RESOLUTION AGREEMENT. I. Recitals

RESOLUTION AGREEMENT

I. Recitals

1. Parties. The Parties to this Resolution Agreement ("Agreement") are the United States Department of Health and Human Services, Office for Civil Rights ("HHS") and Affinity Health Plan, Inc. ("the covered entity"). HHS and the Covered Entity shall together be referred to herein as the Parties.

A. Authority of HHS

HHS enforces the Federal standards that govern the privacy of protected health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the "Privacy Rule"), the security of electronic protected health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the "Security Rule"), and the notification in case of breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and D of Part 164, the "Breach Notification Rule"). HHS has the authority to conduct the investigations of complaints alleging violations of the Privacy and Security Rules by covered entities, and a covered entity must cooperate with HHS' investigation. 45 C.F.R. 160.306(c) and 160.310(b).

Affinity Health Plan (AHP) is a covered entity, as defined at 45 C.F.R. 160.103, and therefore is required to comply with the Privacy and Security Rules.

2. Factual Background and Covered Conduct

On April 15, 2010, the HHS Office for Civil Rights (OCR) received notification from AHP regarding a breach of its unsecured electronic protected health information (EPHI). On May 19, 2010, OCR notified AHP of OCR's investigation regarding AHP's compliance with the Privacy, Security, and Breach Notification Rules.

OCR's investigation indicated that the following conduct occurred ("Covered Conduct"):

a. AHP impermissibly disclosed the EPHI of up to 344,579 individuals when it failed to properly erase photocopier hard drives prior to sending the photocopiers to a leasing company.

b. AHP failed to assess and identify the potential security risks and vulnerabilities of EPHI stored in the photocopier hard drives.

c. AHP failed to implement its policies for the disposal of EPHI with respect to the aforementioned photocopier hard drives.

3. No Admission. This Agreement is not an admission of liability by AHP.

4. No Concession. This Agreement is not a concession by HHS that AHP is not in violation of the Privacy and Security Rules and that AHP is not liable for civil money penalties.

5. Intention of Parties to Effect Resolution. This Agreement is intended to resolve the OCR Complaint No. 10-150600, and any violations of the HIPAA Privacy and Security Rules related to the Covered Conduct specified in paragraph 2 of this Agreement. In consideration of the Parties' interest in avoiding the uncertainty, burden, and expense of further investigation and formal proceedings, the Parties agree to resolve these matters according to the terms and conditions below.

II. Terms and Conditions

6. Payment. AHP agrees to pay HHS the amount of $1,215,780 ("Resolution Amount"). AHP agrees to pay the Resolution Amount by electronic funds transfer pursuant to written instructions to be provided by HHS. AHP agrees to make this payment on or before the date it signs this Agreement.

7. Corrective Action Plan. AHP has entered into and agrees to comply with the Corrective Action Plan (CAP), attached as Appendix A, which is incorporated into this Agreement by reference. If AHP breaches the CAP, then AHP will be in breach of this Agreement and HHS will not be subject to the Release set forth in paragraph 8 of this Agreement.

8. Release by HHS. In consideration and conditioned upon AHP's performance of its obligations under this Agreement, HHS releases AHP from any actions it has or may have against AHP under the Privacy and Security Rules arising out of or related to the Covered Conduct identified in paragraph 2. HHS does not release AHP from, nor waive any rights, obligations, or causes of action other than those specifically referred to in this paragraph. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. 1320d-6.

9. Agreement by Released Parties. AHP shall not contest the validity of its obligations to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. AHP waives all procedural rights granted under Section 1128A of the Social Security Act (42 U.S.C. 1320a-7a) and 45 C.F.R. Part 160 Subpart E, and HHS claims collection regulations at 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount.

10. Binding on Successors. This Agreement is binding on AHP and its successors, transferees, and assigns.

11. Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement.

12. No Additional Releases. This Agreement is intended to be for the benefit of the Parties only. By this instrument the Parties do not release any claims against any other person or entity.

13. Effect of Agreement. This Agreement constitutes the complete agreement between the Parties. All material representations, understandings, and promises of the Parties are contained in this Agreement. Any modifications to this Agreement shall be set forth in writing and signed by both Parties.

14. Execution of Agreement and Effective Date. The Agreement shall become effective (i.e., final and binding) on the date that both Parties sign this Agreement and CAP (Effective Date).

15. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. 1320a-7a(c)(1), a civil money penalty (CMP) must be imposed within six years from the date of the occurrence of the violation. To ensure that this six-year period does not expire during the term of this agreement, AHP agrees that the time between the Effective Date of this Agreement and the date this Resolution Agreement may be terminated by reason of AHP's breach, plus one-year thereafter, will not be included in calculating the six year statute of limitations applicable to the violations which are the subject of this Agreement. AHP waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the Covered Conduct identified in paragraph 2 that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Resolution Agreement.

16. Disclosure. HHS places no restriction on the publication of the Agreement. This Agreement and information related to this Agreement may be made public by either party. In addition, HHS may be required to disclose this Agreement and related material to any person upon request consistent with the applicable provisions of the Freedom of Information Act, 5 U.S.C. 552, and its implementing regulations, 45 C.F.R. Part 5.

17. Execution in Counterparts. This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement.

18. Authorizations. The individual(s) signing this Agreement on behalf of AHP represent and warrant that they are authorized to execute this Agreement. The individual(s) signing this Agreement on behalf of HHS represents and warrants that she is signing this Agreement in her official capacities and that she is authorized to execute this Agreement.

For Affinity Health Plan, Inc.

/s/ Bertram L. Scott
President and CEO
Date: August 7, 2013

For the United States Department of Health and Human Services

/s/ Linda C. Colón
Regional Manager, Region II
Office for Civil Rights
Date: August 7, 2013

Appendix A

CORRECTIVE ACTION PLAN BETWEEN THE UNITED STATES DEPARTMENT OF HEALTH AND HUMAN SERVICES AND AFFINITY HEALTH PLAN, INC.

I. Preamble

Affinity Health Plan, Inc. (AHP) hereby enters into this Corrective Action Plan (CAP) with the United States Department of Health and Human Services, Office for Civil Rights (HHS). Contemporaneously with this CAP, AHP is entering into a Resolution Agreement (Agreement) with HHS, and this CAP is incorporated by reference into the Resolution Agreement as Appendix A. AHP enters into this CAP as consideration for the release set forth in paragraph 8 of the Agreement.

II. Contact Persons and Submissions

A. Contact Persons

AHP has identified the following individual as its contact person regarding the implementation of this CAP and for receipt and submission of notifications and reports:

Ms. Caron R. Cullen
Senior Vice President and Compliance Officer
Compliance & Regulatory Affairs
Affinity Health Plan, Inc.
2500 Halsey Street
Bronx, New York 10461

HHS has identified the following individual as its authorized representative and contact person with whom AHP is to report information regarding the implementation of this CAP:

Linda C. Colón, Regional Manager, Region II
Office for Civil Rights
U.S. Department of Health and Human Services
26 Federal Plaza, Suite 3312
New York, New York 10278
Voice Phone (212) 264-4136
Fax: (212) 264-3039
Linda.Colon@HHS.gov

AHP and HHS agree to promptly notify each other of any changes in the contact persons or the other information provided above.

B. Proof of Submissions. Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including certified mail, overnight mail, or hand delivery, provided that there is proof that such notification was received. For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt.

III. Effective Date and Term of CAP

The Effective Date for this CAP shall be calculated in accordance with paragraph 14 of the Agreement (Effective Date). The period for compliance with the obligations assumed by AHP under this CAP shall begin on the Effective Date of this CAP and end in one hundred twenty (120) days from the Effective Date except that, after this period, AHP shall be obligated to comply with the document retention requirement set forth in section VI.

IV. Time

In computing any period of time prescribed or allowed by this CAP, the day of the act, event, or default from which the designated period of time begins to run shall not be included. The last day of the period so computed shall be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day which is not one of the aforementioned days.

V. Corrective Action Obligations

AHP agrees to the following:

1. Within five (5) days of the Effective date, AHP shall use its best efforts to retrieve all photocopier hard drives that were contained in photocopiers previously leased by AHP that remain in the possession of Canon Financial Services, and safeguard all EPHI contained therein from impermissible disclosure. If AHP cannot retrieve said hard drives, AHP shall provide OCR with documentation explaining its best efforts and the reason it was unable to retrieve said hard drives. If AHP retrieves said hard drives, AHP shall provide OCR written certification that it has completed the requirements specified in this paragraph. AHP's compliance with this corrective action will be based on the Region's review and approval of the documentation explaining why its efforts failed to retrieve the hard drives.

2. Within thirty (30) days of the Effective Date, AHP shall conduct a comprehensive risk analysis of the EPHI security risks and vulnerabilities that incorporates all electronic equipment and systems controlled, owned or leased by AHP. AHP shall also, within this time period develop a plan, to address and mitigate any security risks and vulnerabilities found in this analysis and, if necessary, revise its present policies and procedures. The plan and any revised policies and procedures shall be forwarded to OCR for its review consistent with paragraph 3 below.

3. OCR shall review and recommend changes to the plan and any revised policies and procedures specified in paragraph 2. Upon receiving OCR's recommended changes, AHP shall have thirty calendar days to provide a revised plan and any revised policies and procedures to OCR for review and approval. AHP shall implement the plan and distribute and train staff members on any revised policies and procedures within thirty (30) calendar days of OCR's approval.

VI. Document Retention

AHP shall maintain for inspection and copying all documents and records relating to compliance with this CAP for six years from the Effective Date.

VII. Breach Provisions

AHP is expected to fully and timely comply with all provisions of its CAP obligations.

A. Timely Written Requests for Extensions

AHP may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act or file any notification or report required by this CAP. A timely written request is defined as a request in writing received by HHS at least five (5) business days prior to the date such an act is required or due to be performed.

B. Notice of Breach and Intent to Impose CMP. The Parties agree that a breach of this CAP by AHP constitutes a breach of the Agreement. Upon a determination by HHS that AHP has breached this CAP, HHS may notify AHP of: (a) AHP's breach; and (b) HHS' intent to impose a CMP pursuant to 45 C.F.R. Part 160 for the Covered Conduct set forth in paragraph 2 of the Agreement and for any other conduct that constitutes a violation of the HIPAA Privacy and Security Rules (Notice of Breach and Intent to Impose CMP).
C. AHP's Response. AHP shall have 30 days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS' satisfaction that:

1. AHP is in compliance with the obligations of the CAP cited by HHS as being the basis for the breach;

2. The alleged breach has been cured; or

3. The alleged breach cannot be cured within the 30-day period, but that: (i) AHP has begun to take action to cure the breach; (ii) AHP is pursuing such action with due diligence; and (iii) AHP has provided to HHS a reasonable timetable for curing the breach.

D. Imposition of CMP. If at the conclusion of the 30-day period, AHP fails to meet the requirements of section VII.C to HHS' satisfaction, HHS may proceed with the imposition of a CMP against AHP pursuant to 45 C.F.R. Part 160 for the Covered Conduct set forth in paragraph 2 of the Agreement and for any other conduct that constitutes a violation of the HIPAA Privacy and Security Rules. HHS shall notify AHP in writing of its determination to proceed with the imposition of a CMP.

For Affinity Health Plan, Inc.

/s/ Bertram L. Scott
President and CEO
Date: August 7, 2013

For the United States Department of Health and Human Services

/s/ Linda C. Colón
Regional Manager, Region II
Office for Civil Rights
Date: August 7, 2013