What is the Difference Between an OCR HIPAA Settlement and an OCR HIPAA Fine (Civil Monetary Penalty)?

Modified on Mon, 28 Jul at 12:16 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

This article discusses the differences between two types of Office for Civil Rights (OCR) enforcement actions: a settlement agreement (formally called a "Resolution Agreement"), in which OCR resolves an enforcement action with a covered entity or business associate through the covered entity's or business associate's payment of a monetary sum, and an enforcement action under which OCR imposes a fine (formally known as a "Civil Monetary Penalty," or CMP).

How Does OCR Enforce Compliance With HIPAA?

The Department of Health and Human Services' Office for Civil Rights (OCR) enforces the HIPAA law and regulations. OCR has the authority to resolve investigations of a covered entity or business associate when there has been an allegation that the covered entity or business associate violated one or more provisions of HIPAA. OCR may complete investigations in one of several ways.


What is Technical Assistance?

One way is by providing technical assistance to the covered entity or business associate. Say that a patient has filed a complaint with OCR, alleging that their covered entity healthcare provider has failed to timely provide the patient with access to their PHI. OCR may choose to resolve the matter by giving the provider documentation that explains the rule requiring providers to provide access to PHI, and by asking whether the provider has any questions on the documentation, the rule, or the requirement to have a policy and procedure covering the patient's right to request (and receive) access to their PHI. It is expected that an entity that receives the technical assistance, and that states that it understands and agrees to abide by the technical assistance, actually follows the assistance. OCR has the discretion to provide technical assistance.


What is a Resolution Agreement?

OCR may choose not to provide technical assistance upon completion of an investigation. It may instead propose another course of action. If OCR determines during an investigation that there has been a possible, probable, or actual violation of one or more HIPAA provisions, OCR may issue a notice of proposed resolution to settle the matter.


In this notice, OCR informs the covered entity that OCR has determined that there has been a possible, probable, or actual violation of HIPAA, and proposes to settle the matter of the potential violation. 

Proposed resolutions commonly contain one element or two. A proposed resolution agreement can contain a monetary amount: a dollar figure, payable to OCR, that OCR indicates is acceptable to settle the matter. The proposal may also contain a proposed "corrective action plan." OCR might, in the settlement, inform the covered entity (CE) or business associate (BA) that "We propose to settle this investigation for $100,000 and through the CE's or BA's entering into a 2-year corrective action plan (CAP)." Under a CAP, OCR monitors an entity's compliance efforts. If OCR issues a notice of proposed settlement, a covered entity or business associate may reply to the notice. The covered entity may agree to the terms, or attempt to negotiate more favorable terms. If a monetary settlement is eventually reached, an entity complies with that settlement by paying the required sum. If a CAP is imposed, an entity complies with the CAP by taking the specific actions required by the CAP.

In some instances, a covered entity or business associate makes no effort to respond to a request for technical assistance, or no effort to respond to a proposed settlement. If a covered entity or business associate is non-cooperative (if it refuses to work with the investigator or to contact the investigator by a required deadline), OCR is authorized to issue a civil monetary penalty. In such cases, a "settlement" is not the action OCR would take: settlement requires agreement by two parties, and by definition, a party who has been non-responsive to an OCR investigation has not agreed to anything. A civil monetary penalty is synonymous with the word "fine." Before a civil monetary penalty or fine can be imposed, OCR must seek approval from the U.S. Department of Justice to impose it.

An investigation may be resolved by a monetary settlement, the terms of which are included in what OCR calls a "resolution agreement." A settlement is different from a fine.


OCR may also, under certain circumstances, seek to take enforcement action by proposing a civil monetary penalty (CMP). A civil monetary penalty is, in essence, a fine. Commonly, OCR seeks a CMP after it has attempted a resolution and has been unsuccessful (for example, the HIPAA-regulated entity has not responded to the proposal or has refused to otherwise respond to OCR since the proposal was issued). Resolution agreements are different outcomes from impositions of civil monetary penalties. Both are enforcement actions. The former is essentially a "settlement" or resolution (agreement), while the latter is essentially a "fine" (it is generally only issued after attempts at resolution have failed).

Most OCR actions involving a monetary payment have been resolution agreements (settlements), not civil monetary penalty actions. An example of a monetary settlement can be found here. An example of the issuance of a civil monetary penalty for failure to cooperate with an OCR investigation can be found here.
