Understanding HIPAA Resolution Agreements and Compliance Obligations

A Resolution Agreement is a formal settlement between the U.S. Department of Health and Human Services (HHS) and a HIPAA-covered entity or business associate. Under the agreement, the organization agrees to take specific corrective actions and submit regular compliance reports to HHS, typically over a three-year period. During this time, HHS monitors the organization’s adherence to these requirements.

If a covered entity fails to demonstrate compliance or complete corrective actions satisfactorily—whether through informal resolution or a resolution agreement—civil money penalties (CMPs), commonly referred to as HIPAA fines, may be imposed.


Common Requirements in a Resolution Agreement

Some typical obligations in a resolution agreement include:

  • Payment: The covered entity must pay the agreed-upon settlement amount within 30 days of the agreement’s effective date.
  • Policy Review: Within 30 days, the entity must review and, if needed, revise its policies related to patient access to protected health information (PHI), including methods for calculating fees.
  • Training: Within 60 days, training materials must be developed and provided to staff on patients’ rights to access their PHI.
  • Access Log Reporting: Every 90 days, starting within 90 days of HHS approval of policies, the entity must submit a log of PHI access requests, including key details such as dates, formats, and costs.
  • Implementation Report: Within 120 days of HHS’s approval of the policies, a written implementation status report must be submitted.
  • Annual Reporting: Each year of the compliance term (e.g., three years) is considered a “Reporting Period.” The entity must submit an annual report to HHS within 60 days of the end of each period.

Additional Enforcement Authorities

In addition to HHS and the Office for Civil Rights (OCR), other agencies may impose penalties:

  • State Attorneys General: For example, Florida’s Consumer Protection Division enforces the Florida Deceptive and Unfair Trade Practices Act and has recovered over $10 billion since 2011.
  • Federal Agencies: The Department of Justice (DOJ), Office of Inspector General (OIG), and Federal Trade Commission (FTC) can also pursue penalties for fraud, privacy violations, or deceptive practices.

Corrective Action Plans (CAPs)

Most resolution agreements include a Corrective Action Plan (CAP) monitored by OCR, typically for two years. CAPs require the entity to take defined steps to address HIPAA compliance deficiencies, including:

  • Conducting a comprehensive risk analysis of potential threats to ePHI.
  • Implementing a risk management plan based on identified vulnerabilities.
  • Updating and maintaining written HIPAA policies and procedures.
  • Providing tailored HIPAA training to workforce members.

OCR Recommendations for Preventing Cyber Threats

To reduce cybersecurity risks, OCR recommends that HIPAA-covered entities and business associates:

  • Identify how ePHI flows through their systems.
  • Integrate risk analysis and management into daily operations.
  • Implement and review audit controls regularly.
  • Use authentication mechanisms to ensure that only authorized users can access PHI.
  • Encrypt ePHI in transit and at rest when appropriate.
  • Learn from past security incidents to strengthen future protections.
  • Provide HIPAA training for all staff.

By proactively implementing these measures, organizations can better protect patient data and avoid costly penalties, enforcement actions, and reputational damage.

If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. Our online compliance system has everything you need to get compliant and stay compliant. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way!

For more information or to speak to someone about HIPAA Compliance call us at 877.659.2467 or use the contact us form.

©2025 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy