The good news is that not everyone who has a breach will end up with a CAP. For example, if a breach occurs as a result of human error, but the organization otherwise has a comprehensive, thoughtfully implemented compliance infrastructure, the entity is at much lower risk for a CAP or other aggressive enforcement.
One way to get a compliance program up to snuff is to review the enforcement actions taken against organizations that entered into resolution agreements after a breach. OCR publishes this information for teaching purposes on its website.
Organizations can look at the mistakes of other regulated entities to perform a health check on their own compliance programs. The site goes into detail regarding what kind of breach occurred, how OCR became apprised of the situation, and what the organization might have done differently. It also offers copies of CAPs and resolution agreements.
If an organization’s compliance program is poor, breaches are more likely, as are regulatory repercussions. This is especially the case if a large number of patients are affected or if the nature of the violation is particularly egregious (even with a small breach).
“We are approaching 20 years of HIPAA and OCR is reasonable to expect organizations to be complying by now,” Bourque said. It should not be surprising that common compliance failures lead to breaches, steeper fines, and more aggressive enforcement.
As fines have gotten larger, CAPs have also become more complicated and onerous. Again, this is a pattern that Bourque said should not shock anyone.
“I can’t think of a better incentive than that to get (or keep) your own HIPAA compliance house in order,” she said.
This article originally appeared on Cancer Therapy Advisor