On the Tenth Day of Privacy, OCR Gave to Me.....

.................a cumbersome C-A-P

Written by Dianne Bourque 

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has received tremendous publicity in recent years for its upward-trending fines and aggressive enforcement of HIPAA violations.  Seven-figure fines are becoming the norm for serious violations; for example, in May of this year, OCR fined a hospital and a university a combined total of $4.8 million for their separate HIPAA violations.  While the risk of steep fines and bad publicity should be sufficient motivation for regulated entities to maintain a robust HIPAA compliance program, there is another aspect of HIPAA enforcement that receives far less media attention but can be just as onerous: the corrective action plan, or “CAP.”

Much like a year-long membership in the Jelly of the Month Club, the CAP is the gift that keeps on giving – the whole year.  Actually, most CAPs spread the cheer for at least three years following an initial OCR settlement.  For the 10th Day of Privacy, we take a closer look at the CAP.

When OCR settles a serious HIPAA violation with a regulated entity, it typically requires the entity to enter into a resolution agreement: a contract signed by both the regulated entity and OCR that obligates the entity to perform various compliance-related tasks and to submit to monitoring for up to a three-year period.  The compliance-related tasks are set out in the CAP, which is attached to the resolution agreement.  Failure to comply with CAP requirements may constitute a breach of the entire resolution agreement and expose the entity to further penalties and enforcement.  The following CAP provisions give a sense of the compliance tasks and other requirements that regulated entities have received through their OCR resolution agreement CAPs.

  • Designate an independent, third-party monitor with expertise in HIPAA Security Rule compliance to monitor and review compliance with the CAP.  The monitor must submit a formal, written monitoring plan to OCR for OCR’s review and approval and must update the plan on at least an annual basis.

  • Within 120 days of the CAP effective date, at one year following the effective date, and at the conclusion of the following year, provide an update to OCR regarding encryption, including: (i) the percentage of all devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) that are encrypted at that point in time; (ii) evidence that all new devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) have been encrypted; (iii) an explanation for the percentage of devices and equipment that are not encrypted; and (iv) a breakdown of the percentage of encrypted devices and equipment for each specific facility and worksite.

  • Agree to unannounced site inspections by an independent, third-party monitor, who may interview employees, inspect laptops and USB flash drives, and review training documentation to confirm compliance with CAP requirements.

  • Develop comprehensive written privacy and security policies and provide them to OCR within sixty (60) days of the CAP effective date, revise and resubmit the draft policies and procedures within thirty (30) days of receiving OCR’s comments, and implement the draft policies and procedures within thirty (30) days of OCR’s approval.

  • Provide a comprehensive “implementation report” to OCR within 60 days of policy and procedure approval, with evidence of policy and procedure implementation, such as a comprehensive risk assessment, copies of training materials, and verification of the dates on which training was held.

  • Within 120 days of the CAP effective date, provide security awareness training to all employees, and document to OCR: (i) the training materials; (ii) all topics covered; (iii) the length of each session; and (iv) the dates when the sessions were held.

The CAP makes a fruitcake look a lot more appealing, doesn’t it?  So how do you avoid getting an OCR CAP?  The best way is to engage in the types of practices a CAP would require, but before a violation occurs rather than after.  All regulated entities should have written policies and procedures, documented training, encryption in accordance with industry standards, and the ability to withstand a third-party inspection or audit.  Focusing on these and other compliance tasks will help you avoid violations in the new year and re-gift that CAP to another, more "deserving" recipient.