DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
The Department of Health and Human Services' Office for Civil Rights (OCR) enforces the HIPAA law and regulations. OCR has the authority to investigate a covered entity or business associate when there has been an allegation that the covered entity or business associate violated one or more provisions of HIPAA, and to resolve that investigation. OCR may resolve investigations in one of several ways.
One way is by providing technical assistance to the covered entity or business associate. Say that a patient has filed a complaint with OCR, alleging that their healthcare provider (a covered entity) has failed to timely provide the patient with access to their PHI. OCR may choose to resolve the matter by giving the provider documentation that explains the rule requiring providers to provide access to PHI, and asking the provider whether it has any questions on the documentation, the rule, or the requirement to have a policy and procedure covering the patient's right to request (and receive) access to their PHI.
OCR often provides technical assistance to covered entities that have missed a deadline. The HIPAA right of access rule generally requires providers to respond to patient requests for PHI access within 30 days of the request. Upon receiving a complaint alleging that the provider has not timely responded, OCR may give the provider technical assistance. A provider who receives the technical assistance, and who states that they understand and agree to abide by it, is expected to actually follow the assistance. Whether to provide technical assistance is within OCR's discretion.
OCR does not always resolve an investigation with technical assistance. Instead (and this has happened in several cases), if OCR determines during an investigation that there has been a possible, probable, or actual violation of one or more HIPAA provisions, OCR may issue a notice of proposed resolution to settle the matter. In this notice, OCR informs the covered entity that OCR has determined that there has been a possible, probable, or actual violation of HIPAA, and proposes to settle the matter of the potential violation.

Settlement proposals can contain one element or two. A settlement proposal can contain a monetary amount - a dollar figure OCR indicates is acceptable to settle the matter. The proposal may also contain a proposed "corrective action plan" - OCR might, in the settlement, inform the CE or BA that "We propose to settle this investigation for $100,000 and through the CE's or BA's entering into a 2-year corrective action plan (CAP)." Under a CAP, OCR monitors an entity's compliance efforts for the term of the plan.

If OCR issues a notice of proposed settlement, the covered entity or business associate may reply to the notice. The entity may agree to the terms, or attempt to negotiate more favorable terms. If a monetary settlement is eventually reached, the entity complies with that settlement by paying the required sum. If a CAP is imposed, the entity complies with the CAP by taking the specific actions required by the CAP.
In some instances, a covered entity or business associate makes no effort to respond to an offer of technical assistance, or no effort to respond to a proposed settlement. If a covered entity or business associate is non-cooperative - if it refuses to work with the investigator or to contact the investigator by a required deadline - OCR is authorized to impose a civil monetary penalty. In such cases, a "settlement" is not the action OCR would take: settlement requires agreement by two parties, and by definition, a party who has been non-responsive to an OCR investigation has not agreed to anything. A civil monetary penalty is synonymous with the word "fine." Before a civil monetary penalty or fine can be imposed, OCR must obtain authorization from the U.S. Department of Justice to impose it.
An investigation may be resolved by a monetary settlement, the terms of which are included in what OCR calls a "resolution agreement." A settlement is different from a fine: a resolution agreement is a different outcome from the imposition of a civil monetary penalty. If OCR describes having "entered into a settlement for X amount of money" with a HIPAA-covered entity, OCR has settled the matter (entered into a monetary settlement). It has not fined the entity. In contrast, if the headline reads, "OCR imposes civil monetary penalty on entity X," OCR has fined the entity. Most OCR actions involving a monetary payment have involved settlements, not fines. Only in a handful of instances has an entity been completely non-responsive to OCR's investigation or to its attempt to settle potential violations.
An example of a monetary settlement can be found here. An example of the issuance of a civil monetary penalty for failure to cooperate with an OCR investigation can be found here.