Resolution Agreements and Civil Money Penalties – A resolution agreement is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement likely would include the payment of a resolution amount. These agreements are reserved to settle investigations with more serious outcomes. When HHS has not been able to reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action through other informal means, civil money penalties (CMPs) may be imposed for noncompliance against a covered entity. To date, HHS has entered into ten resolution agreements and issued CMPs to one covered entity.
A parallel example from outside HIPAA is 42 CFR Part 488, Medicare and Medicaid Programs, Civil Money Penalties for Nursing Homes. That final rule, administered by CMS rather than OCR, updates the Medicare and Medicaid regulations governing the imposition and collection of civil money penalties when nursing homes are found out of compliance.
Several resolution agreements have been in the news lately, including those with the Alaska Department of Health and Social Services (DHSS) and Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (MEEI). Although they originated in very different OCR Regions, the two agreements share several consistent findings and enforcement actions. Both carry significant resolution amounts: $1.7 million for DHSS and $1.5 million for MEEI. Both also impose substantial, and therefore expensive to implement, Corrective Action Plans (CAPs) with short-term and long-term milestones that must be achieved. And both CAPs require an independent third-party expert to monitor the entity's progress, through a “Monitor Plan” and periodic “Monitor Reviews”.
Significantly, OCR identified in both resolution agreements a failure to demonstrate that a thorough analysis of the risks to the confidentiality, integrity and availability of ePHI had been conducted, and kept current, as part of the security management process. This consistent finding points to the first Standard in the HIPAA Security Rule, 45 CFR 164.308(a)(1)(i) Security Management Process, and to its first two Implementation Specifications, (A) Risk Analysis and (B) Risk Management. These sometimes overlooked and oft-delayed measures are the foundation of the Security Rule. Implementing security or corrective measures without first conducting a thorough risk analysis and developing a risk management plan is akin to beginning a long driving trip without looking up the directions; or, to bring the analogy up to date, without at least updating your GPS and bringing it along for the trip. In addition, a Covered Entity or Business Associate must update that analysis and plan periodically, continuing to check progress against the written directions, or the GPS, rather than treating the initial analysis as a one-time exercise.