Lawrence is the Chair for Obermayer’s Health Care Law Department and Election Law Practice Group. Lawrence’s Health Care Law legal experience includes the representation of Pennsylvania County governments in Behavioral Health Managed...Read More by Author
Ask the Health Law Gurus™: What Is a Civil Monetary Penalty and How Is It Different from an OCR Settlement?
The Health Law Gurus™ are here to help you stay current on issues and breaking news in health law. To help you stay up-to-date, we are excited to announce our new segment, “Ask the Health Law Gurus™.” Each month, we will select a reader’s question and answer it here, on the Health Law Gurus™ blog.
In response to our last blog post, “Historic Moment: Husband Reports Wife’s HIPAA Violation Triggering Six Figure Penalty Against Employer,” we received a question about civil monetary penalties. We address the question below.
QUESTION: What is a civil monetary penalty (“CMP”), and how is it different from a settlement with the Office for Civil Rights (“OCR”) for a violation of the Health Insurance Portability and Accountability Act (“HIPAA”)?
ANSWER: A CMP is a punitive civil penalty. After undertaking an investigation and collecting all necessary information, OCR will typically resolve a HIPAA investigation with a covered entity or business associate in one of two ways: (1) informal settlement – OCR will informally settle the matter through a resolution agreement and a corrective action plan; or (2) formal CMP – OCR will impose a CMP on the covered entity or business associate.
Informal Settlement: The covered entity or business associate and OCR will informally negotiate a resolution agreement and corrective action plan. In the resolution agreement, the covered entity or business associate will agree to settle potential violations of HIPAA by paying a certain sum of money. The covered entity or business associate will also agree to adopt a corrective action plan to address gaps in its compliance with HIPAA and any issues that led to the HIPAA violation.
Formal CMP: If OCR is unable to informally resolve a HIPAA violation through a resolution agreement and corrective action plan or determines that the covered entity or business associate is not cooperating with OCR’s investigation, it may impose a CMP. In assessing the amount of the CMP, OCR considers a number of factors, including: (a) the nature and extent of the violation, (b) the nature and extent of the harm, (c) the covered entity’s or business associate’s history of prior compliance; and (d) the financial condition of the covered entity or business associate. Before OCR imposes a CMP, it will notify the covered entity or business associate and provide it with an opportunity to supply written evidence of any circumstances that would reduce or bar a CMP. If OCR imposes a CMP, the covered entity or business associate may request a hearing in which an administrative law judge decides if the penalty is supported by the evidence gathered throughout the OCR investigation.
Informal Settlements are More Common: History indicates that the majority of HIPAA violations are settled informally through resolution agreements and corrective action plans. OCR has only twice imposed a CMP against a covered entity for violations of HIPAA. Each time, a U.S. Department of Health and Human Services administrative law judge has upheld the imposition of the CMP.
We look forward to your health law questions. If you have a question, please submit it to the Health Law Gurus™ at firstname.lastname@example.org.
DISCLAIMER: This post, and any other answers we provide in response to our readers’ questions, is only intended to provide a basic explanation. It does not constitute legal advice. Please consult a health law attorney for advice specific to individual circumstances.