Understanding HIPAA Resolution Agreements and Compliance Obligations

A Resolution Agreement is a formal settlement between the U.S. Department of Health and Human Services (HHS) and a HIPAA-covered entity or business associate. Under the agreement, the organization agrees to take specific corrective actions and submit regular compliance reports to HHS, typically over a three-year period. During this time, HHS monitors the organization’s adherence to these requirements.

If a covered entity fails to demonstrate compliance or complete corrective actions satisfactorily—whether through informal resolution or a resolution agreement—civil money penalties (CMPs), commonly referred to as HIPAA fines, may be imposed.


Common Requirements in a Resolution Agreement

Some typical obligations in a resolution agreement include:

  • Payment: The covered entity must pay the agreed-upon settlement amount within 30 days of the agreement’s effective date.
  • Policy Review: Within 30 days, the entity must review and, if needed, revise its policies related to patient access to protected health information (PHI), including methods for calculating fees.
  • Training: Within 60 days, training materials must be developed and provided to staff on patients’ rights to access their PHI.
  • Access Log Reporting: Every 90 days, starting within 90 days of HHS approval of policies, the entity must submit a log of PHI access requests, including key details such as dates, formats, and costs.
  • Implementation Report: Within 120 days of HHS’s approval of the policies, a written implementation status report must be submitted.
  • Annual Reporting: Each year of the compliance term (e.g., three years) is considered a “Reporting Period.” The entity must submit an annual report to HHS within 60 days of the end of each period.

Additional Enforcement Authorities

In addition to HHS and the Office for Civil Rights (OCR), other agencies may impose penalties:

  • State Attorneys General: For example, Florida’s Consumer Protection Division enforces the Florida Deceptive and Unfair Trade Practices Act and has recovered over $10 billion since 2011.
  • Federal Agencies: The Department of Justice (DOJ), Office of Inspector General (OIG), and Federal Trade Commission (FTC) can also pursue penalties for fraud, privacy violations, or deceptive practices.

Helpful Links:


Corrective Action Plans (CAPs)

Most resolution agreements include a Corrective Action Plan (CAP) monitored by OCR, typically for two years. CAPs require the entity to take defined steps to address HIPAA compliance deficiencies, including:

  • Conducting a comprehensive risk analysis of potential threats to ePHI.
  • Implementing a risk management plan based on identified vulnerabilities.
  • Updating and maintaining written HIPAA policies and procedures.
  • Providing tailored HIPAA training to workforce members.

OCR Recommendations for Preventing Cyber Threats

To reduce cybersecurity risks, OCR recommends that HIPAA-covered entities and business associates:

  • Identify how ePHI flows through their systems.
  • Integrate risk analysis and management into daily operations.
  • Implement and review audit controls regularly.
  • Use authentication mechanisms to ensure only authorized access to PHI.
  • Encrypt ePHI in transit and at rest when appropriate.
  • Learn from past security incidents to strengthen future protections.
  • Provide HIPAA training for all staff.

By proactively implementing these measures, organizations can better protect patient data and avoid costly penalties, enforcement actions, and reputational damage.

If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. Our online compliance system has everything you need to get compliant and stay compliant. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way!

For more information or to speak to someone about HIPAA Compliance call us at 877.659.2467 or use the contact us form.

Healthcare Cyber Attacks went up almost 90% in 2017

By Aris Medical Solutions

There were 132 reported breaches under investigation from Health and Human Services’ (HHS) Office for Civil Rights (OCR) in 2017 related to Hacking/IT Incident. As you review the report you can see how many were related to email and desktop computers.

Click here to see a list of current data breaches: OCR breach portal

So how does this happen? More than likely it has been caused by an unsuspecting employee. Healthcare is typically targeted with ransomware through social engineering. Practices need to be vigilant in educating their staff to be extremely careful when it comes to clicking on emails or surfing the web with their work computers. That is why we always recommend work computers be used exclusively for work. Plus, personal email addresses should never be utilized to communicate with patients or vendors for a number of reasons, this being just one!

There were many server attacks as well. This can happen in the same manner, especially when someone is logged in with administrative rights when they should be logged in as a user instead.

When it comes to cloud storage or cloud based EHRs, these too can be hacked although it is not as common. Most of the time this is caused by a misconfiguration in the network.

What can you do to prevent this from happening to you?

First of all, conduct a full HIPAA Security Risk Analysis, you need to know where your data is in order to create a Risk Management Plan to protect your organization.
Secondly, continual education on new threats to inform your employees how to be diligent.
Most of all, make sure your IT professional is a network security specialist. Doing your own network security is not longer an option, you must utilize a professional to ensure your network is secure. This includes your websites and cloud services.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.

“Protecting Organizations through Automation, Education, and Support”

1557 Discrimination Law – is your practice at risk?

By Aris Medical Solutions

Section 1557 is the nondiscrimination provision of the Affordable Care Act (ACA). The law prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in certain health programs or activities. Section 1557 builds on longstanding and familiar Federal civil rights laws: Title VI of the Civil Rights Act of 1964, Title IX of the Education Amendments of 1972, Section 504 of the Rehabilitation Act of 1973 and the Age Discrimination Act of 1975. Section 1557 extends nondiscrimination protections to individuals participating in:

  • Any health program or activity any part of which received funding from HHS
  • Any health program or activity that HHS itself administers
  • Health Insurance Marketplaces and all plans offered by issuers that participate in those Marketplaces.

Section 1557 has been in effect since its enactment in 2010 and the HHS Office for Civil Rights has been enforcing the provision since it was enacted.
This provision goes much further than most practices are aware of including the fact this rule became effective July 18, 2016.

  • Take steps to ensure 1557 has been addressed:
  • Assign a Civil Rights Coordinator;
  • Revise your policies and procedures;
  • Incorporate a general assessment evaluation;
  • Review the patient intake process;
  • Track all requests for auxiliary aids and services;
  • Monitor performance of interpreter services to ensure effective communication;
  • Review your complaint process;
  • Post a Notice of Nondiscrimination;
  • Post a Nondiscrimination Statement; and
  • Conduct mandatory training for all staff.

Title II of the Americans with Disabilities Act of 1990 (Title II), Section 504 of the Rehabilitation Act of 1973 (Section 504) and Section 1557 of the Affordable Care Act of 2010 (Section 1557) requires an entity to take steps to ensure communication with individuals with disabilities is as effective as communication with others through the use of appropriate auxiliary aids and services. This includes people with as well as language barriers.

OCR has modified the notice requirement in § 92.8 to exclude publications and significant communications that are small in size from the requirement to post all of the content specified in § 92.8; instead, covered entities will be required to post only a shorter nondiscrimination statement in such communications and publications, along with a limited number of taglines. OCR also is translating a sample nondiscrimination statement that covered entities may use in fulfilling this obligation.
In addition, with respect to the obligation in § 92.8 to post taglines in at least the top 15 languages spoken nationally by persons with limited English proficiency, OCR has replaced the national threshold with a threshold requiring taglines in at least the top 15 languages spoken by limited English proficient populations statewide.

Samples can be downloaded here:
https://www.hhs.gov/civil-rights/for-individuals/section-1557/translated-resources/index.html

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.

“Protecting Organizations through Partnership, Education, and Support”

It’s not just HIPAA, think about the FTC!

By Aris Medical Solutions

Federal Trade Commission Logo

All of you know and follow the HIPAA regulations, but you also need to make sure you follow the Federal Trade Commission (FTC) guidelines as well. The Department of Health and Human Services (HHS) released an article explaining about the requirements.
HIPAA involves the Privacy of an individual and FTC Act prohibits companies from engaging in deceptive or unfair acts or practices in or affecting commerce. Keep in mind if you use a third party, you also need a business associate agreement in place. Anytime you share patient information outside of treatment, payment, or healthcare operations (TPO), you must have a written authorization from the patient. Organizations can not mislead patients about what is happening with their health information. The manner in which you share their information must be clear, concise, and written in plain language so they understand.

To read the entire article: https://www.hhs.gov/hipaa/for-professionals/special-topics/HIPAA-ftc-act

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance call 877.659.2467 or click here to contact us.

“Protecting Organizations through Partnership, Education, and Support”

©2025 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC