Resolution agreements are signed settlement agreements between a covered entity or business associate and the U.S. Department of Health and Human Services (HHS) in which the entity agrees to perform certain obligations as a result of potential HIPAA violations. Entering a resolution agreement is not a finding of violation. Resolution agreements usually contain two parts: a resolution amount and a corrective action plan (CAP). The resolution amount is a monetary payment whose size is determined by the egregiousness of the potential violation. This year resolution amounts have ranged from $25,000 up to $5.5 million.
As of September 1, HHS has entered the largest number of resolution agreements in any single calendar year. We can expect more, especially in light of HHS’s recent announcement that it will investigate repeated breaches affecting fewer than 500 individuals.
Corrective Action Plan
The second part of a resolution agreement is the CAP. It ordinarily contains obligations such as: an enterprise-wide risk analysis; development, revision, and implementation of a risk-management plan to mitigate the security risks identified; annual assessment of potential risks and vulnerabilities to the confidentiality of electronic protected health information (ePHI); review and revision of policies and procedures; HHS review and approval of the revised policies and procedures; workforce training; and annual reporting by a designated internal monitor.
Failure to Comply
Should HHS find that the entity has failed to demonstrate compliance with the CAP, civil money penalties may be imposed against the entity. Given the significant cost of resolution amounts and the burden of HHS oversight for up to three years, it is critical to practice due diligence in identifying and addressing risks and vulnerabilities and in implementing appropriate safeguards to protect PHI in compliance with HIPAA.