SlideShare a Scribd company logo

DHHS OCR data breach resolution agreement

•
•
David Sweigert
David Sweigert

Posted as a courtesy by: Dave Sweigert CISA CISSP HCISPP PMP Security+

Healthcare
1 of 10
1 RESOLUTION AGREEMENT I. Recitals 1. Parties. The Parties to this Resolution Agreement (“Agreement”) are: A. The United States Department of Health and Human Services, Office for Civil Rights (“HHS”), which enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the Federal standards for notification in the case of breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”). HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates, and covered entities and business associates must cooperate with HHS compliance reviews and investigations. See 45 C.F.R. §§ 160.306(c), 160.308, and 160.310(b). B. Anchorage Community Mental Health Services, Inc. (“ACMHS”), which is a covered entity, as defined at 45 C.F.R. § 160.103, and therefore is required to comply with the HIPAA Rules. ACMHS is a nonprofit, community, mental-health care provider that provides care, including care for the uninsured and underinsured, to the Anchorage community and surrounding areas. HHS and ACMHS shall together be referred to herein as the “Parties.” 2. Factual Background and Covered Conduct. On March 2, 2012, the HHS Office for Civil Rights (OCR) received notification from ACMHS regarding a breach of unsecured electronic protected health information (e-PHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources. On June 1, 2012, OCR notified ACMHS of OCR’s investigation regarding ACMHS’s compliance with the Privacy, Security, and Breach Notification Rules. OCR’s investigation indicated that the following conduct occurred (“Covered Conduct”): A. From April 21, 2005, the compliance date of the Security Rule, until March 12, 2012, ACMHS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality integrity, and availability of e-PHI held by ACMHS (See 45 C.F.R. § 164.308(a)(1)(ii)(A)); B. From April 21, 2005, the compliance date of the Security Rule, until March 12, 2012, ACMHS failed to implement policies and procedures requiring implementation of security measures sufficient to reduce risks and
2 vulnerabilities to its e-PHI to a reasonable and appropriate level (See 45 C.F.R. § 164.308(a)(1)(ii)(B)); and C. From January 1, 2008, until March 29, 2012, ACMHS failed to implement technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic communications network (See 45 C.F.R. § 164.312(e)) by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches. 3. No Admission. This Agreement is not an admission of liability by ACMHS. 4. No Concession. This Agreement is not a concession by HHS that ACMHS is not in violation of the Privacy Rule, the Security Rule, or the Breach Notification Rule and that ACMHS is not liable for civil money penalties. 5. Intention of Parties to Effect Resolution. This Agreement is intended to resolve OCR Transaction Number: 12-139936 and any violations of the HIPAA Privacy, Security, and Breach Notification Rules related to the Covered Conduct specified in paragraph I.2. of this Agreement. In consideration of the Parties’ interest in avoiding the uncertainty, burden, and expense of further investigation and formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below. II. Terms and Conditions 6. Payment. HHS has agreed to accept, and ACMHS has agreed to pay HHS, the amount of $150,000 (“Resolution Amount”). ACMHS agrees to pay the Resolution Amount on the Effective Date of this Agreement as defined in paragraph II.14 by automated clearinghouse transaction pursuant to written instructions to be provided by HHS. 7. Corrective Action Plan. ACMHS has entered into and agrees to comply with the Corrective Action Plan (“CAP”), attached as Appendix A, which is incorporated into this Agreement by reference. If ACMHS breaches the CAP, and fails to cure the breach as set forth in the CAP, then ACMHS will be in breach of this Agreement and HHS will not be subject to the terms and conditions in the Release set forth in Paragraph 8 of this Agreement. 8. Release by HHS. In consideration of and conditioned upon ACMHS’ performance of its obligations under this Agreement, HHS releases ACMHS from any actions it has or may have against ACMHS under the Privacy, Security, and Breach Notification Rules arising out of or related to the Covered Conduct specified in paragraph I.2. of this Agreement. HHS does not release ACMHS from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct and referred to in this paragraph. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
3 9. Agreement by Released Party. ACMHS shall not contest the validity of its obligation to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. ACMHS waives all procedural rights granted under Section 1128A of the Social Security Act (42 U.S.C. § 1320a-7a); 45 C.F.R. Part 160, Subpart E; and HHS Claims Collection provisions, 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount. 10. Binding on Successors. This Agreement is binding on ACMHS and its successors, heirs, transferees, and assigns. 11. Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement. 12. No Additional Releases. This Agreement is intended to be for the benefit of the Parties only, and by this instrument the Parties do not release any claims against or by any other person or entity. 13. Effect of Agreement. This Agreement constitutes the complete agreement between the Parties. All material representations, understandings, and promises of the Parties are contained in this Agreement. Any modifications to this Agreement must be set forth in writing and signed by both Parties. 14. Execution of Agreement and Effective Date. The Agreement shall become effective (i.e., final and binding) upon the date of signing of this Agreement and the CAP by the last signatory (“Effective Date”). 15. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a civil money penalty (“CMP”) must be imposed within six years from the date of the occurrence of the violation. To ensure that this six-year period does not expire during the term of this Agreement, ACMHS agrees that the time between the Effective Date of this Agreement and the date this Resolution Agreement may be terminated by reason of ACMHS’s breach, plus one-year thereafter, will not be included in calculating the six (6) year statute of limitations applicable to the violations which are the subject of this Agreement. ACMHS waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the Covered Conduct specified in paragraph I.2. that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Agreement. 16. Disclosure. HHS places no restriction on the publication of the Agreement. In addition, HHS may be required to disclose material related to this Agreement to any person upon request consistent with the applicable provisions of the Freedom of Information Act, 5 U.S.C. § 552, and its implementing regulations, 45 C.F.R. Part 5. 17. Execution in Counterparts. This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement.
4 18. Authorizations. The individual(s) signing this Agreement on behalf of ACMHS represent and warrant that they are authorized by ACMHS to execute this Agreement. The individual(s) signing this Agreement on behalf of HHS represent and warrant that they are signing this Agreement in their official capacities and that they are authorized to execute this Agreement. For Anchorage Community Mental Health Services, Inc. /s/ 12/02/2014 ____________________________ ____________ Jerry Jenkins Date Chief Executive Officer Anchorage Community Mental Health Services, Inc. For the United States Department of Health and Human Services /s/ 12/02/2014 ____________________________ _____________ Linda Yuu Connor Date Regional Manager, Region X Office for Civil Rights
5 Appendix A CORRECTIVE ACTION PLAN BETWEEN THE U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES AND ANCHORAGE COMMUNITY MENTAL HEALTH SERVICES, INC. I. Preamble Anchorage Community Mental Health Services, Inc. (hereinafter referred to as “ACMHS”) hereby enters into this Corrective Action Plan (“CAP”) with the United States Department of Health and Human Services, Office for Civil Rights (“HHS”). Contemporaneously with this CAP, ACMHS is entering into a Resolution Agreement (“Agreement”) with HHS, and this CAP is incorporated by reference into the Agreement as Appendix A. ACMHS enters into this CAP as part of the consideration for the release set forth in paragraph 8 of the Agreement. II. Contact Persons and Submissions A. Contact Persons. ACMHS has identified the following individual as its authorized representative and contact person regarding the implementation of this CAP and for receipt and submission of notifications and reports: Jerry Jenkins, Chief Executive Officer Anchorage Community Mental Health Services, Inc. 4020 Folker Street Anchorage, AK 99508 Telephone: 907-563-1000 Facsimile: 907-563-2045 HHS has identified the following individual as its contact person with whom ACMHS is to report information regarding the implementation of this CAP: Linda Yuu Connor, Regional Manager Office for Civil Rights, Region X Department of Health and Human Services 701 Fifth Avenue, Suite 1600, MS-11 Seattle, WA 98104
6 Telephone: 206-615-2290 Facsimile: 206-615-2297 ACMHS and HHS agree to promptly notify each other of any changes in the contact persons or the other information provided above. B. Proof of Submissions. Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including certified mail, overnight mail, or hand delivery, provided that there is proof that such notification was received. For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt. III. Effective Date and Term of CAP The Effective Date for this CAP shall be calculated in accordance with paragraph 14 of the Agreement (“Effective Date”). The period for compliance (“Compliance Term”) with the obligations assumed by ACMHS under this CAP shall begin on the Effective Date of this CAP and end two (2) years from the Effective Date unless HHS has notified ACMHS under section VIII hereof of its determination that ACMHS has breached this CAP. In the event of such a notification by HHS under section VIII hereof, the Compliance Term shall not end until HHS notifies ACMHS that it has determined that the breach has been cured. After the Compliance Term ends, ACMHS shall still be obligated to submit the final Annual Report as required by section VI and comply with the document retention requirement in section VII. IV. Time In computing any period of time prescribed or allowed by this CAP, all days referred to shall be calendar days. The day of the act, event, or default from which the designated period of time begins to run shall not be included. The last day of the period so computed shall be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day that is not one of the aforementioned days. V. Corrective Action Obligations ACMHS agrees to the following: A. Revision and Distribution of Policies and Procedures. 1. ACMHS shall provide an updated version of its Security Rule Policies and Procedures, which were submitted to OCR on May 20, 2013, to HHS within sixty (60) days of the Effective Date for review and approval. Upon receiving any recommended changes to such policies and procedures from HHS, ACMHS shall have thirty (30) days to revise such policies and procedures accordingly and provide the revised policies and procedures to HHS for review and approval.
7 3. ACMHS shall officially adopt the revised Security Rule Policies and Procedures within thirty (30) days of receipt of HHS’ approval. 4. ACMHS shall distribute its revised Security Rule Policies and Procedures to all members of the workforce who use or disclose e-PHI concomitantly with general security awareness training as required by section V.B.3 and to new members of the workforce who will use or disclose e-PHI within thirty (30) days of their beginning of service. 5. ACMHS shall require, at the time of distribution of its Security Rule Policies and Procedures, and shall maintain for its files, a signed written or electronic initial compliance certification from all members of the workforce, stating that the workforce members have read, understand, and shall abide by the Security Rule Policies and Procedures. B. Training. 1. ACMHS shall provide HHS with general security awareness training materials for all workforce members who use or disclose e-PHI within sixty (60) days of the Effective Date for review and approval. 2. Upon receiving notice from HHS specifying any required changes, ACMHS shall make the required changes and provide revised general security awareness training materials to HHS within thirty (30) days for review and approval. 3. Upon receiving approval from HHS, ACMHS shall provide general security awareness training for each workforce member who uses or discloses e-PHI within sixty (60) days of HHS approval and at least every twelve (12) months thereafter. ACMHS shall also provide such training to each new member of the workforce who uses or discloses e-PHI within thirty (30) days of their beginning of service. 4. Each workforce member who is required to attend training shall certify, in electronic or written form, that he or she received the training. The training certification shall specify the date training was received. All course materials shall be retained in compliance with section VII. 5. ACMHS shall review the training at least annually, and, where appropriate, update the training to reflect any changes in Federal law or HHS guidance, any issues discovered during audits or reviews, or any other relevant developments. C. Security Management Process. ACMHS shall annually, as required by ACMHS’ “IT Risk Management” policy and procedure, conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by ACMHS and document the security measures ACMHS implemented or is implementing to
8 sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level. D. Reportable Events. 1. During the Compliance Term, ACMHS shall, upon receiving information that a workforce member may have failed to comply with its Security Rule Policies and Procedures, promptly investigate the matter. If ACMHS determines, after review and investigation, that a member of its workforce has failed to comply with its Security Rule Policies and Procedures, ACMHS shall notify HHS in writing within thirty (30) days. Such violations shall be known as “Reportable Events.” The report to HHS shall include the following: a. A complete description of the event, including the relevant facts, the persons involved, and the provision(s) of ACMHS’s Security Rule Policies and Procedures implicated; and b. A description of the actions taken and any further steps ACMHS plans to take to address the matter, to mitigate any harm, and to prevent it from recurring, including the application of appropriate sanctions against workforce members who failed to comply with its Security Rule Policies and Procedures . 2. If no Reportable Events occur within the Compliance Term, ACMHS shall so inform OCR in its Annual Reports. VI. Annual Reports The one-year period beginning on the Effective Date and each subsequent one- year period during the course of the period of compliance obligations shall be referred to as “the Reporting Periods.” ACMHS shall submit to HHS Annual Reports with respect to the status of and findings regarding ACMHS’s compliance with this CAP for each Reporting Period. ACMHS shall submit each Annual Report to HHS no later than twenty (20) days after the end of each corresponding Reporting Period. The Annual Report shall include the following items: 1. An attestation signed by an owner or officer of ACMHS attesting that the Security Rule Policies and Procedures have been distributed to all members of the workforce who use or disclose e-PHI and that ACMHS has obtained all of the compliance certifications required by section V.A.2; 2. An attestation signed by an owner or officer of ACMHS attesting that all members of the workforce have completed general security awareness training as required by this CAP and have executed the training certifications required by section V.B.4;
9 3. Either a copy of the general security awareness training materials used for the training required by this CAP if revised pursuant to section V.B.5. or an attestation signed by an owner or officer of ACMHS attesting that he or she has reviewed the general security awareness training materials and no revisions were made; 4. An attestation signed by an owner or officer of ACMHS attesting that all information system resources are currently supported and updated with available patches; 5. An updated risk analysis and updated risk management plan pursuant to section V.C.; 6. A summary of Reportable Events (defined in section V.D.1.) identified during the Reporting Period and the status of any corrective and preventative action relating to all such Reportable Events; 7. An attestation signed by an owner or officer of ACMHS attesting that ACMHS has complied with the obligations of this CAP; and 8. An attestation signed by an owner or officer of ACMHS attesting that he or she has reviewed the Annual Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful. VII. Document Retention ACMHS shall maintain for inspection and copying, and shall provide to OCR upon request, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date. VIII. Breach Provisions ACMHS is expected to fully and timely comply with all provisions contained in this CAP. A. Timely Written Requests for Extensions. ACMHS may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act required by this CAP. A “timely written request” is defined as a request in writing received by HHS at least five (5) days prior to the date such an act is required or due to be performed. B. Notice of Breach of this CAP and Intent to Impose Civil Money Penalty. The Parties agree that a breach of this CAP by ACMHS constitutes a breach of the Agreement. Upon a determination by HHS that ACMHS has breached this CAP, HHS may notify ACMHS of (1) ACMHS’ breach; and (2) HHS’ intent to impose a civil money penalty (“CMP”), pursuant to 45 C.F.R. Part 160, or other remedies for the Covered Conduct set forth in paragraph I.2. of the Agreement and for any other conduct
10 that constitutes a violation of the HIPAA Privacy, Security, or Breach Notification Rules (“Notice of Breach and Intent to Impose CMP”). C. ACMHS Response. ACMHS shall have thirty (30) days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS’ satisfaction that: 1. ACMHS is in compliance with the obligations of this CAP that HHS cited as the basis for the breach; 2. the alleged breach has been cured; or 3. the alleged breach cannot be cured within the 30-day period, but that: (a) ACMHS has begun to take action to cure the breach; (b) ACMHS is pursuing such action with due diligence; and (c) ACMHS has provided to HHS a reasonable timetable for curing the breach. D. Imposition of CMP. If at the conclusion of the 30-day period, ACMHS fails to meet the requirements of section VIII.C. of this CAP to HHS’ satisfaction, HHS may proceed with the imposition of the CMP against ACMHS pursuant to 45 C.F.R. Part 160 for any violations of the Privacy, Security, and Breach Notification Rules related to the Covered Conduct set forth in paragraph I.2. of the Agreement and for any other act or failure to act that constitutes a violation of the HIPAA Privacy, Security, or Breach Notification Rules. HHS shall notify ACMHS in writing of its determination to proceed with the imposition of a CMP. For Anchorage Community Mental Health Services, Inc. /s/ 12/02/2014 ____________________________ _____________ Jerry Jenkins Date Chief Executive Officer Anchorage Community Mental Health Services, Inc. For the United States Department of Health and Human Services /s/ 12/02/2014 ____________________________ _____________ Linda Yuu Connor Date Regional Manager, Region X Office for Civil Rights

Recommended

Adult & Pediatric Dermatology, Corrective Action Plan
Adult & Pediatric Dermatology, Corrective Action PlanAdult & Pediatric Dermatology, Corrective Action Plan
Adult & Pediatric Dermatology, Corrective Action Plandata brackets
 
Oregon Health & Science University HIPAA Fines
Oregon Health & Science University HIPAA FinesOregon Health & Science University HIPAA Fines
Oregon Health & Science University HIPAA Finesdata brackets
 
Catholic Health Care Services Resolution Agreement and Corrective Action Plan
Catholic Health Care Services Resolution Agreement and Corrective Action PlanCatholic Health Care Services Resolution Agreement and Corrective Action Plan
Catholic Health Care Services Resolution Agreement and Corrective Action PlanAlex Slaney
 
Qca agreement
Qca agreementQca agreement
Qca agreementdata brackets
 
North memorial ra and cap march 2016 (508)
North memorial ra and cap march 2016 (508)North memorial ra and cap march 2016 (508)
North memorial ra and cap march 2016 (508)Alex Slaney
 
Shasta agreement
Shasta agreementShasta agreement
Shasta agreementdata brackets
 
HIPAA Security Rule consent agreement with OCR
HIPAA Security Rule consent agreement with OCRHIPAA Security Rule consent agreement with OCR
HIPAA Security Rule consent agreement with OCRDavid Sweigert
 
Affinity agreement
Affinity agreementAffinity agreement
Affinity agreementdata brackets
 

Recommended

Adult & Pediatric Dermatology, Corrective Action Plan
Adult & Pediatric Dermatology, Corrective Action PlanAdult & Pediatric Dermatology, Corrective Action Plan
Adult & Pediatric Dermatology, Corrective Action Plandata brackets
 
Oregon Health & Science University HIPAA Fines
Oregon Health & Science University HIPAA FinesOregon Health & Science University HIPAA Fines
Oregon Health & Science University HIPAA Finesdata brackets
 
Catholic Health Care Services Resolution Agreement and Corrective Action Plan
Catholic Health Care Services Resolution Agreement and Corrective Action PlanCatholic Health Care Services Resolution Agreement and Corrective Action Plan
Catholic Health Care Services Resolution Agreement and Corrective Action PlanAlex Slaney
 
Qca agreement
Qca agreementQca agreement
Qca agreementdata brackets
 
North memorial ra and cap march 2016 (508)
North memorial ra and cap march 2016 (508)North memorial ra and cap march 2016 (508)
North memorial ra and cap march 2016 (508)Alex Slaney
 
Shasta agreement
Shasta agreementShasta agreement
Shasta agreementdata brackets
 
HIPAA Security Rule consent agreement with OCR
HIPAA Security Rule consent agreement with OCRHIPAA Security Rule consent agreement with OCR
HIPAA Security Rule consent agreement with OCRDavid Sweigert
 
Affinity agreement
Affinity agreementAffinity agreement
Affinity agreementdata brackets
 
Cancer Care Group HIPAA Settlement Agreement
Cancer Care Group HIPAA Settlement AgreementCancer Care Group HIPAA Settlement Agreement
Cancer Care Group HIPAA Settlement Agreementdata brackets
 
Concentra agreement
Concentra agreementConcentra agreement
Concentra agreementdata brackets
 
NYP RA and CAP april 2016
NYP RA and CAP april 2016 NYP RA and CAP april 2016
NYP RA and CAP april 2016 data brackets
 
Presence Health Resolution Agreement with OCR
Presence Health Resolution Agreement with OCRPresence Health Resolution Agreement with OCR
Presence Health Resolution Agreement with OCRdata brackets
 
Parkview HIPAA Settlement - Resolution Agreement
Parkview HIPAA Settlement - Resolution AgreementParkview HIPAA Settlement - Resolution Agreement
Parkview HIPAA Settlement - Resolution Agreementdata brackets
 
HONI HIPAA Breach Resolution Agreement
HONI HIPAA Breach Resolution AgreementHONI HIPAA Breach Resolution Agreement
HONI HIPAA Breach Resolution Agreementdata brackets
 
Raleigh Orthopedic RA and CAP April 2016
Raleigh Orthopedic RA and CAP April 2016Raleigh Orthopedic RA and CAP April 2016
Raleigh Orthopedic RA and CAP April 2016Alex Slaney
 
Skagit county- HIPAA violation settlement agreement with HHS
Skagit county- HIPAA violation settlement agreement with HHSSkagit county- HIPAA violation settlement agreement with HHS
Skagit county- HIPAA violation settlement agreement with HHSdata brackets
 
Michele Isaak - Insolvent Estates
Michele Isaak - Insolvent EstatesMichele Isaak - Insolvent Estates
Michele Isaak - Insolvent EstatesEstate Planning Council of Abbotsford
 
Oakland Housing Authority Legal Services Contract For General Counsel This
Oakland Housing Authority Legal Services Contract For General Counsel ThisOakland Housing Authority Legal Services Contract For General Counsel This
Oakland Housing Authority Legal Services Contract For General Counsel Thislegal3
 
Cancellation of removal in immigration court
Cancellation of removal in immigration courtCancellation of removal in immigration court
Cancellation of removal in immigration courtUmesh Heendeniya
 
2013 mutual aid_city_of_mc_kinney_fire_department_and_collin_county
2013 mutual aid_city_of_mc_kinney_fire_department_and_collin_county2013 mutual aid_city_of_mc_kinney_fire_department_and_collin_county
2013 mutual aid_city_of_mc_kinney_fire_department_and_collin_countyrath4thekids
 
an_update_on_the_application_of_unfair_claims_settlement_practices
an_update_on_the_application_of_unfair_claims_settlement_practicesan_update_on_the_application_of_unfair_claims_settlement_practices
an_update_on_the_application_of_unfair_claims_settlement_practicesAntonio Trotta
 
Understanding New York No Fault
Understanding New York No FaultUnderstanding New York No Fault
Understanding New York No Faultmccormick
 
Item # 10 Catto & Catto to HUB Insurance Broker Assignment
Item # 10 Catto & Catto to HUB Insurance Broker AssignmentItem # 10 Catto & Catto to HUB Insurance Broker Assignment
Item # 10 Catto & Catto to HUB Insurance Broker Assignmentahcitycouncil
 
Catholic Health Care Services Resolution Agreement
Catholic Health Care Services Resolution Agreement Catholic Health Care Services Resolution Agreement
Catholic Health Care Services Resolution Agreement data brackets
 
HIPAA Violation Fines: North memorial Hospistal Settlement
HIPAA Violation Fines: North memorial Hospistal Settlement HIPAA Violation Fines: North memorial Hospistal Settlement
HIPAA Violation Fines: North memorial Hospistal Settlement data brackets
 
North memorial resolution agreement
North memorial resolution agreementNorth memorial resolution agreement
North memorial resolution agreementAlex Slaney
 
NYP RA and Cap april 2016
NYP RA and Cap april 2016 NYP RA and Cap april 2016
NYP RA and Cap april 2016 data brackets
 
Raleigh Orthopedic RA and CAP April 2016
Raleigh Orthopedic RA and CAP April 2016Raleigh Orthopedic RA and CAP April 2016
Raleigh Orthopedic RA and CAP April 2016data brackets
 
First HIPAA enforcement action for lack of timely breach notification settles...
First HIPAA enforcement action for lack of timely breach notification settles...First HIPAA enforcement action for lack of timely breach notification settles...
First HIPAA enforcement action for lack of timely breach notification settles...David Sweigert
 
HIPAA Settlement New York Presbyterian and Columbia Universtiy
HIPAA Settlement New York Presbyterian and Columbia UniverstiyHIPAA Settlement New York Presbyterian and Columbia Universtiy
HIPAA Settlement New York Presbyterian and Columbia Universtiydata brackets
 

More Related Content

What's hot

Cancer Care Group HIPAA Settlement Agreement
Cancer Care Group HIPAA Settlement AgreementCancer Care Group HIPAA Settlement Agreement
Cancer Care Group HIPAA Settlement Agreementdata brackets
 
Concentra agreement
Concentra agreementConcentra agreement
Concentra agreementdata brackets
 
NYP RA and CAP april 2016
NYP RA and CAP april 2016 NYP RA and CAP april 2016
NYP RA and CAP april 2016 data brackets
 
Presence Health Resolution Agreement with OCR
Presence Health Resolution Agreement with OCRPresence Health Resolution Agreement with OCR
Presence Health Resolution Agreement with OCRdata brackets
 
Parkview HIPAA Settlement - Resolution Agreement
Parkview HIPAA Settlement - Resolution AgreementParkview HIPAA Settlement - Resolution Agreement
Parkview HIPAA Settlement - Resolution Agreementdata brackets
 
HONI HIPAA Breach Resolution Agreement
HONI HIPAA Breach Resolution AgreementHONI HIPAA Breach Resolution Agreement
HONI HIPAA Breach Resolution Agreementdata brackets
 
Raleigh Orthopedic RA and CAP April 2016
Raleigh Orthopedic RA and CAP April 2016Raleigh Orthopedic RA and CAP April 2016
Raleigh Orthopedic RA and CAP April 2016Alex Slaney
 
Skagit county- HIPAA violation settlement agreement with HHS
Skagit county- HIPAA violation settlement agreement with HHSSkagit county- HIPAA violation settlement agreement with HHS
Skagit county- HIPAA violation settlement agreement with HHSdata brackets
 
Oakland Housing Authority Legal Services Contract For General Counsel This
Oakland Housing Authority Legal Services Contract For General Counsel ThisOakland Housing Authority Legal Services Contract For General Counsel This
Oakland Housing Authority Legal Services Contract For General Counsel Thislegal3
 
Cancellation of removal in immigration court
Cancellation of removal in immigration courtCancellation of removal in immigration court
Cancellation of removal in immigration courtUmesh Heendeniya
 
2013 mutual aid_city_of_mc_kinney_fire_department_and_collin_county
2013 mutual aid_city_of_mc_kinney_fire_department_and_collin_county2013 mutual aid_city_of_mc_kinney_fire_department_and_collin_county
2013 mutual aid_city_of_mc_kinney_fire_department_and_collin_countyrath4thekids
 
an_update_on_the_application_of_unfair_claims_settlement_practices
an_update_on_the_application_of_unfair_claims_settlement_practicesan_update_on_the_application_of_unfair_claims_settlement_practices
an_update_on_the_application_of_unfair_claims_settlement_practicesAntonio Trotta
 
Understanding New York No Fault
Understanding New York No FaultUnderstanding New York No Fault
Understanding New York No Faultmccormick
 
Item # 10 Catto & Catto to HUB Insurance Broker Assignment
Item # 10 Catto & Catto to HUB Insurance Broker AssignmentItem # 10 Catto & Catto to HUB Insurance Broker Assignment
Item # 10 Catto & Catto to HUB Insurance Broker Assignmentahcitycouncil
 

What's hot (15)

Cancer Care Group HIPAA Settlement Agreement
Cancer Care Group HIPAA Settlement AgreementCancer Care Group HIPAA Settlement Agreement
Cancer Care Group HIPAA Settlement Agreement
 
Concentra agreement
Concentra agreementConcentra agreement
Concentra agreement
 
NYP RA and CAP april 2016
NYP RA and CAP april 2016 NYP RA and CAP april 2016
NYP RA and CAP april 2016
 
Presence Health Resolution Agreement with OCR
Presence Health Resolution Agreement with OCRPresence Health Resolution Agreement with OCR
Presence Health Resolution Agreement with OCR
 
Parkview HIPAA Settlement - Resolution Agreement
Parkview HIPAA Settlement - Resolution AgreementParkview HIPAA Settlement - Resolution Agreement
Parkview HIPAA Settlement - Resolution Agreement
 
HONI HIPAA Breach Resolution Agreement
HONI HIPAA Breach Resolution AgreementHONI HIPAA Breach Resolution Agreement
HONI HIPAA Breach Resolution Agreement
 
Raleigh Orthopedic RA and CAP April 2016
Raleigh Orthopedic RA and CAP April 2016Raleigh Orthopedic RA and CAP April 2016
Raleigh Orthopedic RA and CAP April 2016
 
Skagit county- HIPAA violation settlement agreement with HHS
Skagit county- HIPAA violation settlement agreement with HHSSkagit county- HIPAA violation settlement agreement with HHS
Skagit county- HIPAA violation settlement agreement with HHS
 
Michele Isaak - Insolvent Estates
Michele Isaak - Insolvent EstatesMichele Isaak - Insolvent Estates
Michele Isaak - Insolvent Estates
 
Oakland Housing Authority Legal Services Contract For General Counsel This
Oakland Housing Authority Legal Services Contract For General Counsel ThisOakland Housing Authority Legal Services Contract For General Counsel This
Oakland Housing Authority Legal Services Contract For General Counsel This
 
Cancellation of removal in immigration court
Cancellation of removal in immigration courtCancellation of removal in immigration court
Cancellation of removal in immigration court
 
2013 mutual aid_city_of_mc_kinney_fire_department_and_collin_county
2013 mutual aid_city_of_mc_kinney_fire_department_and_collin_county2013 mutual aid_city_of_mc_kinney_fire_department_and_collin_county
2013 mutual aid_city_of_mc_kinney_fire_department_and_collin_county
 
an_update_on_the_application_of_unfair_claims_settlement_practices
an_update_on_the_application_of_unfair_claims_settlement_practicesan_update_on_the_application_of_unfair_claims_settlement_practices
an_update_on_the_application_of_unfair_claims_settlement_practices
 
Understanding New York No Fault
Understanding New York No FaultUnderstanding New York No Fault
Understanding New York No Fault
 
Item # 10 Catto & Catto to HUB Insurance Broker Assignment
Item # 10 Catto & Catto to HUB Insurance Broker AssignmentItem # 10 Catto & Catto to HUB Insurance Broker Assignment
Item # 10 Catto & Catto to HUB Insurance Broker Assignment
 

Similar to DHHS OCR data breach resolution agreement

Catholic Health Care Services Resolution Agreement
Catholic Health Care Services Resolution Agreement Catholic Health Care Services Resolution Agreement
Catholic Health Care Services Resolution Agreement data brackets
 
HIPAA Violation Fines: North memorial Hospistal Settlement
HIPAA Violation Fines: North memorial Hospistal Settlement HIPAA Violation Fines: North memorial Hospistal Settlement
HIPAA Violation Fines: North memorial Hospistal Settlement data brackets
 
North memorial resolution agreement
North memorial resolution agreementNorth memorial resolution agreement
North memorial resolution agreementAlex Slaney
 
NYP RA and Cap april 2016
NYP RA and Cap april 2016 NYP RA and Cap april 2016
NYP RA and Cap april 2016 data brackets
 
Raleigh Orthopedic RA and CAP April 2016
Raleigh Orthopedic RA and CAP April 2016Raleigh Orthopedic RA and CAP April 2016
Raleigh Orthopedic RA and CAP April 2016data brackets
 
First HIPAA enforcement action for lack of timely breach notification settles...
First HIPAA enforcement action for lack of timely breach notification settles...First HIPAA enforcement action for lack of timely breach notification settles...
First HIPAA enforcement action for lack of timely breach notification settles...David Sweigert
 
HIPAA Settlement New York Presbyterian and Columbia Universtiy
HIPAA Settlement New York Presbyterian and Columbia UniverstiyHIPAA Settlement New York Presbyterian and Columbia Universtiy
HIPAA Settlement New York Presbyterian and Columbia Universtiydata brackets
 
Massachusetts Eye and Ear Infirmary HIPAA Violation
Massachusetts Eye and Ear Infirmary HIPAA ViolationMassachusetts Eye and Ear Infirmary HIPAA Violation
Massachusetts Eye and Ear Infirmary HIPAA Violationdata brackets
 
Bussiness associate agreementba 100213173228-phpapp02
Bussiness associate agreementba 100213173228-phpapp02Bussiness associate agreementba 100213173228-phpapp02
Bussiness associate agreementba 100213173228-phpapp02Donald M. Kaesser
 
Mediation Order New England Compounding Pharmacy
Mediation Order New England Compounding Pharmacy Mediation Order New England Compounding Pharmacy
Mediation Order New England Compounding Pharmacy mzamoralaw
 
Rokita Non-Disclosure Agreement
Rokita Non-Disclosure AgreementRokita Non-Disclosure Agreement
Rokita Non-Disclosure AgreementAbdul-Hakim Shabazz
 
FILLABLE Bilateral TEMPLATE PARXTC Strategic Alliance Coalition MoU v20220301
FILLABLE Bilateral TEMPLATE PARXTC Strategic Alliance Coalition MoU v20220301FILLABLE Bilateral TEMPLATE PARXTC Strategic Alliance Coalition MoU v20220301
FILLABLE Bilateral TEMPLATE PARXTC Strategic Alliance Coalition MoU v20220301Andrew Networks
 
Sample Business Associate Agreement
Sample Business Associate AgreementSample Business Associate Agreement
Sample Business Associate AgreementJorge M. Abril, P.A.
 
Privacy update 04.29.2010
Privacy update 04.29.2010Privacy update 04.29.2010
Privacy update 04.29.2010stevemeltzer
 
IIAC Young Agents - Protecting Your Insureds\' Private Information
IIAC Young Agents - Protecting Your Insureds\' Private InformationIIAC Young Agents - Protecting Your Insureds\' Private Information
IIAC Young Agents - Protecting Your Insureds\' Private InformationJason Hoeppner
 
17 stipulation to dismiss with prejudice and order
17 stipulation to dismiss with prejudice and order17 stipulation to dismiss with prejudice and order
17 stipulation to dismiss with prejudice and orderHonolulu Civil Beat
 
Unfair claims-settlement-practices-act
Unfair claims-settlement-practices-actUnfair claims-settlement-practices-act
Unfair claims-settlement-practices-actLira Venture Capital
 
HIPAA Privacy Officers: Who Goes to Jail ?
HIPAA Privacy Officers: Who Goes to Jail ?HIPAA Privacy Officers: Who Goes to Jail ?
HIPAA Privacy Officers: Who Goes to Jail ?David Sweigert
 
FCS 3450 HOMEWORK #41.Thomas Franklin arrived at the following t.docx
FCS 3450 HOMEWORK #41.Thomas Franklin arrived at the following t.docxFCS 3450 HOMEWORK #41.Thomas Franklin arrived at the following t.docx
FCS 3450 HOMEWORK #41.Thomas Franklin arrived at the following t.docxmydrynan
 
FILLABLE Bilateral TEMPLATE PARXTC Strategic Alliance Coalition MoU v20220424
FILLABLE Bilateral TEMPLATE PARXTC Strategic Alliance Coalition MoU v20220424FILLABLE Bilateral TEMPLATE PARXTC Strategic Alliance Coalition MoU v20220424
FILLABLE Bilateral TEMPLATE PARXTC Strategic Alliance Coalition MoU v20220424Andrew Networks
 

Similar to DHHS OCR data breach resolution agreement (20)

Catholic Health Care Services Resolution Agreement
Catholic Health Care Services Resolution Agreement Catholic Health Care Services Resolution Agreement
Catholic Health Care Services Resolution Agreement
 
HIPAA Violation Fines: North memorial Hospistal Settlement
HIPAA Violation Fines: North memorial Hospistal Settlement HIPAA Violation Fines: North memorial Hospistal Settlement
HIPAA Violation Fines: North memorial Hospistal Settlement
 
North memorial resolution agreement
North memorial resolution agreementNorth memorial resolution agreement
North memorial resolution agreement
 
NYP RA and Cap april 2016
NYP RA and Cap april 2016 NYP RA and Cap april 2016
NYP RA and Cap april 2016
 
Raleigh Orthopedic RA and CAP April 2016
Raleigh Orthopedic RA and CAP April 2016Raleigh Orthopedic RA and CAP April 2016
Raleigh Orthopedic RA and CAP April 2016
 
First HIPAA enforcement action for lack of timely breach notification settles...
First HIPAA enforcement action for lack of timely breach notification settles...First HIPAA enforcement action for lack of timely breach notification settles...
First HIPAA enforcement action for lack of timely breach notification settles...
 
HIPAA Settlement New York Presbyterian and Columbia Universtiy
HIPAA Settlement New York Presbyterian and Columbia UniverstiyHIPAA Settlement New York Presbyterian and Columbia Universtiy
HIPAA Settlement New York Presbyterian and Columbia Universtiy
 
Massachusetts Eye and Ear Infirmary HIPAA Violation
Massachusetts Eye and Ear Infirmary HIPAA ViolationMassachusetts Eye and Ear Infirmary HIPAA Violation
Massachusetts Eye and Ear Infirmary HIPAA Violation
 
Bussiness associate agreementba 100213173228-phpapp02
Bussiness associate agreementba 100213173228-phpapp02Bussiness associate agreementba 100213173228-phpapp02
Bussiness associate agreementba 100213173228-phpapp02
 
Mediation Order New England Compounding Pharmacy
Mediation Order New England Compounding Pharmacy Mediation Order New England Compounding Pharmacy
Mediation Order New England Compounding Pharmacy
 
Rokita Non-Disclosure Agreement
Rokita Non-Disclosure AgreementRokita Non-Disclosure Agreement
Rokita Non-Disclosure Agreement
 
FILLABLE Bilateral TEMPLATE PARXTC Strategic Alliance Coalition MoU v20220301
FILLABLE Bilateral TEMPLATE PARXTC Strategic Alliance Coalition MoU v20220301FILLABLE Bilateral TEMPLATE PARXTC Strategic Alliance Coalition MoU v20220301
FILLABLE Bilateral TEMPLATE PARXTC Strategic Alliance Coalition MoU v20220301
 
Sample Business Associate Agreement
Sample Business Associate AgreementSample Business Associate Agreement
Sample Business Associate Agreement
 
Privacy update 04.29.2010
Privacy update 04.29.2010Privacy update 04.29.2010
Privacy update 04.29.2010
 
IIAC Young Agents - Protecting Your Insureds\' Private Information
IIAC Young Agents - Protecting Your Insureds\' Private InformationIIAC Young Agents - Protecting Your Insureds\' Private Information
IIAC Young Agents - Protecting Your Insureds\' Private Information
 
17 stipulation to dismiss with prejudice and order
17 stipulation to dismiss with prejudice and order17 stipulation to dismiss with prejudice and order
17 stipulation to dismiss with prejudice and order
 
Unfair claims-settlement-practices-act
Unfair claims-settlement-practices-actUnfair claims-settlement-practices-act
Unfair claims-settlement-practices-act
 
HIPAA Privacy Officers: Who Goes to Jail ?
HIPAA Privacy Officers: Who Goes to Jail ?HIPAA Privacy Officers: Who Goes to Jail ?
HIPAA Privacy Officers: Who Goes to Jail ?
 
FCS 3450 HOMEWORK #41.Thomas Franklin arrived at the following t.docx
FCS 3450 HOMEWORK #41.Thomas Franklin arrived at the following t.docxFCS 3450 HOMEWORK #41.Thomas Franklin arrived at the following t.docx
FCS 3450 HOMEWORK #41.Thomas Franklin arrived at the following t.docx
 
FILLABLE Bilateral TEMPLATE PARXTC Strategic Alliance Coalition MoU v20220424
FILLABLE Bilateral TEMPLATE PARXTC Strategic Alliance Coalition MoU v20220424FILLABLE Bilateral TEMPLATE PARXTC Strategic Alliance Coalition MoU v20220424
FILLABLE Bilateral TEMPLATE PARXTC Strategic Alliance Coalition MoU v20220424
 

More from David Sweigert

The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)David Sweigert
 
Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting David Sweigert
 
Sample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark AnalysisSample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark AnalysisDavid Sweigert
 
National Cyber Security Awareness Month poster
National Cyber Security Awareness Month posterNational Cyber Security Awareness Month poster
National Cyber Security Awareness Month posterDavid Sweigert
 
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner David Sweigert
 
National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017David Sweigert
 
California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9David Sweigert
 
Congressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber SecurityCongressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber SecurityDavid Sweigert
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)David Sweigert
 
Application of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking ThreatsApplication of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking ThreatsDavid Sweigert
 
Canada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector ChartCanada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector ChartDavid Sweigert
 
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...David Sweigert
 
Cyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public CommentCyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public CommentDavid Sweigert
 
Cyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public CommentCyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public CommentDavid Sweigert
 
National Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFTNational Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFTDavid Sweigert
 
National Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public FeedbackNational Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public FeedbackDavid Sweigert
 
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTNursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTDavid Sweigert
 
National Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd editionNational Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd editionDavid Sweigert
 
Healthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness PlanHealthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness PlanDavid Sweigert
 
Cyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHSCyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHSDavid Sweigert
 

More from David Sweigert (20)

The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
 
Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting
 
Sample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark AnalysisSample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark Analysis
 
National Cyber Security Awareness Month poster
National Cyber Security Awareness Month posterNational Cyber Security Awareness Month poster
National Cyber Security Awareness Month poster
 
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
 
National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017
 
California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9
 
Congressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber SecurityCongressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber Security
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
 
Application of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking ThreatsApplication of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking Threats
 
Canada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector ChartCanada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector Chart
 
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
 
Cyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public CommentCyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public Comment
 
Cyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public CommentCyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public Comment
 
National Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFTNational Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFT
 
National Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public FeedbackNational Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public Feedback
 
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTNursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
 
National Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd editionNational Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd edition
 
Healthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness PlanHealthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness Plan
 
Cyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHSCyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHS
 

Recently uploaded

Call Girls Dilsukhnagar 7001305949 all area service COD available Any Time
Call Girls Dilsukhnagar 7001305949 all area service COD available Any TimeCall Girls Dilsukhnagar 7001305949 all area service COD available Any Time
Call Girls Dilsukhnagar 7001305949 all area service COD available Any Timedelhimodelshub1
 
Gurgaon Sector 90 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few ...
Gurgaon Sector 90 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few ...Gurgaon Sector 90 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few ...
Gurgaon Sector 90 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few ...ggsonu500
 
VIP Call Girls Hyderabad Megha 9907093804 Independent Escort Service Hyderabad
VIP Call Girls Hyderabad Megha 9907093804 Independent Escort Service HyderabadVIP Call Girls Hyderabad Megha 9907093804 Independent Escort Service Hyderabad
VIP Call Girls Hyderabad Megha 9907093804 Independent Escort Service Hyderabaddelhimodelshub1
 
Call Girls in Mohali Surbhi ❤️🍑 9907093804 👄🫦 Independent Escort Service Mohali
Call Girls in Mohali Surbhi ❤️🍑 9907093804 👄🫦 Independent Escort Service MohaliCall Girls in Mohali Surbhi ❤️🍑 9907093804 👄🫦 Independent Escort Service Mohali
Call Girls in Mohali Surbhi ❤️🍑 9907093804 👄🫦 Independent Escort Service MohaliHigh Profile Call Girls Chandigarh Aarushi
 
Hi,Fi Call Girl In Marathahalli - 7001305949 with real photos and phone numbers
Hi,Fi Call Girl In Marathahalli - 7001305949 with real photos and phone numbersHi,Fi Call Girl In Marathahalli - 7001305949 with real photos and phone numbers
Hi,Fi Call Girl In Marathahalli - 7001305949 with real photos and phone numbersnarwatsonia7
 
Call Girls LB Nagar 7001305949 all area service COD available Any Time
Call Girls LB Nagar 7001305949 all area service COD available Any TimeCall Girls LB Nagar 7001305949 all area service COD available Any Time
Call Girls LB Nagar 7001305949 all area service COD available Any Timedelhimodelshub1
 
College Call Girls Hyderabad Sakshi 9907093804 Independent Escort Service Hyd...
College Call Girls Hyderabad Sakshi 9907093804 Independent Escort Service Hyd...College Call Girls Hyderabad Sakshi 9907093804 Independent Escort Service Hyd...
College Call Girls Hyderabad Sakshi 9907093804 Independent Escort Service Hyd...delhimodelshub1
 
Russian Escorts Aishbagh Road * 9548273370 Naughty Call Girls Service in Lucknow
Russian Escorts Aishbagh Road * 9548273370 Naughty Call Girls Service in LucknowRussian Escorts Aishbagh Road * 9548273370 Naughty Call Girls Service in Lucknow
Russian Escorts Aishbagh Road * 9548273370 Naughty Call Girls Service in Lucknowgragteena
 
hyderabad call girl.pdfRussian Call Girls in Hyderabad Amrita 9907093804 Inde...
hyderabad call girl.pdfRussian Call Girls in Hyderabad Amrita 9907093804 Inde...hyderabad call girl.pdfRussian Call Girls in Hyderabad Amrita 9907093804 Inde...
hyderabad call girl.pdfRussian Call Girls in Hyderabad Amrita 9907093804 Inde...delhimodelshub1
 
Call Girls Kukatpally 7001305949 all area service COD available Any Time
Call Girls Kukatpally 7001305949 all area service COD available Any TimeCall Girls Kukatpally 7001305949 all area service COD available Any Time
Call Girls Kukatpally 7001305949 all area service COD available Any Timedelhimodelshub1
 
Low Rate Call Girls In Bommanahalli Just Call 7001305949
Low Rate Call Girls In Bommanahalli Just Call 7001305949Low Rate Call Girls In Bommanahalli Just Call 7001305949
Low Rate Call Girls In Bommanahalli Just Call 7001305949ps5894268
 
Hi,Fi Call Girl In Whitefield - [ Cash on Delivery ] Contact 7001305949 Escor...
Hi,Fi Call Girl In Whitefield - [ Cash on Delivery ] Contact 7001305949 Escor...Hi,Fi Call Girl In Whitefield - [ Cash on Delivery ] Contact 7001305949 Escor...
Hi,Fi Call Girl In Whitefield - [ Cash on Delivery ] Contact 7001305949 Escor...narwatsonia7
 
Call Girls Secunderabad 7001305949 all area service COD available Any Time
Call Girls Secunderabad 7001305949 all area service COD available Any TimeCall Girls Secunderabad 7001305949 all area service COD available Any Time
Call Girls Secunderabad 7001305949 all area service COD available Any Timedelhimodelshub1
 
Book Call Girls in Hosur - 7001305949 | 24x7 Service Available Near Me
Book Call Girls in Hosur - 7001305949 | 24x7 Service Available Near MeBook Call Girls in Hosur - 7001305949 | 24x7 Service Available Near Me
Book Call Girls in Hosur - 7001305949 | 24x7 Service Available Near Menarwatsonia7
 
Kukatpally Call Girls Services 9907093804 High Class Babes Here Call Now
Kukatpally Call Girls Services 9907093804 High Class Babes Here Call NowKukatpally Call Girls Services 9907093804 High Class Babes Here Call Now
Kukatpally Call Girls Services 9907093804 High Class Babes Here Call NowHyderabad Call Girls Services
 
Call Girl Service ITPL - [ Cash on Delivery ] Contact 7001305949 Escorts Service
Call Girl Service ITPL - [ Cash on Delivery ] Contact 7001305949 Escorts ServiceCall Girl Service ITPL - [ Cash on Delivery ] Contact 7001305949 Escorts Service
Call Girl Service ITPL - [ Cash on Delivery ] Contact 7001305949 Escorts Servicenarwatsonia7
 

Recently uploaded (20)

College Call Girls Dehradun Kavya 🔝 7001305949 🔝 📍 Independent Escort Service...
College Call Girls Dehradun Kavya 🔝 7001305949 🔝 📍 Independent Escort Service...College Call Girls Dehradun Kavya 🔝 7001305949 🔝 📍 Independent Escort Service...
College Call Girls Dehradun Kavya 🔝 7001305949 🔝 📍 Independent Escort Service...
 
Call Girls Dilsukhnagar 7001305949 all area service COD available Any Time
Call Girls Dilsukhnagar 7001305949 all area service COD available Any TimeCall Girls Dilsukhnagar 7001305949 all area service COD available Any Time
Call Girls Dilsukhnagar 7001305949 all area service COD available Any Time
 
Gurgaon Sector 90 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few ...
Gurgaon Sector 90 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few ...Gurgaon Sector 90 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few ...
Gurgaon Sector 90 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few ...
 
VIP Call Girls Hyderabad Megha 9907093804 Independent Escort Service Hyderabad
VIP Call Girls Hyderabad Megha 9907093804 Independent Escort Service HyderabadVIP Call Girls Hyderabad Megha 9907093804 Independent Escort Service Hyderabad
VIP Call Girls Hyderabad Megha 9907093804 Independent Escort Service Hyderabad
 
Call Girls in Mohali Surbhi ❤️🍑 9907093804 👄🫦 Independent Escort Service Mohali
Call Girls in Mohali Surbhi ❤️🍑 9907093804 👄🫦 Independent Escort Service MohaliCall Girls in Mohali Surbhi ❤️🍑 9907093804 👄🫦 Independent Escort Service Mohali
Call Girls in Mohali Surbhi ❤️🍑 9907093804 👄🫦 Independent Escort Service Mohali
 
Model Call Girl in Subhash Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Subhash Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Subhash Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Subhash Nagar Delhi reach out to us at 🔝9953056974🔝
 
Hi,Fi Call Girl In Marathahalli - 7001305949 with real photos and phone numbers
Hi,Fi Call Girl In Marathahalli - 7001305949 with real photos and phone numbersHi,Fi Call Girl In Marathahalli - 7001305949 with real photos and phone numbers
Hi,Fi Call Girl In Marathahalli - 7001305949 with real photos and phone numbers
 
Call Girls LB Nagar 7001305949 all area service COD available Any Time
Call Girls LB Nagar 7001305949 all area service COD available Any TimeCall Girls LB Nagar 7001305949 all area service COD available Any Time
Call Girls LB Nagar 7001305949 all area service COD available Any Time
 
College Call Girls Hyderabad Sakshi 9907093804 Independent Escort Service Hyd...
College Call Girls Hyderabad Sakshi 9907093804 Independent Escort Service Hyd...College Call Girls Hyderabad Sakshi 9907093804 Independent Escort Service Hyd...
College Call Girls Hyderabad Sakshi 9907093804 Independent Escort Service Hyd...
 
Russian Escorts Aishbagh Road * 9548273370 Naughty Call Girls Service in Lucknow
Russian Escorts Aishbagh Road * 9548273370 Naughty Call Girls Service in LucknowRussian Escorts Aishbagh Road * 9548273370 Naughty Call Girls Service in Lucknow
Russian Escorts Aishbagh Road * 9548273370 Naughty Call Girls Service in Lucknow
 
hyderabad call girl.pdfRussian Call Girls in Hyderabad Amrita 9907093804 Inde...
hyderabad call girl.pdfRussian Call Girls in Hyderabad Amrita 9907093804 Inde...hyderabad call girl.pdfRussian Call Girls in Hyderabad Amrita 9907093804 Inde...
hyderabad call girl.pdfRussian Call Girls in Hyderabad Amrita 9907093804 Inde...
 
Call Girls Kukatpally 7001305949 all area service COD available Any Time
Call Girls Kukatpally 7001305949 all area service COD available Any TimeCall Girls Kukatpally 7001305949 all area service COD available Any Time
Call Girls Kukatpally 7001305949 all area service COD available Any Time
 
VIP Call Girls Lucknow Isha 🔝 9719455033 🔝 🎶 Independent Escort Service Lucknow
VIP Call Girls Lucknow Isha 🔝 9719455033 🔝 🎶 Independent Escort Service LucknowVIP Call Girls Lucknow Isha 🔝 9719455033 🔝 🎶 Independent Escort Service Lucknow
VIP Call Girls Lucknow Isha 🔝 9719455033 🔝 🎶 Independent Escort Service Lucknow
 
Low Rate Call Girls In Bommanahalli Just Call 7001305949
Low Rate Call Girls In Bommanahalli Just Call 7001305949Low Rate Call Girls In Bommanahalli Just Call 7001305949
Low Rate Call Girls In Bommanahalli Just Call 7001305949
 
Call Girl Lucknow Gauri 🔝 8923113531 🔝 🎶 Independent Escort Service Lucknow
Call Girl Lucknow Gauri 🔝 8923113531 🔝 🎶 Independent Escort Service LucknowCall Girl Lucknow Gauri 🔝 8923113531 🔝 🎶 Independent Escort Service Lucknow
Call Girl Lucknow Gauri 🔝 8923113531 🔝 🎶 Independent Escort Service Lucknow
 
Hi,Fi Call Girl In Whitefield - [ Cash on Delivery ] Contact 7001305949 Escor...
Hi,Fi Call Girl In Whitefield - [ Cash on Delivery ] Contact 7001305949 Escor...Hi,Fi Call Girl In Whitefield - [ Cash on Delivery ] Contact 7001305949 Escor...
Hi,Fi Call Girl In Whitefield - [ Cash on Delivery ] Contact 7001305949 Escor...
 
Call Girls Secunderabad 7001305949 all area service COD available Any Time
Call Girls Secunderabad 7001305949 all area service COD available Any TimeCall Girls Secunderabad 7001305949 all area service COD available Any Time
Call Girls Secunderabad 7001305949 all area service COD available Any Time
 
Book Call Girls in Hosur - 7001305949 | 24x7 Service Available Near Me
Book Call Girls in Hosur - 7001305949 | 24x7 Service Available Near MeBook Call Girls in Hosur - 7001305949 | 24x7 Service Available Near Me
Book Call Girls in Hosur - 7001305949 | 24x7 Service Available Near Me
 
Kukatpally Call Girls Services 9907093804 High Class Babes Here Call Now
Kukatpally Call Girls Services 9907093804 High Class Babes Here Call NowKukatpally Call Girls Services 9907093804 High Class Babes Here Call Now
Kukatpally Call Girls Services 9907093804 High Class Babes Here Call Now
 
Call Girl Service ITPL - [ Cash on Delivery ] Contact 7001305949 Escorts Service
Call Girl Service ITPL - [ Cash on Delivery ] Contact 7001305949 Escorts ServiceCall Girl Service ITPL - [ Cash on Delivery ] Contact 7001305949 Escorts Service
Call Girl Service ITPL - [ Cash on Delivery ] Contact 7001305949 Escorts Service
 

DHHS OCR data breach resolution agreement

  • 1. 1 RESOLUTION AGREEMENT I. Recitals 1. Parties. The Parties to this Resolution Agreement (“Agreement”) are: A. The United States Department of Health and Human Services, Office for Civil Rights (“HHS”), which enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the Federal standards for notification in the case of breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”). HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates, and covered entities and business associates must cooperate with HHS compliance reviews and investigations. See 45 C.F.R. §§ 160.306(c), 160.308, and 160.310(b). B. Anchorage Community Mental Health Services, Inc. (“ACMHS”), which is a covered entity, as defined at 45 C.F.R. § 160.103, and therefore is required to comply with the HIPAA Rules. ACMHS is a nonprofit, community, mental-health care provider that provides care, including care for the uninsured and underinsured, to the Anchorage community and surrounding areas. HHS and ACMHS shall together be referred to herein as the “Parties.” 2. Factual Background and Covered Conduct. On March 2, 2012, the HHS Office for Civil Rights (OCR) received notification from ACMHS regarding a breach of unsecured electronic protected health information (e-PHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources. On June 1, 2012, OCR notified ACMHS of OCR’s investigation regarding ACMHS’s compliance with the Privacy, Security, and Breach Notification Rules. OCR’s investigation indicated that the following conduct occurred (“Covered Conduct”): A. From April 21, 2005, the compliance date of the Security Rule, until March 12, 2012, ACMHS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality integrity, and availability of e-PHI held by ACMHS (See 45 C.F.R. § 164.308(a)(1)(ii)(A)); B. From April 21, 2005, the compliance date of the Security Rule, until March 12, 2012, ACMHS failed to implement policies and procedures requiring implementation of security measures sufficient to reduce risks and
  • 2. 2 vulnerabilities to its e-PHI to a reasonable and appropriate level (See 45 C.F.R. § 164.308(a)(1)(ii)(B)); and C. From January 1, 2008, until March 29, 2012, ACMHS failed to implement technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic communications network (See 45 C.F.R. § 164.312(e)) by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches. 3. No Admission. This Agreement is not an admission of liability by ACMHS. 4. No Concession. This Agreement is not a concession by HHS that ACMHS is not in violation of the Privacy Rule, the Security Rule, or the Breach Notification Rule and that ACMHS is not liable for civil money penalties. 5. Intention of Parties to Effect Resolution. This Agreement is intended to resolve OCR Transaction Number: 12-139936 and any violations of the HIPAA Privacy, Security, and Breach Notification Rules related to the Covered Conduct specified in paragraph I.2. of this Agreement. In consideration of the Parties’ interest in avoiding the uncertainty, burden, and expense of further investigation and formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below. II. Terms and Conditions 6. Payment. HHS has agreed to accept, and ACMHS has agreed to pay HHS, the amount of $150,000 (“Resolution Amount”). ACMHS agrees to pay the Resolution Amount on the Effective Date of this Agreement as defined in paragraph II.14 by automated clearinghouse transaction pursuant to written instructions to be provided by HHS. 7. Corrective Action Plan. ACMHS has entered into and agrees to comply with the Corrective Action Plan (“CAP”), attached as Appendix A, which is incorporated into this Agreement by reference. If ACMHS breaches the CAP, and fails to cure the breach as set forth in the CAP, then ACMHS will be in breach of this Agreement and HHS will not be subject to the terms and conditions in the Release set forth in Paragraph 8 of this Agreement. 8. Release by HHS. In consideration of and conditioned upon ACMHS’ performance of its obligations under this Agreement, HHS releases ACMHS from any actions it has or may have against ACMHS under the Privacy, Security, and Breach Notification Rules arising out of or related to the Covered Conduct specified in paragraph I.2. of this Agreement. HHS does not release ACMHS from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct and referred to in this paragraph. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
  • 3. 3 9. Agreement by Released Party. ACMHS shall not contest the validity of its obligation to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. ACMHS waives all procedural rights granted under Section 1128A of the Social Security Act (42 U.S.C. § 1320a-7a); 45 C.F.R. Part 160, Subpart E; and HHS Claims Collection provisions, 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount. 10. Binding on Successors. This Agreement is binding on ACMHS and its successors, heirs, transferees, and assigns. 11. Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement. 12. No Additional Releases. This Agreement is intended to be for the benefit of the Parties only, and by this instrument the Parties do not release any claims against or by any other person or entity. 13. Effect of Agreement. This Agreement constitutes the complete agreement between the Parties. All material representations, understandings, and promises of the Parties are contained in this Agreement. Any modifications to this Agreement must be set forth in writing and signed by both Parties. 14. Execution of Agreement and Effective Date. The Agreement shall become effective (i.e., final and binding) upon the date of signing of this Agreement and the CAP by the last signatory (“Effective Date”). 15. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a civil money penalty (“CMP”) must be imposed within six years from the date of the occurrence of the violation. To ensure that this six-year period does not expire during the term of this Agreement, ACMHS agrees that the time between the Effective Date of this Agreement and the date this Resolution Agreement may be terminated by reason of ACMHS’s breach, plus one-year thereafter, will not be included in calculating the six (6) year statute of limitations applicable to the violations which are the subject of this Agreement. ACMHS waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the Covered Conduct specified in paragraph I.2. that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Agreement. 16. Disclosure. HHS places no restriction on the publication of the Agreement. In addition, HHS may be required to disclose material related to this Agreement to any person upon request consistent with the applicable provisions of the Freedom of Information Act, 5 U.S.C. § 552, and its implementing regulations, 45 C.F.R. Part 5. 17. Execution in Counterparts. This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement.
  • 4. 4 18. Authorizations. The individual(s) signing this Agreement on behalf of ACMHS represent and warrant that they are authorized by ACMHS to execute this Agreement. The individual(s) signing this Agreement on behalf of HHS represent and warrant that they are signing this Agreement in their official capacities and that they are authorized to execute this Agreement. For Anchorage Community Mental Health Services, Inc. /s/ 12/02/2014 ____________________________ ____________ Jerry Jenkins Date Chief Executive Officer Anchorage Community Mental Health Services, Inc. For the United States Department of Health and Human Services /s/ 12/02/2014 ____________________________ _____________ Linda Yuu Connor Date Regional Manager, Region X Office for Civil Rights
  • 5. 5 Appendix A CORRECTIVE ACTION PLAN BETWEEN THE U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES AND ANCHORAGE COMMUNITY MENTAL HEALTH SERVICES, INC. I. Preamble Anchorage Community Mental Health Services, Inc. (hereinafter referred to as “ACMHS”) hereby enters into this Corrective Action Plan (“CAP”) with the United States Department of Health and Human Services, Office for Civil Rights (“HHS”). Contemporaneously with this CAP, ACMHS is entering into a Resolution Agreement (“Agreement”) with HHS, and this CAP is incorporated by reference into the Agreement as Appendix A. ACMHS enters into this CAP as part of the consideration for the release set forth in paragraph 8 of the Agreement. II. Contact Persons and Submissions A. Contact Persons. ACMHS has identified the following individual as its authorized representative and contact person regarding the implementation of this CAP and for receipt and submission of notifications and reports: Jerry Jenkins, Chief Executive Officer Anchorage Community Mental Health Services, Inc. 4020 Folker Street Anchorage, AK 99508 Telephone: 907-563-1000 Facsimile: 907-563-2045 HHS has identified the following individual as its contact person with whom ACMHS is to report information regarding the implementation of this CAP: Linda Yuu Connor, Regional Manager Office for Civil Rights, Region X Department of Health and Human Services 701 Fifth Avenue, Suite 1600, MS-11 Seattle, WA 98104
  • 6. 6 Telephone: 206-615-2290 Facsimile: 206-615-2297 ACMHS and HHS agree to promptly notify each other of any changes in the contact persons or the other information provided above. B. Proof of Submissions. Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including certified mail, overnight mail, or hand delivery, provided that there is proof that such notification was received. For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt. III. Effective Date and Term of CAP The Effective Date for this CAP shall be calculated in accordance with paragraph 14 of the Agreement (“Effective Date”). The period for compliance (“Compliance Term”) with the obligations assumed by ACMHS under this CAP shall begin on the Effective Date of this CAP and end two (2) years from the Effective Date unless HHS has notified ACMHS under section VIII hereof of its determination that ACMHS has breached this CAP. In the event of such a notification by HHS under section VIII hereof, the Compliance Term shall not end until HHS notifies ACMHS that it has determined that the breach has been cured. After the Compliance Term ends, ACMHS shall still be obligated to submit the final Annual Report as required by section VI and comply with the document retention requirement in section VII. IV. Time In computing any period of time prescribed or allowed by this CAP, all days referred to shall be calendar days. The day of the act, event, or default from which the designated period of time begins to run shall not be included. The last day of the period so computed shall be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day that is not one of the aforementioned days. V. Corrective Action Obligations ACMHS agrees to the following: A. Revision and Distribution of Policies and Procedures. 1. ACMHS shall provide an updated version of its Security Rule Policies and Procedures, which were submitted to OCR on May 20, 2013, to HHS within sixty (60) days of the Effective Date for review and approval. Upon receiving any recommended changes to such policies and procedures from HHS, ACMHS shall have thirty (30) days to revise such policies and procedures accordingly and provide the revised policies and procedures to HHS for review and approval.
  • 7. 7 3. ACMHS shall officially adopt the revised Security Rule Policies and Procedures within thirty (30) days of receipt of HHS’ approval. 4. ACMHS shall distribute its revised Security Rule Policies and Procedures to all members of the workforce who use or disclose e-PHI concomitantly with general security awareness training as required by section V.B.3 and to new members of the workforce who will use or disclose e-PHI within thirty (30) days of their beginning of service. 5. ACMHS shall require, at the time of distribution of its Security Rule Policies and Procedures, and shall maintain for its files, a signed written or electronic initial compliance certification from all members of the workforce, stating that the workforce members have read, understand, and shall abide by the Security Rule Policies and Procedures. B. Training. 1. ACMHS shall provide HHS with general security awareness training materials for all workforce members who use or disclose e-PHI within sixty (60) days of the Effective Date for review and approval. 2. Upon receiving notice from HHS specifying any required changes, ACMHS shall make the required changes and provide revised general security awareness training materials to HHS within thirty (30) days for review and approval. 3. Upon receiving approval from HHS, ACMHS shall provide general security awareness training for each workforce member who uses or discloses e-PHI within sixty (60) days of HHS approval and at least every twelve (12) months thereafter. ACMHS shall also provide such training to each new member of the workforce who uses or discloses e-PHI within thirty (30) days of their beginning of service. 4. Each workforce member who is required to attend training shall certify, in electronic or written form, that he or she received the training. The training certification shall specify the date training was received. All course materials shall be retained in compliance with section VII. 5. ACMHS shall review the training at least annually, and, where appropriate, update the training to reflect any changes in Federal law or HHS guidance, any issues discovered during audits or reviews, or any other relevant developments. C. Security Management Process. ACMHS shall annually, as required by ACMHS’ “IT Risk Management” policy and procedure, conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by ACMHS and document the security measures ACMHS implemented or is implementing to
  • 8. 8 sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level. D. Reportable Events. 1. During the Compliance Term, ACMHS shall, upon receiving information that a workforce member may have failed to comply with its Security Rule Policies and Procedures, promptly investigate the matter. If ACMHS determines, after review and investigation, that a member of its workforce has failed to comply with its Security Rule Policies and Procedures, ACMHS shall notify HHS in writing within thirty (30) days. Such violations shall be known as “Reportable Events.” The report to HHS shall include the following: a. A complete description of the event, including the relevant facts, the persons involved, and the provision(s) of ACMHS’s Security Rule Policies and Procedures implicated; and b. A description of the actions taken and any further steps ACMHS plans to take to address the matter, to mitigate any harm, and to prevent it from recurring, including the application of appropriate sanctions against workforce members who failed to comply with its Security Rule Policies and Procedures . 2. If no Reportable Events occur within the Compliance Term, ACMHS shall so inform OCR in its Annual Reports. VI. Annual Reports The one-year period beginning on the Effective Date and each subsequent one- year period during the course of the period of compliance obligations shall be referred to as “the Reporting Periods.” ACMHS shall submit to HHS Annual Reports with respect to the status of and findings regarding ACMHS’s compliance with this CAP for each Reporting Period. ACMHS shall submit each Annual Report to HHS no later than twenty (20) days after the end of each corresponding Reporting Period. The Annual Report shall include the following items: 1. An attestation signed by an owner or officer of ACMHS attesting that the Security Rule Policies and Procedures have been distributed to all members of the workforce who use or disclose e-PHI and that ACMHS has obtained all of the compliance certifications required by section V.A.2; 2. An attestation signed by an owner or officer of ACMHS attesting that all members of the workforce have completed general security awareness training as required by this CAP and have executed the training certifications required by section V.B.4;
  • 9. 9 3. Either a copy of the general security awareness training materials used for the training required by this CAP if revised pursuant to section V.B.5. or an attestation signed by an owner or officer of ACMHS attesting that he or she has reviewed the general security awareness training materials and no revisions were made; 4. An attestation signed by an owner or officer of ACMHS attesting that all information system resources are currently supported and updated with available patches; 5. An updated risk analysis and updated risk management plan pursuant to section V.C.; 6. A summary of Reportable Events (defined in section V.D.1.) identified during the Reporting Period and the status of any corrective and preventative action relating to all such Reportable Events; 7. An attestation signed by an owner or officer of ACMHS attesting that ACMHS has complied with the obligations of this CAP; and 8. An attestation signed by an owner or officer of ACMHS attesting that he or she has reviewed the Annual Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful. VII. Document Retention ACMHS shall maintain for inspection and copying, and shall provide to OCR upon request, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date. VIII. Breach Provisions ACMHS is expected to fully and timely comply with all provisions contained in this CAP. A. Timely Written Requests for Extensions. ACMHS may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act required by this CAP. A “timely written request” is defined as a request in writing received by HHS at least five (5) days prior to the date such an act is required or due to be performed. B. Notice of Breach of this CAP and Intent to Impose Civil Money Penalty. The Parties agree that a breach of this CAP by ACMHS constitutes a breach of the Agreement. Upon a determination by HHS that ACMHS has breached this CAP, HHS may notify ACMHS of (1) ACMHS’ breach; and (2) HHS’ intent to impose a civil money penalty (“CMP”), pursuant to 45 C.F.R. Part 160, or other remedies for the Covered Conduct set forth in paragraph I.2. of the Agreement and for any other conduct
  • 10. 10 that constitutes a violation of the HIPAA Privacy, Security, or Breach Notification Rules (“Notice of Breach and Intent to Impose CMP”). C. ACMHS Response. ACMHS shall have thirty (30) days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS’ satisfaction that: 1. ACMHS is in compliance with the obligations of this CAP that HHS cited as the basis for the breach; 2. the alleged breach has been cured; or 3. the alleged breach cannot be cured within the 30-day period, but that: (a) ACMHS has begun to take action to cure the breach; (b) ACMHS is pursuing such action with due diligence; and (c) ACMHS has provided to HHS a reasonable timetable for curing the breach. D. Imposition of CMP. If at the conclusion of the 30-day period, ACMHS fails to meet the requirements of section VIII.C. of this CAP to HHS’ satisfaction, HHS may proceed with the imposition of the CMP against ACMHS pursuant to 45 C.F.R. Part 160 for any violations of the Privacy, Security, and Breach Notification Rules related to the Covered Conduct set forth in paragraph I.2. of the Agreement and for any other act or failure to act that constitutes a violation of the HIPAA Privacy, Security, or Breach Notification Rules. HHS shall notify ACMHS in writing of its determination to proceed with the imposition of a CMP. For Anchorage Community Mental Health Services, Inc. /s/ 12/02/2014 ____________________________ _____________ Jerry Jenkins Date Chief Executive Officer Anchorage Community Mental Health Services, Inc. For the United States Department of Health and Human Services /s/ 12/02/2014 ____________________________ _____________ Linda Yuu Connor Date Regional Manager, Region X Office for Civil Rights