

Corrective Action Plans: What They Reveal About the State of HIPAA Compliance in America

OCR Corrective Action Plans expose the most common HIPAA failures across healthcare. Here is what they reveal and how to avoid becoming the next case study.

Patient Protect Editorial Team·April 21, 2025·Updated April 11, 2026

What OCR Corrective Action Plans really tell us about HIPAA in America

When the Office for Civil Rights (OCR) investigates a HIPAA complaint or breach, the resolution often includes a Corrective Action Plan — a CAP. These documents are publicly available, legally binding, and remarkably revealing. They show exactly what went wrong, what OCR considers unacceptable, and what the agency requires to fix it.

For independent healthcare practices, CAPs are the closest thing to an answer key for what not to do. The patterns across hundreds of enforcement actions are consistent, specific, and almost entirely preventable.

What a Corrective Action Plan actually is

A CAP is not a fine. It is a remediation agreement attached to a settlement or enforcement action. When OCR finds violations — through a breach investigation, a complaint, or a compliance audit — the resulting resolution typically includes two parts:

  1. A monetary settlement — ranging from $16,000 to over $4 million depending on the severity and duration of noncompliance
  2. A Corrective Action Plan — a detailed, multi-year compliance roadmap that the organization must follow under OCR monitoring

The CAP specifies exactly what the practice must implement, the timelines for implementation, and the reporting requirements to prove completion. Most CAPs run two to three years. During that period, the practice operates under direct OCR oversight — submitting progress reports, producing documentation on demand, and funding independent assessments.

The cost of a CAP extends far beyond the settlement check. Monitored compliance consumes staff time, requires outside consultants, and creates operational drag that persists for years.

The five failures that appear in nearly every CAP

After reviewing publicly available resolution agreements from OCR, the same violations surface repeatedly. These are not edge cases. They are systemic failures that affect practices of every size.

| Failure Type | % of CAPs Citing This |
|---|---|
| Risk Analysis Not Conducted | 61% |
| Inadequate Policies & Training | 49% |
| Improper Access Management | 42% |
| Lack of Encryption | 34% |
| No Business Associate Controls | 28% |

1. Missing or inadequate risk assessments

This is the single most cited failure in OCR enforcement actions. Not a weak risk assessment — a missing one entirely, or one that was conducted once and never updated.

The HIPAA Security Rule requires a thorough and accurate assessment of risks and vulnerabilities to ePHI. OCR expects this to be current, comprehensive, and repeated whenever material changes occur. Most practices that end up with a CAP either never conducted one or treated it as a one-time checkbox exercise years ago.

The risk assessment tool exists specifically to address this gap. It takes less than ten minutes and produces an actual baseline — not a binder that gathers dust.

2. No Business Associate Agreements

Business Associate Agreements (BAAs) are legally required for every vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Every billing company, every IT provider, every cloud storage vendor, every shredding service.

CAPs frequently cite practices that had no BAAs in place — or had agreements that were incomplete, outdated, or missing key provisions. In several high-profile cases, the practice had a BAA template but never executed it with the actual vendor.

3. Insufficient access controls

OCR expects role-based access controls, unique user IDs, automatic session timeouts, and audit logging. CAPs reveal that many practices still operate with shared logins, no automatic logoff, and no system for reviewing who accessed what.

The change from a single shared workstation password to proper access controls is not a technology problem. It is a policy problem — and one that CAPs make clear is non-negotiable.
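The "no system for reviewing who accessed what" gap above is usually closed by actually reading the audit log. The following script is an added illustration for this article, not a Patient Protect tool: it reviews a small constructed EHR audit log for the three control failures OCR keeps citing (one account in use on two workstations at once, sessions left open past the idle timeout with no logoff, and record types viewed outside a role's permissions). The log format, the role permission matrix, the 15-minute timeout and the 5-minute concurrency window are all assumptions chosen for the example.

```python
"""Review a constructed EHR audit log for the access-control gaps OCR cites.

Illustrative example written for this article, not a Patient Protect tool.
Assumed (constructed) log format: ISO timestamp, user, role, workstation,
action, record type. Role permissions, the 15-minute idle timeout and the
5-minute concurrency window are assumptions for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)  # assumed automatic-logoff setting

# Assumed role-based permission matrix (constructed for this example).
ROLE_PERMISSIONS = {
    "front_desk": {"demographics", "schedule"},
    "hygienist": {"demographics", "schedule", "clinical_chart"},
    "billing": {"demographics", "claims"},
}

# Constructed sample log lines; not real data.
SAMPLE_LOG = """\
2025-03-03T08:00:00,frontdesk,front_desk,WS-01,login,-
2025-03-03T08:01:10,frontdesk,front_desk,WS-01,view,demographics
2025-03-03T08:02:00,frontdesk,front_desk,WS-02,view,schedule
2025-03-03T08:40:00,frontdesk,front_desk,WS-01,view,demographics
2025-03-03T08:41:00,frontdesk,front_desk,WS-01,view,clinical_chart
2025-03-03T09:00:00,jsmith,hygienist,WS-03,login,-
2025-03-03T09:05:00,jsmith,hygienist,WS-03,view,clinical_chart
2025-03-03T09:10:00,jsmith,hygienist,WS-03,logout,-
"""


def parse_log(text):
    """Parse the constructed CSV-style log into time-ordered event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, ws, action, record = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "workstation": ws,
                       "action": action, "record": record})
    return sorted(events, key=lambda e: e["ts"])


def review(events, concurrency_window=timedelta(minutes=5)):
    """Return a list of (finding_type, user, detail) tuples."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        # (1) Shared-login indicator: one account active on two different
        #     workstations within a short window.
        for prev, cur in zip(evs, evs[1:]):
            delta = cur["ts"] - prev["ts"]
            if prev["workstation"] != cur["workstation"] and delta <= concurrency_window:
                findings.append(("shared_login", user,
                                 f"{prev['workstation']} and {cur['workstation']} "
                                 f"within {int(delta.total_seconds())}s"))

        # (2) Missing automatic logoff: a gap longer than the idle timeout on
        #     the same workstation with no logout event in between.
        by_ws = defaultdict(list)
        for e in evs:
            by_ws[e["workstation"]].append(e)
        for ws, ws_evs in by_ws.items():
            for prev, cur in zip(ws_evs, ws_evs[1:]):
                gap = cur["ts"] - prev["ts"]
                if gap > IDLE_TIMEOUT and prev["action"] != "logout":
                    minutes = int(gap.total_seconds() // 60)
                    findings.append(("idle_timeout", user,
                                     f"{ws} idle {minutes} min without logoff"))

        # (3) Role-based access: a record type outside the role's permissions.
        for e in evs:
            allowed = ROLE_PERMISSIONS.get(e["role"], set())
            if e["action"] == "view" and e["record"] not in allowed:
                findings.append(("role_violation", user,
                                 f"{e['role']} viewed {e['record']} on {e['workstation']}"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{kind:15} {user:10} {detail}")
```

Run against the sample, the front-desk account produces one finding of each kind while the hygienist's session is clean. A monthly review that produces this kind of output, and a record that someone read it, is the "system for reviewing who accessed what" that a CAP will otherwise impose.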

4. Inadequate workforce training

HIPAA requires training for all workforce members on policies and procedures related to PHI. CAPs consistently cite practices where training either never happened, happened once at onboarding and was never repeated, or was so generic that it had no practical connection to the practice's actual workflows.

Effective training is specific to the role. A front desk receptionist handling intake forms faces different risks than a dental hygienist with EHR access. CAPs require that remediated training programs reflect this reality.

5. No breach notification procedures

Multiple CAPs have cited the absence of documented breach notification procedures. When a breach occurs, practices must notify affected individuals within 60 days, notify HHS, and in some cases notify media outlets. Without a written procedure, practices miss timelines, under-report incidents, and compound the original violation.

What CAPs actually cost

The settlement payment gets the headline. The CAP itself is where the real cost lives.

Direct costs of a typical two-to-three-year CAP:

  • Independent assessor fees: $15,000 to $75,000 per assessment
  • Outside counsel for compliance reporting: $200 to $500 per hour
  • Staff time allocated to documentation and monitoring: hundreds of hours annually
  • Technology upgrades mandated by the plan: varies widely, but rarely under $10,000

Indirect costs:

  • Operational distraction — leadership time spent on compliance reporting instead of patient care
  • Reputational damage — CAPs are public record, searchable, and frequently cited in media coverage
  • Staff turnover — compliance burden creates friction, especially in small teams
  • Insurance premium increases — liability carriers adjust rates after enforcement actions

For a small or mid-size practice, a CAP can consume 10 to 20 percent of annual revenue for two or more years. That is on top of the settlement payment.

How to avoid triggering a Corrective Action Plan

The path to a CAP almost always follows the same sequence: a breach occurs or a complaint is filed, OCR investigates, and the investigation reveals systemic noncompliance that predates the incident. The breach is the trigger. The underlying failures are what produce the CAP.

Prevention means addressing those underlying failures before they are discovered by OCR:

  • Conduct and maintain a current risk assessment. Not once. Continuously. The HIPAA compliance checklist provides a structured roadmap for what this looks like in practice.
  • Audit your BAAs. Every vendor, every year. If you cannot produce a signed, current BAA for every business associate on demand, you have a gap.
  • Implement real access controls. Unique logins, role-based permissions, automatic timeouts, audit trails. No exceptions.
  • Train your workforce — and document it. Annual training at minimum, with additional training when policies change or new threats emerge. Keep signed attestations.
  • Write and test your incident response plan. Document the exact steps for breach identification, containment, notification, and reporting. Then walk through it with your team at least once a year.
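The "audit your BAAs" step above reduces to a question you should be able to answer from a vendor inventory in minutes. The following script is an added example for this article, not part of Patient Protect: it takes a constructed inventory of vendors, skips those that never touch PHI, and flags the gaps that show up in resolution agreements (no BAA at all, a template that was never executed, an expired or soon-to-expire agreement, and agreements missing key provisions). The vendor records, the 90-day renewal window and the provision list are assumptions; the three provisions checked are drawn from the BAA content requirements in 45 CFR 164.504(e), not the full list.

```python
"""Flag business-associate agreement gaps in a constructed vendor inventory.

Illustrative example written for this article, not a Patient Protect feature.
Vendor records are constructed; the 90-day renewal window is an assumption.
"""
from datetime import date, timedelta

# Three of the BAA content requirements in 45 CFR 164.504(e); the full set of
# required provisions is longer and is omitted from this illustration.
REQUIRED_PROVISIONS = {"breach_reporting", "subcontractor_flowdown", "return_or_destroy_phi"}
RENEWAL_WINDOW = timedelta(days=90)  # assumed review horizon

# Constructed sample inventory; none of these are real vendors.
SAMPLE_VENDORS = [
    {"name": "Clearpath Billing", "handles_phi": True,
     "baa": {"signed": date(2024, 1, 15), "expires": date(2026, 1, 15),
             "provisions": REQUIRED_PROVISIONS}},
    {"name": "Northside IT Services", "handles_phi": True, "baa": None},
    {"name": "CloudDocs Storage", "handles_phi": True,
     "baa": {"signed": None, "expires": None,          # template on file, never executed
             "provisions": REQUIRED_PROVISIONS}},
    {"name": "ShredRight", "handles_phi": True,
     "baa": {"signed": date(2022, 5, 1), "expires": date(2025, 3, 1),
             "provisions": {"breach_reporting", "return_or_destroy_phi"}}},
    {"name": "Office Coffee Co", "handles_phi": False, "baa": None},
]


def audit_baas(vendors, today):
    """Return {vendor_name: [gap description, ...]} for PHI-handling vendors."""
    gaps = {}
    for v in vendors:
        if not v["handles_phi"]:
            continue  # not a business associate, no BAA required
        found = []
        baa = v.get("baa")
        if baa is None:
            found.append("no BAA on file")
        else:
            if baa.get("signed") is None:
                found.append("BAA template never executed (unsigned)")
            expires = baa.get("expires")
            if expires is not None:
                if expires < today:
                    found.append(f"BAA expired {expires.isoformat()}")
                elif expires - today <= RENEWAL_WINDOW:
                    found.append(f"BAA expires within {RENEWAL_WINDOW.days} days "
                                 f"({expires.isoformat()})")
            missing = REQUIRED_PROVISIONS - set(baa.get("provisions", ()))
            if missing:
                found.append("missing provisions: " + ", ".join(sorted(missing)))
        if found:
            gaps[v["name"]] = found
    return gaps


if __name__ == "__main__":
    for vendor, items in audit_baas(SAMPLE_VENDORS, today=date(2025, 4, 21)).items():
        print(vendor)
        for item in items:
            print("  -", item)
```

The audit date is passed in rather than read from the clock so the same inventory produces the same report when it is re-run for the annual file. Vendors that clear every check produce no output; an empty report is the state the "on demand" test in the list above expects.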

The bigger picture

CAPs are OCR's corrective mechanism when voluntary compliance fails. The patterns in these documents are a warning — not about exotic security threats, but about basic obligations that hundreds of practices have neglected.

The breach dashboard tracks enforcement actions and breach reports in real time. Reviewing it monthly gives you direct visibility into what OCR is investigating and what kinds of failures are producing enforcement actions right now.

Interactive HIPAA Breach Dashboard displaying U.S. map and breach trends

Healthcare breaches cost an average of $9.8 million per incident. Attacks on independent providers have risen 6x since 2021. The enforcement environment is tightening. The proposed 2025 HIPAA Security Rule amendments would eliminate the distinction between required and addressable safeguards, making many currently flexible requirements absolute mandates.

The practices that end up with Corrective Action Plans are not, in most cases, careless. They are busy, under-resourced, and operating without the infrastructure to stay current. That is exactly the problem Patient Protect was built to solve — continuous compliance for practices that cannot afford a full-time compliance department, but cannot afford the consequences of operating without one.