Ask the Health Law Gurus™: What Is a Civil Monetary Penalty and How Is It Different from an OCR Settlement?
The Health Law Gurus™ are here to help you stay current on issues and breaking news in health law. To help you stay up-to-date, we are excited to announce our new segment, “Ask the Health Law Gurus™.” Each month, we will select a reader’s question and answer it here, on the Health Law Gurus™ blog.
In response to our last blog post, “Historic Moment: Husband Reports Wife’s HIPAA Violation Triggering Six Figure Penalty Against Employer,” we received a question about civil monetary penalties. We address the question below.
QUESTION: What is a civil monetary penalty (“CMP”), and how is it different from a settlement with the Office for Civil Rights (“OCR”) for a violation of the Health Insurance Portability and Accountability Act (“HIPAA”)?
ANSWER: A CMP is a punitive civil penalty. After undertaking an investigation and collecting all necessary information, OCR will typically resolve a HIPAA investigation with a covered entity or business associate in one of two ways: (1) informal settlement – OCR will informally settle the matter through a resolution agreement and a corrective action plan; or (2) formal CMP – OCR will impose a CMP on the covered entity or business associate.
Informal Settlement: The covered entity or business associate and OCR will informally negotiate a resolution agreement and corrective action plan. In the resolution agreement, the covered entity or business associate will agree to settle potential violations of HIPAA by paying a certain sum of money. The covered entity or business associate will also agree to adopt a corrective action plan to address gaps in its compliance with HIPAA and any issues that led to the HIPAA violation.
Formal CMP: If OCR is unable to informally resolve a HIPAA violation through a resolution agreement and corrective action plan or determines that the covered entity or business associate is not cooperating with OCR’s investigation, it may impose a CMP. In assessing the amount of the CMP, OCR considers a number of factors, including: (a) the nature and extent of the violation, (b) the nature and extent of the harm, (c) the covered entity’s or business associate’s history of prior compliance; and (d) the financial condition of the covered entity or business associate. Before OCR imposes a CMP, it will notify the covered entity or business associate and provide it with an opportunity to supply written evidence of any circumstances that would reduce or bar a CMP. If OCR imposes a CMP, the covered entity or business associate may request a hearing in which an administrative law judge decides if the penalty is supported by the evidence gathered throughout the OCR investigation.
Informal Settlements are More Common: History indicates that the majority of HIPAA violations are settled informally through resolution agreements and corrective action plans. OCR has only twice imposed a CMP against a covered entity for violations of HIPAA. Each time, a U.S. Department of Health and Human Services administrative law judge has upheld the imposition of the CMP.
We look forward to your health law questions. If you have a question, please submit it to the Health Law Gurus™ at firstname.lastname@example.org.
DISCLAIMER: This post, and any other answers we provide in response to our readers’ questions, is only intended to provide a basic explanation. It does not constitute legal advice. Please consult a health law attorney for advice specific to individual circumstances.