In the wake of HHS’s contract with KPMG to perform 150 HIPAA compliance audits in 2011 and 2012, it is clear that the government is moving into a phase of active and aggressive enforcement, which will mean an uptick in the number and types of providers that face HHS OCR investigations and possible penalties. Providers concerned about these investigations should develop a better understanding of the tools that HHS Office of Civil Rights (OCR) has used to resolve major noncompliance with the Privacy and Security Rules: Resolution Agreements and Corrective Action Plans (CAPs). Increasingly, providers who are found to have violated the requirements of HIPAA are asked to sign a Corrective Action Plan, obligating themselves to reporting and monitoring responsibilities that more resemble a Corporate Integrity Agreement (CIA) than a simple settlement agreement.
In 2004 (the first full year for which HHS OCR has published data) 4,799 incidents resulted in 1,393 HHS OCR investigations. Of those investigations, only 74 percent (1,033) resulted in some sort of corrective action. Typically, the corrective action was as simple as a revision of policies, or a commitment to better monitor or account for a particular risk. By 2010, the number of total incidents had nearly doubled to 9,158, spawning 4,229 investigations and 2,703 corrective actions. In 2008, HHS OCR added Resolution Agreements and CAPs to its toolkit. One agreement was entered into in 2008, one in 2009, two in 2010, and as of this writing, two agreements have been published for the first half of 2011, along with the first-ever imposition of a civil money penalty.