A Corrective Action Plan (CAP) is an enforcement action the Office for Civil Rights (OCR) demands a Covered Entity or Business Associate undertake in response to a violation of HIPAA laws. The CAP is to correct compliance issues that led to the HIPAA violation(s). A CAP requires the organization to perform a closely monitored Security Risk Analysis (SRA) and to develop a risk management plan, reporting back to OCR on these, which are already expected (and required) to be in place per the HIPAA Security Rule.
Depending on the violation/breach other areas that will be addressed may include:
- Requirements to develop, maintain and, if necessary, revise policies and procedures, providing copies to HHS/OCR. Once approved these will need to be disseminated to staff.
- Right of Access policies and procedures updated depending on the violation, to include staff training in this area.
- Staff training on all things HIPAA, security awareness and cybersecurity updates and reminders.
The CAP may remain in place for up to three years, depending on the severity of the HIPAA violation/breach. OCR will expect regular implementation reports summarizing the status of the organization’s efforts to put the requirements of the CAP into practice.
How to prevent an OCR investigation and a CAP? Complete the requirements for HIPAA Privacy and Security compliance. Safeguard PHI at all levels to avoid HIPAA violations.
HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.