HIPAA Resolution Agreement: What It Is, How It Works, and Real OCR Settlement Examples


Kevin Henry

HIPAA

June 27, 2026

7 minute read

Definition of HIPAA Resolution Agreement

A HIPAA Resolution Agreement is a formal settlement between the Office for Civil Rights (OCR) and a Covered Entity or Business Associate to resolve alleged violations of the HIPAA Privacy Rule and HIPAA Security Rule. It typically includes a monetary “resolution amount” and a multi‑year Corrective Action Plan (CAP) that compels concrete, verifiable compliance steps.

Resolution Agreements are negotiated outcomes. They allow OCR to remediate risks and drive systemic improvements without protracted litigation. Most agreements expressly state that the entity does not admit liability, while still committing to specific actions and reporting duties.

How Resolution Agreements differ from Civil Money Penalties

Civil Money Penalties (CMPs) are unilateral fines that HHS can impose after finding a violation. A Resolution Agreement, by contrast, is a voluntary settlement with tailored obligations, a defined monitoring period, and an agreed payment. OCR often favors Resolution Agreements when rapid corrective change and sustained oversight are feasible.

Purpose of Resolution Agreements

OCR uses Resolution Agreements to correct noncompliance, reduce risk to individuals’ protected health information (PHI), and deter similar conduct across the industry. The approach prioritizes operational fixes that you can measure, not just a financial sanction.

These settlements also promote transparency and accountability. By requiring written plans, training, and attestations from leadership, a Resolution Agreement embeds privacy and security governance into day‑to‑day operations.

When OCR pursues a Resolution Agreement

  • After significant breaches or repeated incidents indicating systemic gaps.
  • When investigations uncover failures in risk analysis, risk management, or vendor oversight.
  • Where a CAP can realistically remediate issues faster than formal penalty proceedings.

Components of a Resolution Agreement

Parties and scope

The agreement identifies the Covered Entity and, if applicable, any Business Associate involved, defines the enterprise scope, and specifies the HIPAA Privacy Rule and HIPAA Security Rule provisions at issue.

Statement of potential violations

OCR outlines factual findings and areas of alleged noncompliance. The entity typically denies wrongdoing but agrees to undertake corrective actions to resolve the matter.

Resolution amount and payment terms

The settlement sets a resolution amount, with timing and method of payment. It may allow installments and requires documentation of payment completion.

Corrective Action Plan (CAP)

The CAP is incorporated by reference and details required actions, deliverables, milestones, and reporting schedules. It is the operational heart of the settlement.

Reporting, recordkeeping, and cooperation

Agreements require implementation reports, annual compliance reports, and prompt notice of material events. Entities must keep records and cooperate with OCR reviews and information requests.

Breach of the agreement

Failure to meet CAP tasks or reporting deadlines can trigger stipulated remedies, additional oversight, or referral for Civil Money Penalties. The agreement specifies how OCR determines and enforces a breach.

Corrective Action Plan Requirements

Risk analysis and risk management

You must complete an enterprise‑wide risk analysis that inventories systems containing ePHI, identifies threats and vulnerabilities, and ranks risks. A corresponding risk management plan must assign owners, deadlines, and mitigation measures.

Policies, procedures, and workforce training

Updated, role‑specific policies and procedures are required for the Privacy Rule and Security Rule. Entities must train all workforce members and document completion, retraining intervals, and sanctions for noncompliance.

Technical and physical safeguards

  • Access controls, unique user IDs, strong authentication, and timely termination of access.
  • Encryption of ePHI at rest and in transit, endpoint protection, and device/media controls.
  • Audit controls, centralized logging, and routine log review with follow‑up on anomalies.

Vendor and Business Associate management

You must maintain current Business Associate Agreements, vet security practices, and monitor performance. The CAP often mandates standardized onboarding, due diligence, and corrective action for vendors.

Incident response and breach notification

Agreements require documented incident response playbooks, tabletop exercises, and prompt investigation protocols. Entities must meet HIPAA breach notification timelines and maintain evidence of determinations.

Documentation and executive accountability

CAPs require attestations from a senior official, board or committee oversight, and retention of all CAP‑related records for inspection. Deadlines for implementation and annual reports are explicit.

Resolution Amount and Financial Settlements

OCR tailors the resolution amount to the severity and duration of noncompliance, the number of individuals affected, the sensitivity of PHI, the entity’s level of culpability (e.g., willful neglect), corrective efforts, prior history, and financial condition. Larger, long‑running, or preventable failures usually command higher amounts.

Unlike CMPs, a negotiated settlement can align payment with forward‑looking improvements. Some agreements permit installments, but all of them require payment in full by the agreed deadline and proof of remittance, regardless of ongoing CAP obligations.

Budgeting for sustained compliance

Beyond the settlement payment, expect significant investment in people, processes, and technology to satisfy the CAP. Building these costs into your multiyear budget prevents future gaps and demonstrates good‑faith compliance.

Monitoring Period and Compliance Enforcement

Monitoring typically spans one to three years, scaled to risk and the breadth of required remediation. OCR reviews implementation reports and annual certifications, and may request evidence at any time.

What OCR expects during monitoring

  • A completed risk analysis and documented risk treatment plan within set timeframes.
  • Revised policies, workforce training rosters, and proof of technical safeguard deployment.
  • Periodic audit results, issue remediation logs, and executive attestations.

Consequences of noncompliance

Missing deliverables or failing to implement controls can extend the monitoring period, invite targeted reviews, or lead to Civil Money Penalties. Material breaches of the agreement allow OCR to pursue additional enforcement.

Examples of HIPAA Resolution Agreements

Anthem (2018) — large‑scale cyberattack

Following a sophisticated intrusion that exposed millions of records, Anthem entered a Resolution Agreement with a record settlement amount at the time and a detailed CAP. OCR emphasized enterprise risk analysis, monitoring of system activity, and access control discipline.

Premera Blue Cross (2020) — prolonged network compromise

Premera resolved findings tied to a multi‑year network intrusion. The settlement underscored risk management, timely patching, and audit controls, plus stronger oversight of systems handling ePHI.

Excellus Health Plan (2021) — persistent vulnerabilities

Excellus settled allegations related to longstanding vulnerabilities exploited by attackers. The CAP required a refreshed, enterprise‑wide risk analysis and documented remediation with executive certifications.

University of Rochester Medical Center (2019) — lost unencrypted devices

URMC resolved device and media control failures after the loss of unencrypted portable media. The agreement prioritized encryption, workforce training, and tighter endpoint management.

Touchstone Medical Imaging (2019) — unsecured server exposure

Touchstone settled allegations after an imaging server left PHI accessible online. The CAP focused on access controls, vendor oversight (a Business Associate issue), and continuous monitoring.

Lifespan ACE (2020) — laptop theft and encryption gaps

Lifespan resolved findings stemming from a stolen, unencrypted laptop containing ePHI. The agreement required full‑scale encryption, asset tracking, and strengthened device policies.

Key takeaways

  • Resolution Agreements pair a settlement payment with a CAP that makes privacy and security operational, measurable, and auditable.
  • OCR expects documented risk analysis, active risk mitigation, and vendor governance from both Covered Entities and Business Associates.
  • Consistent execution during the monitoring period is essential to avoid further enforcement or Civil Money Penalties.

FAQs

What is a HIPAA resolution agreement?

It is a negotiated settlement with the Office for Civil Rights (OCR) that resolves alleged HIPAA Privacy Rule and HIPAA Security Rule violations. The agreement includes a financial resolution amount and a Corrective Action Plan (CAP) with specific, time‑bound compliance tasks.

How does the corrective action plan work in a resolution agreement?

The CAP outlines required actions—such as risk analysis, policy updates, training, technical safeguards, and vendor controls—plus deadlines and evidence you must submit. You provide implementation and annual reports, and OCR monitors progress for a defined period.

What happens if an entity fails to comply with the agreement?

Missing CAP milestones or reporting duties can be deemed a breach, prompting additional oversight, extension of the monitoring period, or pursuit of Civil Money Penalties. OCR may also impose stipulated remedies specified in the agreement.

How are resolution amounts determined?

OCR weighs factors like the scope and duration of noncompliance, number of individuals affected, sensitivity of PHI, level of culpability, corrective efforts, prior history, and ability to pay. More severe or prolonged risks typically lead to higher settlement amounts.
