Resolution Agreements: Brush Up Your Knowledge as OCR Is on Track for a Banner Year



Resolution agreements are signed settlement agreements between a covered entity or business associate and the U.S. Department of Health and Human Services (HHS) in which the entity agrees to perform certain obligations as a result of potential violations. There is no finding of violation when a resolution agreement is entered. Resolution agreements usually contain a resolution amount and a corrective action plan (CAP). The resolution amount is a monetary sanction whose size is determined by the egregiousness of the potential violation. This year resolution amounts varied from $25,000 up to $5.5 million.

As of September 1, more resolution agreements have been entered this calendar year than in any previous year. We can expect more, especially in light of HHS's recent announcement that it will investigate repeat breaches affecting fewer than 500 individuals.

Corrective Action Plan

The second part of a resolution agreement is the CAP. It ordinarily contains obligations such as: an enterprise-wide risk analysis; development, revision, and implementation of a risk-management plan to mitigate security risks; annual assessment of potential risks and vulnerabilities to the confidentiality of electronic protected health information (ePHI); review and revision of policies and procedures; HHS oversight and approval of revised policies and procedures; training; and annual reporting by a designated internal monitor.

Failure to Comply

Should HHS find a failure to demonstrate compliance with the CAP, civil money penalties may be imposed on the entity. Given the significant cost of resolution amounts and HHS oversight for up to 3 years, it is critical to practice due diligence in identifying and addressing risks and vulnerabilities and in implementing appropriate safeguards to protect PHI in compliance with HIPAA.



OCR Issues Bulletin on HIPAA Privacy due to Ebola Outbreak

The Office for Civil Rights (OCR) issued a bulletin on November 10, 2014 on "HIPAA Privacy in Emergency Situations." The stated purpose of the bulletin is to ensure that covered entities and their business associates know how protected health information may be shared during an emergency, and that privacy protections are not suspended during emergencies. OCR issued the bulletin in part because of the recent Ebola outbreak. Read the OCR bulletin here.


HIPAA and Same-sex Marriage: Understanding Spouse, Family Member, and Marriage in the Privacy Rule

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has developed guidance to assist covered entities in understanding how the decision by the Supreme Court in United States v. Windsor may affect certain parts of their HIPAA Privacy Rule obligations.

Spouses Often Play an Integral Role in a Patient's Health


The HIPAA Privacy Rule recognizes that family members, such as spouses, often play an integral role in a patient’s health care.  For example, the Privacy Rule allows covered entities to share information about the patient’s care with family members in various circumstances.


In addition, the Privacy Rule provides protections against the use of genetic information about the individual, which includes certain information about family members of the individual, for underwriting purposes.

OCR’s guidance on HIPAA and Same-sex Marriage addresses the effect of the 2013 Supreme Court decision regarding the Defense of Marriage Act (DOMA) on these provisions, making clear that spouses include both same-sex and opposite-sex individuals who are legally married, whether or not they live or receive services in a jurisdiction that recognizes their marriage.

OCR's guidance on the Windsor decision may be found here.


HIPAA Omnibus Rule Is Here

Anesthesia Compliance Consultants has summarized the major provisions of the HIPAA Omnibus Rule, which will be effective March 26, 2013, with a compliance date of September 23, 2013. The rule will affect anesthesia practices in many ways.


1.  Final modifications to HIPAA

  •   Make business associates of covered entities directly liable for compliance with HIPAA Privacy and Security Rules’ requirements.
  •   Strengthen the limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes, and prohibit the sale of PHI without individual authorization.
  •   Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
  •   Require modifications to, and redistribution of, a covered entity’s notice of privacy practices.
  •   Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
  •   Adopt the additional HITECH Act enhancements to the Enforcement Rule such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.

Lack of HIPAA Policies is Expensive

The Office for Civil Rights announced a settlement of potential violations of the HIPAA Privacy and Security Rules and the Breach Notification Rule on December 27, 2013 with Adult & Pediatric Dermatology, P.C., of Concord, Mass. (AP Derm).

AP Derm settled potential violations with the OCR for a $150,000 payment and a corrective action plan. AP Derm is a private dermatology practice with four locations in Massachusetts and two in New Hampshire.
