What Is a HIPAA Corrective Action Plan? The Hidden Cost Beyond the Fine

Last updated: April 5, 2026

TLDR

A HIPAA Corrective Action Plan is a federal monitoring agreement, typically 2–3 years, that OCR imposes after an enforcement action. The 7 standard requirements include risk analysis, policy overhaul, workforce retraining, and quarterly reporting to OCR. For most small practices, the cost of complying with a CAP exceeds the financial penalty. The clearest way to avoid one is to address the three highest-trigger violations before OCR contacts you.

When OCR resolves a HIPAA enforcement action, the financial penalty gets the headline. The Corrective Action Plan is what actually runs your practice’s compliance calendar for the next 2–3 years.

Understanding what a CAP requires — and which violations trigger one — is more operationally relevant than memorizing penalty tiers.

What Is a Corrective Action Plan?

A CAP is a formal agreement between OCR and a covered entity. OCR imposes it when an investigation finds a HIPAA violation and determines that informal resolution is insufficient. The CAP specifies:

  • What the practice must do to remediate the violation
  • The timeline for completing each step
  • The reporting requirements back to OCR during the monitoring period
  • The cooperation obligations if OCR conducts follow-up reviews

CAPs are public record. OCR posts resolution agreements and CAPs on its enforcement page. A practice subject to a CAP appears on that public list for the duration of the monitoring period.

The CAP is separate from the financial penalty. OCR can impose a CAP with a financial penalty, a CAP without a financial penalty, or — in informal resolutions — neither. For small practices, CAPs without penalties do occur when the practice cooperates fully and corrects the violation quickly during the investigation.

The 7 Standard CAP Requirements

While individual CAP terms vary, seven requirements appear consistently in small practice enforcement agreements.

1. Security risk analysis. Complete a documented risk analysis within 60–90 days of the agreement. This is requirement number one in virtually every CAP because its absence is the most common underlying violation.

2. Policy and procedure overhaul. Develop, revise, and implement written HIPAA privacy and security policies. These must reflect the practice’s actual operations — template policies copied unchanged typically don’t satisfy this requirement. Submit the policies to OCR for review.

3. Workforce retraining. Train all workforce members on the revised policies within a defined period, typically 30–60 days of policy implementation. Document attendance. Send OCR proof of completion.

4. Incident reporting obligations. Establish a process to report HIPAA incidents to OCR during the monitoring period. Any new breach or potential violation during the CAP period must be disclosed on a defined timeline. OCR has enhanced visibility into your practice’s operations for the full CAP duration.

5. Designated compliance contact. Identify a specific person as the OCR contact for all CAP-related correspondence. This person is responsible for all reporting obligations and must be available for OCR inquiries.

6. Compliance report submission. Submit compliance reports to OCR on a schedule defined in the agreement — typically quarterly in year one, then annually. Reports document what steps have been completed, what remains outstanding, and any incidents that occurred in the reporting period.

7. Cooperation with follow-up reviews. OCR may conduct follow-up investigations or request additional documentation at any point during the monitoring period. The practice must cooperate fully and on the stated timeline.

How Long Does a CAP Last?

Most CAPs run 2–3 years. The specific duration is set in the resolution agreement.

Some CAPs end early — OCR may close the monitoring period if the practice demonstrates complete remediation ahead of schedule and the compliance reports show no further deficiencies. This is more common in smaller cases where the original violation was isolated and quickly corrected.

Some CAPs are extended. If a practice misses a reporting deadline, submits incomplete documentation, or if OCR finds a new violation during the monitoring period, the CAP can be extended beyond the original end date. Repeated failures to meet CAP obligations can result in additional enforcement.

A 2-year CAP imposes a minimum of 2 years of compliance overhead on a practice that previously had none. Every staff change, every system update, every new vendor relationship has to be evaluated against the CAP terms and potentially reported to OCR.

The Real Cost: Why CAPs Often Exceed the Fine

The financial penalty is a one-time cost. The CAP generates recurring costs across the monitoring period.

The recurring costs include:

  • Legal fees. Most practices engage an attorney to manage OCR correspondence, review compliance reports before submission, and advise on any new incidents that arise during the monitoring period. Legal fees for ongoing OCR engagement commonly run $5,000–$20,000 per year.
  • Consultant costs. Developing compliant policies, running workforce training sessions, and preparing compliance reports often requires outside help for practices without compliance staff. Consulting costs for CAP compliance add $3,000–$10,000 per year in many small practice cases.
  • Staff time. Designating a compliance contact, running training, gathering documentation, and preparing quarterly reports takes real staff hours. In a 5-person clinic, this is time taken from patient care or administrative operations.
  • Remediation technology. Practices without existing compliance tools need them to satisfy CAP documentation requirements. The software cost is typically minor relative to the human costs, but it is an ongoing expense.

A $25,000 penalty (the Comprehensive Neurology amount) paired with a 2-year CAP can generate $30,000–$60,000 in total compliance costs before the monitoring period closes. Practices that treat the headline penalty number as the total cost of enforcement exposure are underestimating the risk.

Which Violations Trigger CAPs?

Three violation types are most likely to result in a CAP for a small practice.

Failure to conduct a security risk analysis. This appears in over 75% of current enforcement actions. OCR’s Risk Analysis Initiative, launched in 2022, specifically targets this deficiency. Bryan County Ambulance Authority’s $90,000 penalty — the first Risk Analysis Initiative action — included a CAP with a full set of remediation requirements. Comprehensive Neurology’s $25,000 case similarly included CAP terms.

Non-cooperation. Non-cooperation converts an investigation that might resolve informally into a formal enforcement action with both a penalty and a CAP. Gums Dental Care’s $70,000 CMP came with monitoring obligations. The CAP in that case was particularly burdensome because the non-cooperation pattern meant OCR had no confidence the practice would self-correct.

Impermissible PHI disclosures. The Manasa Health Center case (PHI in review responses, $30,000) and the Northcutt Dental case (patient list to political campaign, $62,500) both involved intentional or systematic disclosure patterns. These generate CAPs because OCR needs to verify that the practice has implemented controls to prevent recurrence.

How to Avoid a CAP

Each of the 7 CAP requirements maps to a proactive compliance step.

Proactive Steps That Prevent CAP Requirements

  CAP Requirement                 Proactive Equivalent
  Security risk analysis          Complete an annual documented SRA before OCR asks
  Policy overhaul                 Maintain current written HIPAA policies reviewed annually
  Workforce retraining            Run annual documented HIPAA training for all staff
  Incident reporting to OCR       Maintain an internal incident log and breach protocol
  Designated compliance contact   Formally designate a Privacy/Security Officer now
  Compliance report submission    Maintain ongoing compliance records ready for audit
  Cooperation with OCR            Respond to any OCR communication promptly and completely

A practice that has done these seven things before an OCR investigation is already in CAP compliance. If a complaint is filed or a breach triggers an investigation, OCR reviews a practice with existing documentation, trained staff, and a designated compliance contact — the conditions under which informal resolution is most likely.

The practices that get CAPs are, without exception, practices that have not done these things in advance. The CAP forces them to do what a basic compliance program would have accomplished proactively, under federal monitoring, at 3–5x the cost.

DEFINITION

Corrective Action Plan (CAP)
A formal remediation agreement OCR imposes after finding a HIPAA violation. CAPs specify required steps, timelines, and reporting obligations. OCR monitors compliance, typically for 2–3 years. Failure to comply with a CAP is itself a HIPAA violation subject to additional penalties.

DEFINITION

Civil Monetary Penalty (CMP)
A financial penalty OCR imposes for HIPAA violations. CMPs are determined by culpability tier and number of violations. Most publicized enforcement actions are resolution agreements — negotiated settlements that combine payment with a CAP — rather than formal CMPs.

DEFINITION

Resolution Agreement
A negotiated settlement between OCR and a covered entity that combines a financial payment with a CAP. Resolution agreements are the most common outcome of formal HIPAA enforcement actions and are typically announced publicly by OCR.

Q&A

What is a HIPAA Corrective Action Plan and what does it require?

A CAP is a federal monitoring agreement OCR imposes after a HIPAA enforcement action. It includes 7 standard requirements: security risk analysis, policy revisions, workforce retraining, incident reporting to OCR, designated compliance contact, regular compliance reports, and cooperation with follow-up reviews. CAPs typically run 2–3 years. Failing to comply with a CAP requirement is itself a HIPAA violation.

Q&A

Why does a CAP often cost more than the fine?

The financial penalty is a one-time payment. The CAP generates ongoing costs for 2–3 years: legal fees to manage OCR correspondence, consultant costs for policy development, staff time for retraining and documentation, and management time for quarterly or annual reporting. For a small practice with no compliance staff, these costs routinely exceed the penalty amount.

Q&A

How do you avoid triggering a HIPAA Corrective Action Plan?

Address the three highest-trigger violations before OCR contacts you: complete and document a security risk analysis, implement a written review response policy, and establish clear cooperation protocols for any regulatory inquiry. Most CAPs are triggered by exactly the violations that a basic compliance program would prevent.

Want to learn more?

What is a HIPAA Corrective Action Plan?
A CAP is a formal remediation agreement that OCR imposes on a covered entity after finding a HIPAA violation. It specifies the steps the organization must take to achieve compliance and the timeline for each. OCR monitors compliance through regular reporting requirements, usually for 2–3 years. Failing to comply with a CAP is itself a HIPAA violation.
How long does a HIPAA CAP typically last?
Most CAPs run 2–3 years. Some end early if the practice demonstrates full compliance ahead of schedule. Some are extended if the practice fails to meet reporting requirements or OCR finds ongoing deficiencies during the monitoring period.
Does every HIPAA fine include a Corrective Action Plan?
Not every investigation results in a formal CAP, but the majority of formal enforcement actions do include one alongside or instead of a financial penalty. Informal resolutions — where OCR provides technical guidance and closes the complaint — do not include CAPs.
What are the 7 standard requirements in a HIPAA CAP?
The standard CAP requirements are: (1) complete a security risk analysis, (2) develop revised HIPAA policies and procedures, (3) retrain all workforce members, (4) establish an incident reporting process to OCR, (5) designate a compliance contact person, (6) submit compliance reports to OCR on schedule, and (7) cooperate with any follow-up review during the monitoring period.
Which violations most commonly trigger CAPs for small practices?
The three highest-trigger violations are: failure to conduct a security risk analysis, non-cooperation with OCR, and impermissible PHI disclosures. Risk analysis failure is now the dominant trigger due to OCR's Risk Analysis Initiative launched in 2022.
Can a practice avoid a CAP even after an OCR investigation?
Yes. Practices that cooperate fully, correct violations quickly, and demonstrate a functioning compliance program often resolve investigations with informal technical guidance and no formal CAP. Cooperation is the most significant variable in whether OCR pursues formal enforcement.