OCR Corrective Action Plan: What to Expect and How to Respond

By GuardWell Compliance Team·May 23, 2026·11 min read

You have been through an OCR investigation. The interviews, document requests, and anxious weeks of waiting have led to this: the Office for Civil Rights has determined that your practice violated HIPAA and is requiring a corrective action plan. If you are reading this, you are probably holding the resolution agreement or the letter outlining what OCR expects you to do next. This is the enforcement mechanism that most practices fear — but understanding what a CAP actually requires and how to execute it effectively is the difference between a manageable compliance project and an escalating enforcement nightmare.

What a Corrective Action Plan Actually Is

A corrective action plan (CAP) is a formal, binding agreement between your practice and OCR that specifies exactly what compliance deficiencies must be remediated and the timeline for doing so. CAPs are typically attached to a resolution agreement, which may or may not include a monetary settlement. The resolution agreement is the contract; the CAP is the work plan.

OCR issues CAPs in two primary contexts. First, as part of a formal resolution agreement that settles an investigation — these are the high-profile enforcement actions that appear on OCR’s public breach portal and press releases. Second, as informal corrective action following a compliance review or complaint investigation where OCR finds deficiencies but determines that a formal resolution agreement is not warranted. The second type is far more common and receives less publicity, but it carries real obligations.

Typical CAP Requirements

Every CAP is tailored to the specific violations found during the investigation, but most include several standard elements:

Risk Analysis and Risk Management

If your investigation revealed deficiencies in your security risk assessment — and it almost always does — the CAP will require you to conduct a thorough, organization-wide risk analysis consistent with 45 CFR 164.308(a)(1)(ii)(A). This is not a checkbox exercise. OCR expects a comprehensive evaluation of all systems that create, receive, maintain, or transmit ePHI, with a corresponding risk management plan that addresses every identified vulnerability with specific, documented remediation steps.

Policy and Procedure Revision

The CAP will typically require you to review and revise your HIPAA policies and procedures to address the specific areas where violations occurred. Revised policies must be submitted to OCR for review and approval. OCR may require multiple rounds of revision before accepting your policies — this is common and should be anticipated in your timeline. Your compliance program must demonstrate that policies are not just written but implemented and enforced.

Workforce Training

Nearly every CAP requires enhanced workforce training. This means training that specifically addresses the violations found in your practice — not generic HIPAA awareness content. OCR expects training to be role-specific, documented with completion records and attestations, and repeated at defined intervals. You must demonstrate that training content was updated to reflect the issues that led to the enforcement action.

Monitoring and Reporting

The monitoring period is the heart of the CAP and the element that most practices underestimate. Typical monitoring periods range from one to three years. During this time, you must submit periodic compliance reports to OCR (usually annually, sometimes more frequently) that document your progress on each element of the CAP. You must also report any new HIPAA incidents or complaints that arise during the monitoring period, which OCR will scrutinize more closely than it would for a practice not under a CAP.

Implementation Reports

Within a specified timeframe (often 90 to 180 days), you must submit an initial implementation report demonstrating that you have begun executing the CAP. This report typically must include evidence of the completed risk analysis, revised policies and procedures, training completion records, and documentation of any new technical safeguards implemented.

The Negotiation Window

What many practices do not realize is that CAP terms are often negotiable. When OCR presents a draft resolution agreement and CAP, you typically have the opportunity to propose modifications. This is where experienced HIPAA counsel is invaluable. Common negotiation points include the monetary settlement amount (which can sometimes be reduced based on demonstrated financial hardship or cooperation), the scope of required policy revisions, the length of the monitoring period, the frequency and detail of reporting requirements, and specific deadlines that may be unrealistic given your practice size and resources.

Negotiation must be conducted carefully. OCR expects good-faith engagement, and an adversarial approach can backfire. The goal is to ensure the CAP is achievable within your operational constraints while still satisfying OCR’s remediation objectives.

What Happens If You Fail to Comply with the CAP

Non-compliance with a CAP is treated extremely seriously. If OCR determines that you have failed to meet the terms of your corrective action plan, the consequences escalate rapidly. OCR may extend the monitoring period, impose additional corrective requirements, refer the matter to the Department of Justice for criminal enforcement (in cases involving willful neglect or intentional conduct), or impose civil monetary penalties on top of any settlement amount already paid. In the most severe cases, OCR can seek to exclude your practice from participating in Medicare and Medicaid — effectively a death sentence for most medical practices.

The lesson is straightforward: once you have agreed to a CAP, treat every deadline, every reporting requirement, and every remediation item as non-negotiable.

Building Your CAP Execution Team

Executing a CAP is a project management challenge as much as a compliance challenge. You need a designated CAP coordinator (often your Privacy or Security Officer) who owns the timeline, an attorney experienced in HIPAA enforcement to review submissions before they go to OCR, technical resources to implement required security upgrades, and a documentation system that tracks every action taken and every piece of evidence generated. Do not attempt to execute a CAP with the same informal processes that led to the violations in the first place. OCR will be reviewing your submissions with the same scrutiny they applied to the original investigation.

How a CAP Affects Your Practice Long-Term

A formal resolution agreement with a CAP becomes part of your practice’s compliance history. OCR maintains records of enforcement actions, and a prior CAP makes your practice more likely to receive heightened scrutiny in future audits or complaint investigations. It also means that any future violation will be viewed in the context of your prior enforcement history, which can increase penalty exposure under the HIPAA penalty tiers.

However, a successfully completed CAP also demonstrates that your practice took corrective action seriously. Many practices emerge from the CAP process with a stronger compliance program than they had before the investigation. The key is to treat the CAP not as a punishment to endure but as a forced investment in the compliance infrastructure you should have built earlier.

If you are facing an OCR investigation or expect enforcement action, start building your compliance foundation now. A comprehensive security risk assessment and documented training program are the two elements that most directly influence how OCR approaches enforcement — having them in place before the investigation concludes strengthens your negotiating position significantly.

How long does an OCR corrective action plan typically last?

Most OCR corrective action plans include a monitoring period of one to three years, with two years being the most common for small to mid-size practices. During this period, you must submit periodic compliance reports demonstrating continued adherence to the CAP terms. The length depends on the severity of the violations, your practice size, and the scope of remediation required. Some resolution agreements include provisions for early termination of monitoring if compliance is demonstrated ahead of schedule.

Can I negotiate the terms of an OCR corrective action plan?

Yes. When OCR presents a draft resolution agreement and CAP, there is typically a negotiation period. Common negotiation points include the monetary settlement amount, the length of the monitoring period, reporting frequency, and specific remediation deadlines. Negotiations should be conducted through experienced HIPAA counsel who understands OCR’s expectations and enforcement patterns. Good-faith cooperation throughout the investigation strengthens your negotiating position.

What is the difference between a resolution agreement and a corrective action plan?

A resolution agreement is the overarching legal settlement between your practice and OCR. It typically includes a monetary payment (the settlement amount) and references the corrective action plan. The CAP is the detailed work plan attached to the resolution agreement that specifies exactly what compliance improvements must be made, the deadlines for each, and the reporting requirements during the monitoring period. The resolution agreement is the contract; the CAP is the scope of work.
