HIPAA Corrective Action Plan: Steps to Address and Remediate Compliance Issues

HIPAA Corrective Action Plan: Steps to Address and Remediate Compliance Issues

HIPAA violations often result in hefty penalties and fines. On top of that, covered entities may also need to submit a corrective action plan (CAP) after violating HIPAA. Failure to comply with HIPAA can take a toll on patients and even cause damage to your organization’s reputation.

Read on to discover why developing and implementing an effective HIPAA corrective action plan can help address violations and mitigate future consequences.

HIPAA Corrective Action Plan: Steps to Address and Remediate Compliance Issues

Understanding the HIPAA Corrective Action Plan

A HIPAA corrective action plan is a remedial action imposed by the Office for Civil Rights (OCR) on liable covered entities or business associates. CAPs are developed to keep medical providers compliant with HIPAA regulations. These typically last one to three years until the organization fully corrects the underlying compliance issues.

The OCR requires covered entities to revise their policies and specific procedures to manage the security risks found from the investigation. Organizations are also required to submit reports to OCR during this period.

What Triggers a HIPAA Corrective Action Plan?

The primary purpose of a HIPAA corrective action plan is to resolve privacy and security issues that stem from HIPAA violations. After an investigation, the OCR forwards a resolution agreement to the covered entities involved. This document highlights the amount of settlement, penalties, and the details of the CAP.

Sometimes, the OCR will require the organization to hire a third party to monitor and assess your compliance, which can be costly. While the CAP is ongoing, covered entities must submit regular reports to OCR for updates on the current status.

HIPAA Corrective Action Plan: Steps to Address and Remediate Compliance Issues

Developing an Effective Corrective Action Plan

An excellent corrective action plan addresses not only the surface issues but also the root cause of the HIPAA violation. When developing a CAP, consider including the following elements:


First, the preamble states that the parties, including the covered entities or business associates, will enter the CAP. It also gives an overview of what to expect in the rest of the document.

Contact persons and submissions

Second, this part indicates the authorized representatives and contact persons from the organization and the OCR. It also shows proof of submissions, such as emails, notifications, and reports.

Effectivity date and terms of CAP

This section outlines the particular terms of compliance that apply to the implementation of the CAP. It also specifies the obligations of the covered entity. The stated conditions will also indicate when the compliance term ends.


The period designated for the CAP, from start to finish, shall be determined solely by the OCR.

Corrective action obligations

The most crucial part of the HIPAA corrective action plan indicates what the organization needs to do and what must be revised in its current policies and procedures. It also highlights important compliance efforts such as employee training, business associate management, reporting failures, and more.

Implementation report and annual reports

Organizations must report a summary of their implementation efforts. They must also submit an annual report to the OCR while the CAP is ongoing. This includes a copy of the training materials used and the attestation signed by the covered entity’s authorized representative.

Document retention

All files and records relating to compliance with the CAP must be stored for safekeeping for six years from the effective date. It’s best to keep them accessible and secure as the OCR may ask for those documents after years of resolution.

Breach provisions

Lastly, this section specifies that organizations must comply with the corrective action plan. It also indicates that they may submit a timely written request for an extension at least five days before the expected due date.

HIPAA Corrective Action Plan: Steps to Address and Remediate Compliance Issues

Monitoring and Evaluating the Effectiveness of the CAP

Risk assessments are there for a good reason. Performing security checks can help determine the effectiveness of your corrective action plan. Without a risk analysis, you won’t be able to identify possible vulnerabilities, putting your system at further risk of committing another HIPAA violation.

CAPs may last for several years. During this period, you should be doing regular audits. Also, note the OCR’s strict timeline when submitting your progress reports. Failure to abide by the resolution terms may result in an agreement breach.

Avoiding a CAP by Ensuring Compliance

The only way to prevent obtaining a notice of corrective action plan from the OCR is by staying HIPAA compliant. Covered entities, including private practice clinics, hospitals, and other healthcare organizations, must strictly monitor and safeguard patient PHI to avoid HIPAA violations. By being proactive in HIPAA compliance, you can spare your organization from implementing CAP, which requires additional spending on hiring consultants and training staff.

Kent Cañas

Kent is a content strategist currently specializing in HIPAA-compliant online fax. Her expertise in this field allows her to provide valuable insights to clients seeking a secure and efficient online fax solution.

More great articles
When Is HIPAA Misused or Abused?
When Is HIPAA Misused or Abused?

When is HIPAA misused or abused? Follow along to gain a deeper insight into what can lead to the misuse…

Read Story
HIPAA Violation Statistics: Key Insights and Trends
HIPAA Violation Statistics: Key Insights and Trends

This article provides an in-depth overview of HIPAA violation statistics, including trends and key insights into the types of violations…

Read Story
Medical Record Mishandling: Risks, Consequences, and Best Practices
Medical Record Mishandling: Risks, Consequences, and Best Practices

This article examines the issues of medical record mishandling, highlighting their consequences and what can be done to prevent them.

Read Story
Subscribe to iFax Newsletter
Get great content to your inbox every week. No spam.

    Only great content, we don’t share your email with third parties.