You may or may not be aware of all of the recent changes to HIPAA (one should at least be familiar with them). New rules for business associates and civil monetary penalties now exist, and a Federal audit program is underway. (I have discussed some of these things in detail in other blogs, so make sure you check them out.) But one thing has been left out of the picture so far, and that is what happens if you are stuck with a breach of your protected health information (PHI). Everyone focuses on being proactive and preventing breaches. Even I do, because let's face it, it's better to stop something before it starts. However, you can follow every regulation to the letter, take every expert's advice, implement it all beautifully and still end up with a breach. So I want to briefly discuss with you something that may or may not become the next big acronym to know: something the government calls a Corrective Action Plan, or CAP for short.
These plans are developed by the Office for Civil Rights (OCR) and are given to covered entities that have experienced significant breaches of their PHI, as an agreement on what steps they will take to ensure further breaches do not happen. To date, only a handful have been issued, 7 to be exact, and all of them have followed large and/or high-profile breaches. (The most recent CAP was given to Blue Cross and Blue Shield of Tennessee in early March, after it lost 57 hard drives containing patient information, affecting more than one million people.) I think CAPs may become more and more prominent going forward, even for "smaller scale" breaches.
A CAP includes a number of items and, at face value, is an agreement between the organization and OCR that the outlined steps will be carried out over a specified period of time (usually 3 years). CAPs normally include specific obligations such as:
- Revising policies and procedures that directly relate to the matter of noncompliance. The new policies and procedures must be approved by OCR and distributed to all workforce members with acknowledgement of receipt and understanding.
- Additional training on the subject matter of the noncompliance. OCR must approve materials and the training must be completed within a specified timeframe.
- Internal monitoring, external monitoring by a third party, or both. Monitoring usually includes unannounced site visits, compliance reviews, investigation of problems, and a written report. In some cases, HHS has required that the monitoring be done by an external party.
- A written implementation report to describe exactly what steps the organization is going to take to achieve compliance.
- For any incident of noncompliance during the agreement period, a report must be sent to OCR detailing how the incident was handled.
- An annual or semiannual report must be submitted to update OCR on progress against the compliance plan.
- The organization must agree to resolve any violation of the CAP's terms within a specified time period or face renewed investigation and additional penalties.
With the frequency of breaches steadily rising, it may not be too far-fetched to imagine CAPs being issued to every entity that suffers a breach. Certainly, the CAPs issued up to this point have carried substantial reporting and administrative requirements, and an organization required to engage an external monitor can expect significant costs to accompany its adherence to the CAP. Regardless of what happens to HIPAA regulations in the future, it seems clear to me that CAPs are going to play (for better or worse) a more prominent role in the remediation process.