New CAP Calls for Compliance Rep, External Assessor

The most recent settlement between a HIPAA covered entity (CE) and the HHS Office for Civil Rights (OCR) calls for an extensive, three-year corrective action plan (CAP) (see story p. 1).

In several ways, the CAP deviates from the norm. Among the unusual requirements in the CAP that accompanied 21st Century Oncology’s (21CO) $2.3 million settlement are the hiring of an external “assessor” who must make surprise visits to the practice’s locations, submission of 21CO’s business associate agreements (BAAs), and reporting to OCR all violations of HIPAA policies and procedures.

The CAP makes repeated references to electronic protected health information (ePHI), though as a CE, 21CO and its workforce are required to safeguard protected health information (PHI) regardless of where it is used or disclosed, including on paper. A review of the CAP may be a useful exercise for CEs and business associates (BAs) as it lays out OCR’s current thoughts on compliance and oversight, spelling out strategies these organizations can adopt to ensure their own efforts are up to snuff.

The following are highlights of the CAP.

◆ 21CO is required to appoint a compliance representative (CR) who “shall be responsible for assuring 21CO’s compliance with this Agreement and the CAP and for arranging for the provision of such assistance as 21CO may require to comply with the Agreement and the CAP, including, but not limited to, arranging for and/or providing policies, procedures, training and internal monitoring services, and including after resolution of 21CO’s bankruptcy.” The CR must be “knowledgeable about the HIPAA Rules and about the policies and practices of 21CO with respect to” ePHI.
