CAP (Compliance Assessment Program)

The Compliance Assessment Program (CAP) is a voluntary program designed to help organizations ensure that their information security practices comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The program is run by the Department of Health and Human Services' Office for Civil Rights (OCR), which is responsible for enforcing the HIPAA Security Rule.

The HIPAA Security Rule requires covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit any health information in electronic form) and their business associates (any person or entity that performs a function or service on behalf of a covered entity that involves the use or disclosure of protected health information) to implement certain administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).

The CAP is a three-stage process that begins with a self-assessment of an organization's compliance with the Security Rule, followed by a site visit by a team of OCR auditors to verify the organization's compliance, and ends with the OCR providing the organization with a report of its findings and recommendations for improvement.

Stage 1: Self-Assessment

The first stage of the CAP is the self-assessment stage. In this stage, the organization conducts a self-assessment of its compliance with the HIPAA Security Rule using the CAP's audit protocol. The audit protocol is a comprehensive checklist of questions and requirements related to each standard and implementation specification of the Security Rule.

The audit protocol covers the following areas:

  1. Administrative safeguards, including risk analysis and risk management, workforce security, information access management, security awareness and training, and contingency planning.
  2. Physical safeguards, including facility access controls, workstation security, and device and media controls.
  3. Technical safeguards, including access control, audit controls, integrity controls, transmission security, and encryption and decryption.

The organization completes the self-assessment using the CAP's online tool, which guides the organization through the audit protocol and provides instructions for each question. The organization must also submit supporting documentation, such as policies, procedures, and other evidence of compliance, to the CAP.

Once the self-assessment is complete, the organization submits it to the CAP for review.

Stage 2: Site Visit

The second stage of the CAP is the site visit stage. In this stage, a team of OCR auditors conducts a site visit to the organization to verify its compliance with the Security Rule. The site visit is scheduled in advance and is conducted over a period of several days.

During the site visit, the auditors review the organization's policies, procedures, and other evidence of compliance, and conduct interviews with the organization's workforce members to verify that they are aware of and following the organization's policies and procedures.

The auditors also conduct a physical inspection of the organization's facilities to verify that physical safeguards are in place, such as facility access controls and workstation security.

At the end of the site visit, the auditors provide the organization with a preliminary report of their findings.

Stage 3: Report and Recommendations

The third and final stage of the CAP is the report and recommendations stage. In this stage, the OCR provides the organization with a report of its findings and recommendations for improvement.

The report includes a summary of the auditors' findings, including any areas of non-compliance, as well as recommendations for improvement. The OCR may also provide technical assistance to the organization to help it address any areas of non-compliance.

The organization has 10 business days to review and respond to the report. The organization may dispute any findings of non-compliance and provide additional evidence of compliance. The OCR then has 30 days to review the organization's response and issue a final report.

Benefits of the CAP

Participating in the CAP offers organizations several benefits, described below.

Enhanced compliance

Participating in the CAP can help organizations ensure that their information security practices comply with the HIPAA Security Rule. The self-assessment stage allows organizations to identify any areas of non-compliance and take corrective action before the auditors arrive for the site visit. The site visit stage provides organizations with a thorough assessment of their compliance with the Security Rule and identifies any remaining areas of non-compliance. The final report provides organizations with recommendations for improvement and technical assistance, if needed, to help them address any areas of non-compliance.

Reduced Risk of Enforcement Action

Participating in the CAP can reduce an organization's risk of enforcement action by the OCR. If an organization is found to be in compliance with the Security Rule during the site visit, it may be less likely to be targeted for a compliance review or enforcement action by the OCR in the future. Additionally, if an organization is found to be in non-compliance during the site visit, it has the opportunity to correct any issues before the OCR takes enforcement action.

Improved Security Posture

Participating in the CAP can help organizations improve their overall security posture. The CAP's audit protocol covers a wide range of administrative, physical, and technical safeguards that are necessary to protect ePHI. By conducting a self-assessment and undergoing a site visit, organizations can identify areas where their security practices could be improved and take steps to strengthen their overall security posture.

Public Recognition

Organizations that successfully complete the CAP may be publicly recognized by the OCR for their commitment to information security and compliance with the HIPAA Security Rule. This can help organizations build trust with their patients, business partners, and other stakeholders.

Cost Savings

Participating in the CAP can also lead to cost savings for organizations. If an organization is found to be in compliance during the site visit, it may be less likely to be targeted for a compliance review or enforcement action in the future, which can result in significant cost savings in legal fees and fines. Additionally, by identifying areas of non-compliance and taking corrective action before the auditors arrive, organizations can avoid costly remediation efforts that may be required if non-compliance is discovered during an enforcement action.

Conclusion

The Compliance Assessment Program (CAP) is a voluntary program designed to help organizations ensure that their information security practices comply with the HIPAA Security Rule. The program is run by the Department of Health and Human Services' Office for Civil Rights (OCR) and consists of three stages: self-assessment, site visit, and report and recommendations. Participating in the CAP has several benefits for organizations, including enhanced compliance, reduced risk of enforcement action, improved security posture, public recognition, and cost savings. Organizations that are interested in participating in the CAP should contact the OCR for more information.