What is a HIPAA corrective action plan?

The Department of Health and Human Services Office for Civil Rights (OCR) has secured numerous multi-million dollar settlements from healthcare organizations for HIPAA violations, with recent cases including $3 million from Solara Medical Supplies, $1.5 million from Warby Parker, and $1.19 million from Gulf Coast Pain Consultants. 

According to the HHS, "A resolution agreement is a settlement agreement signed by HHS and a covered entity or business associate in which the covered entity or business associate agrees to perform certain obligations and make reports to HHS, generally for a period of three years." During this period, HHS monitors the covered entity's compliance with its obligations, and if organizations cannot demonstrate satisfactory compliance or corrective action, civil money penalties may be imposed for noncompliance.

A HIPAA corrective action plan (CAP) is a structured remediation program that healthcare organizations must implement following identified compliance violations. According to the OCR enforcement data, these plans serve two purposes:

  • addressing immediate security gaps that led to violations
  • establishing sustainable compliance frameworks to prevent future breaches

Understanding the enforcement landscape

When OCR investigations (whether prompted by breach reports, complaints, or compliance reviews) reveal HIPAA violations, the agency evaluates whether systemic failures contributed to the incident. Single violations might result in technical guidance, but patterns of non-compliance trigger more serious interventions.

The January 2025 resolution agreement between OCR and PIH Health illustrates this escalation. Following a phishing attack that exposed 189,763 individuals' electronic protected health information (ePHI), OCR's investigation uncovered multiple violations beyond the initial breach. PIH failed to conduct accurate risk analyses, implement adequate safeguards, and notify affected individuals within the required 60-day window. The result was a $600,000 monetary settlement plus a two-year corrective action plan requiring fundamental changes to PIH's privacy and security programs.

As noted in training materials from the University of North Carolina Privacy Office, corrective action plans address seven elements of privacy compliance:

  • professional standards
  • policies and procedures
  • training
  • auditing
  • incident reporting
  • investigations
  • sanctions

This comprehensive approach reflects OCR's shift from addressing individual incidents to requiring company-wide transformation.

Gordon et al., writing in the Journal of AHIMA, emphasize that effective compliance requires understanding how PHI flows throughout an organization. "The risk assessment process serves as a useful institutional checkup for privacy practices in the digital age," they note, providing "the necessary blueprint for action in the development and implementation of a HIPAA privacy compliance program."

Core components and timelines

Modern corrective action plans impose strict deadlines and specific deliverables across multiple compliance domains:

  • Enterprise risk analysis (30-120 days): Organizations must inventory all systems containing ePHI and assess vulnerabilities across their entire technology infrastructure. PIH's CAP required submitting their risk analysis methodology within 30 days for OCR approval, then completing the full assessment within 120 days. This includes affiliated entities, business associates, and third-party vendors.
  • Risk management planning (60 days post-analysis): Following risk identification, organizations must develop remediation strategies addressing each vulnerability. PIH's plan required documenting specific timelines, resource allocations, and success metrics for every identified risk. OCR reviews these plans iteratively, often requiring multiple revisions before approval.
  • Policy overhaul (60 days post-approval): CAPs mandate comprehensive policy updates addressing impermissible uses and disclosures, minimum necessary standards, sanctions for violations, security awareness requirements, and breach notification procedures. Organizations must demonstrate how revised policies close specific gaps identified during the investigation.
  • Workforce training (90 days from policy approval): All employees with PHI access must complete HIPAA training on new policies and procedures. PIH's agreement required signed certifications from every workforce member, with the organization prohibited from granting PHI access to anyone who hasn't completed training. Annual retraining continues throughout the compliance period.
  • Implementation verification (120 days): Organizations submit detailed reports documenting compliance efforts, including attestations from senior leadership, copies of training materials, lists of all covered locations, and evidence of policy distribution. These reports become legal documents that OCR can reference in future enforcement actions.
  • Ongoing monitoring (continuous): CAPs establish "Reportable Events" provisions requiring immediate OCR notification whenever workforce members violate HIPAA policies. This creates a self-reporting obligation that continues throughout the compliance term, with organizations essentially auditing themselves on OCR's behalf.
Avoiding corrective action plans

The UNC Privacy Office identifies common triggers that lead to CAPs:

  • unencrypted devices containing ePHI
  • insufficient risk assessments dating back years without updates
  • email compromises exposing patient data
  • failure to execute business associate agreements with vendors

Document retention requirements add another layer of complexity. Organizations must maintain all CAP-related documentation for six years beyond the agreement's end date, meaning a two-year CAP creates an eight-year documentation obligation. This includes training records, risk assessments, policy versions, audit logs, and correspondence with OCR.
FAQs

Can organizations negotiate CAP terms?

While organizations can request extensions for specific deadlines with advance written notice, the core requirements and compliance standards are generally non-negotiable once the resolution agreement is signed.
What is electronic protected health information (ePHI)?

Electronic protected health information is any individually identifiable health information that is created, received, maintained, or transmitted in electronic form by a covered entity or business associate. This includes patient records, billing information, and any health data stored on computers, transmitted via email, or maintained in electronic health record systems.
What is a risk analysis under HIPAA?

A risk analysis is an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.