Case Examples and Resolution Agreements

These examples show how covered entities can effectively comply with the requirements of the Privacy Rule. Periodically, we update this page with case examples of the corrective actions that OCR obtains from covered entities through our enforcement efforts.

Case Examples

Case Examples Organized by Covered Entity		Case Examples Organized by Issue
General Hospitals Health Care Providers Health Plans / HMOs Outpatient Facilities Pharmacies Private Practices		Access Authorizations Business Associates Confidential Communications Disclosures to Avert a Serious Threat to Health or Safety Impermissible Uses and Disclosures Minimum Necessary Notice Safeguards

Resolution Agreements

A Resolution Agreement is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement likely would include the payment of a resolution amount. These agreements are reserved to settle investigations with more serious outcomes, when OCR has not been able to reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action through other informal means. To date, HHS has entered into 2 resolution agreements.

Resolution Agreement with Providence Health & Services--July 16, 2008

Resolution Agreement with CVS Pharmacy, Inc.--January 16, 2009