lack of knowledge of a violation, up to tier 4, willful neglect of a situation that is not corrected within 30 days. These fines are also adjusted yearly for inflation.

HIPAA fines are categorized into two types: Civil Monetary Penalties and Settlements. Civil Monetary Penalties are imposed when a practice is found guilty of violating HIPAA regulations. Settlements are negotiated between the practice and the OCR, and the practice does not admit to any HIPAA violations when paying the fine. Both forms of penalty are highlighted on the OCR's website as press releases and written about by numerous healthcare compliance news professionals, meaning the fine will live on the internet forever.
Lastly, the OCR can levy a Corrective Action Plan (CAP) in addition to a monetary penalty. A CAP requires a fined practice to be monitored by the OCR for several years, as defined by the CAP. This leaves the practice subject to government scrutiny, another hurdle.

How Can I Avoid This?

Proactive measures are key when it comes to avoiding a HIPAA investigation. By implementing the appropriate safeguards before a situation occurs and properly training all staff, your practice can avoid the common mistakes that lead to breaches. Utilizing a software solution is imperative when handling HIPAA compliance. Outsourcing compliance streamlines it for your practice, freeing your time and providing an easily accessible hub for all documentation.

To learn more about simplifying HIPAA compliance for your practice, schedule a consultation with one of our experts today. To visit our first installment of this series, about the breach that likely causes an investigation, please visit here; to learn more about the audit letter, visit here; and to learn more about organizing documentation for an investigation, visit here.
Fool me once, shame on you… Fool me twice, here’s a Corrective Action Plan
December 16, 2022

On Wednesday, the HHS Office for Civil Rights announced a settlement with a California dental practice over impermissible disclosure of patients' protected health information (PHI). The practice faces potential violations of the HIPAA Privacy Rule for inappropriately using social media to respond to patient reviews and disclosing protected health information in the process. OCR Director Melanie Fontes Rainer stated, "This latest enforcement action demonstrates the importance of following the law even when you are using social media. Providers cannot disclose protected health information of their patients when responding to negative online reviews."

The practice faces a lofty fine of $23,000 and a Corrective Action Plan that will be monitored by the OCR for the next two years. Within the CAP, the practice is responsible for updating and maintaining all policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information. Additionally, all members of the staff must receive training on the updated policies and procedures, to comply with the Privacy Rule, within 30 calendar days of their implementation.

This is the second offense for the same office in the last 5 years. In November 2017, the OCR received a complaint regarding impermissibly disclosed PHI in online review responses. The protected health information included patient names, treatment, and insurance information. Through the investigation, the OCR found other violations, including failure to provide an adequate Notice of Privacy Practices and failure to implement Privacy policies and procedures.

As a word of advice from your HIPAA and compliance experts: review all PHI and Privacy Rule policies and procedures with any members of your staff who handle online reviews and social media responses.
And while you’re at it, for those of you who may use a third party to handle reputation management, check those Business Associate Agreements, and remind them of our best practices.
What is a ‘Corrective Action Plan’?
September 9, 2020

HIPAA Settlements are more than just $$$

If you're like most practices, you might just see $$$ when a HIPAA fine makes the news. And yeah – million dollar fines are no joke. But a HIPAA violation settlement is more than just a dollar sign, and often includes something called a 'corrective action plan'. This corrective action plan, or CAP, is basically equivalent to 'you messed up, here's two years of administrative paperwork to fix your issues and think about what you've done.' Yeah, you read that right – two years. If you thought paying a fine and putting it behind you was the extent of the bad news, we're here to tell you why a CAP is just as important if you're slapped with a HIPAA violation.

ALL the Paperwork

The goal of a CAP is to correct the issues that caused the HIPAA violation in the first place. However, CAP requirements aren't just a simple 'do this next time' and involve quite a bit of paperwork. Over the course of the designated time frame, typically one to two years, practices are required to:

Let's face it, no one likes paperwork (even hearing that word makes us cringe). Having to complete what's required in a CAP is often far more paperwork than maintaining a regular HIPAA compliance program would be – another reason to be compliant before an incident occurs.

Even More Consequences

Failing to complete a corrective action plan within the designated time frame can void the initial settlement and leave a practice open to additional fines and penalties – yikes. It may just be paperwork, but the OCR takes it seriously, and it leaves practices having to juggle a CAP on top of their already full plate of patient care, regular operations, and reputation management after landing in the news for a HIPAA violation. So, who doesn't want to be stuck with a mound of paperwork and the OCR breathing down your neck? (We're raising our hand – both hands, actually.)
Getting ahead of violations by completing the SRA and HIPAA program requirements before a breach, complaint, or audit will save your practice the pain of a CAP and help avoid a violation in the first place. After all, if you have all the right policies, the SRA, and a risk management plan in place before a breach, you've already got the OCR's requirements down – but with less time spent, on your own schedule, and without the OCR looking over your shoulder.