$750,000 Fine and Corrective Action Plan (CAP)

CAP, or Corrective Action Plan, may be an unfamiliar term to most practices, and it is certainly one they do not want to become familiar with.  But there is a simple explanation of how to avoid both the fine and the CAP.

Let's think about an Action Plan that will help you avoid the Corrective Action Plan.  While there are hundreds of pages in the HIPAA HITECH Act and the Omnibus Rule, there are three key elements to HIPAA compliance: risk assessment, policies and procedures, and training.  Leave out one leg of this three-legged stool and your plan will tip over.  Another key element is the "reasonable and appropriate" rule.  Basically, this says that you only need to comply with rules that fit your organization.

Let’s discuss each major element:

Risk Assessment
There are many versions of a risk assessment, but only one standard is accepted by all, and that is the NIST protocol.  A consultant coming to your site and using this protocol would charge you thousands of dollars.  If they are not using this protocol, the risk assessment may not be acceptable to an auditor.  There are automated programs that use the protocol and are much less expensive than an on-site consultant.  Our partner ACR2 Solutions delivers one of these programs.  The goal of a risk assessment is to show you the gaps in your compliance program so you can fix them before you end up with a CAP.  Periodic risk assessments should show that you are improving.  Remember also that the goal is "Progress not Perfection".

Policies and Procedures
Policies and procedures used to be characterized as a printed manual that sat on a shelf gathering dust.  The 21st-century versions are electronic, accessible to all staff members, and updated on a routine basis, or at least annually.  HIPAA compliance is an ongoing process that needs to change and evolve as your company changes and evolves, and your policies and procedures must reflect that.

Training
Staff training needs to be focused on the updated policies and procedures that have been implemented.  A written policy or procedure that is not followed is a red flag.  Documenting staff training is much easier with online tools that let the staff watch a video, take a quiz, and get a certificate.

If you stay focused on these three things, you can feel assured that you are in a safe harbor.

For more information contact Jack@compliancehelper.com
