RESOLUTION AGREEMENT
I. Recitals
1. Parties. The Parties to this Resolution Agreement (“Agreement”) are:
A. The United States Department of Health and Human Services, Office for
Civil Rights (“HHS”), which enforces the Federal standards that govern the privacy of
individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of
Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic
individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of
Part 164, the “Security Rule”), and the Federal standards for notification in the case of
breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and
D of 45 C.F.R. Part 164, the “Breach Notification Rule”). HHS has the authority to
conduct compliance reviews and investigations of complaints alleging violations of the
Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered
entities and business associates, and covered entities and business associates must
cooperate with HHS compliance reviews and investigations. See 45 C.F.R. §§
160.306(c), 160.308, and 160.310(b).
B. North Memorial Health Care (“North Memorial”), which is a covered
entity, as defined at 45 C.F.R. § 160.103, and therefore is required to comply with the
HIPAA Rules. North Memorial is a comprehensive, not-for-profit health care system in
Minnesota that serves the Twin Cities north, central, and west communities.
HHS and North Memorial shall together be referred to herein as the “Parties.”
2. Factual Background and Covered Conduct. On September 27, 2011, North
Memorial reported to the HHS Office for Civil Rights that, on July 25, 2011, an unencrypted
laptop that contained the electronic protected health information of approximately 2,800
individuals (later amended to include an additional 6,697 individuals) who received care from
North Memorial was stolen from an Accretive Health (“Accretive”) workforce member’s locked
vehicle. In its report, North Memorial noted that Accretive was its business associate.
HHS’ investigation indicated that the following conduct appears to have occurred (“Covered
Conduct”):
A. North Memorial provided Accretive, a business associate, with access to
North Memorial’s protected health information (PHI) without obtaining satisfactory
assurances from Accretive, in the form of a written business associate agreement, that
Accretive would appropriately safeguard the PHI. North Memorial began providing
Accretive with access to North Memorial’s PHI on March 21, 2011, and did not enter
into a written business associate agreement with Accretive until October 14, 2011. See 45
C.F.R. § 164.308(b) and 45 C.F.R. § 164.502(e).
B. From March 21, 2011 to October 14, 2011, North Memorial
impermissibly disclosed the PHI of at least 289,904 individuals to Accretive when North
Memorial provided Accretive with access to PHI without obtaining Accretive’s
satisfactory assurances, in the form of a written business associate agreement, that
Accretive would appropriately safeguard the PHI. See 45 C.F.R. § 164.502(a).
C. North Memorial failed to conduct an accurate and thorough risk analysis
that incorporated all of North Memorial’s information technology equipment,
applications, and data systems using electronic PHI. See 45 C.F.R. § 164.308(a)(1)(ii)(A).
3. No Admission. This Agreement is not an admission of liability by North
Memorial.
4. No Concession. This Agreement is not a concession by HHS that North
Memorial is not in violation of the HIPAA Rules and that North Memorial is not liable for civil
money penalties.
5. Intention of Parties to Effect Resolution. This Agreement is intended to resolve
HHS Transaction No. 13-150938 and any violations of the HIPAA Rules for the Covered
Conduct specified in paragraph I.2 of this Agreement. In consideration of the Parties’ interest in
avoiding the uncertainty, burden and expense of further investigation and formal proceedings,
the Parties agree to resolve this matter according to the Terms and Conditions below.
II. Terms and Conditions
6. Payment. North Memorial agrees to pay HHS the amount of $1,550,000
(“Resolution Amount”). North Memorial agrees to pay the Resolution Amount on the Effective
Date of this Agreement as defined in paragraph II.14 by automated clearing house transaction
pursuant to written instructions to be provided by HHS.
7. Corrective Action Plan. North Memorial has entered into and agrees to comply
with the Corrective Action Plan (CAP), attached as Appendix A, which is incorporated into this
Agreement by reference. If North Memorial breaches the CAP, and fails to cure the breach as set
forth in the CAP, then North Memorial will be in breach of this Agreement, and HHS will not be
subject to the release set forth in paragraph II.8 of this Agreement.
8. Release by HHS. In consideration of and conditioned upon North Memorial’s
performance of its obligations under this Agreement, HHS releases North Memorial from any
actions it may have against North Memorial under the HIPAA Rules for the Covered Conduct
specified in paragraph I.2 of this Agreement. HHS does not release North Memorial from, nor
waive any rights, obligations, or causes of action other than those for the Covered Conduct and
referred to in this paragraph. This release does not extend to actions that may be brought under
section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
9. Agreement by Released Party. North Memorial shall not contest the validity of
its obligation to pay, nor the amount of, the Resolution Amount or any other obligations agreed
to under this Agreement. North Memorial waives all procedural rights granted under section
1128A of the Social Security Act (42 U.S.C. § 1320a-7a), 45 C.F.R. Part 160, Subpart E, and
HHS Claims Collection provisions, 45 C.F.R. Part 30, including, but not limited to, notice,
hearing, and appeal with respect to the Resolution Amount.
10. Binding on Successors. This Agreement is binding on North Memorial and its
successors, heirs, transferees, and assigns.
11. Costs. Each Party to this Agreement shall bear its own legal and other costs
incurred in connection with this matter, including the preparation and performance of this
Agreement.
12. No Additional Releases. This Agreement is intended to be for the benefit of the
Parties only, and by this instrument the Parties do not release any claims against any other person
or entity.
13. Effect of Agreement. This Agreement constitutes the complete agreement
between the Parties. All material representations, understandings, and promises of the Parties are
contained in this Agreement. Any modifications to this Agreement must be in writing and signed
by both Parties.
14. Execution of Agreement and Effective Date. The Agreement shall become
effective (i.e., final and binding) on the date of signing of this Agreement and the CAP by the
last signatory (“Effective Date”).
15. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a civil
money penalty (“CMP”) must be imposed within six (6) years from the date of the occurrence of
the violation. To ensure that this six-year period does not expire during the term of this
Agreement, North Memorial agrees that the time between the Effective Date of this Agreement
and the date this Agreement may be terminated by reason of North Memorial’s breach, plus one
year thereafter, will not be included in calculating the six (6) year statute of limitations
applicable to the violations which are the subject of this Agreement. North Memorial waives and
will not plead any statute of limitations, laches, or similar defenses to any administrative action
relating to the Covered Conduct identified in paragraph I.2 that is filed by HHS within the time
period set forth above, except to the extent that such defenses would have been available had an
administrative action been filed on the Effective Date of this Agreement.
16. Disclosure. HHS places no restriction on the publication of the Agreement. In
addition, HHS may be required to disclose this Agreement and related material to any person
upon request consistent with the applicable provisions of the Freedom of Information Act, 5
U.S.C. § 552, and its implementing regulations, 45 C.F.R. Part 5.
17. Execution in Counterparts. This Agreement may be executed in counterparts,
each of which constitutes an original, and all of which shall constitute one and the same
agreement.
18. Authorizations. The individual(s) signing this Agreement on behalf of North
Memorial represent and warrant that they are authorized by North Memorial to execute this
Agreement. The individual(s) signing this Agreement on behalf of HHS represent and warrant
that they are signing this Agreement in their official capacities and that they are authorized to
execute this Agreement.
For North Memorial Health Care
/s/
J. Kevin Croston, M.D.
Chief Executive Officer
North Memorial Health Care
Date
For the United States Department of Health and Human Services
/s/
Celeste H. Davis
Regional Manager
Office for Civil Rights, Midwest Region
Date
Appendix A
CORRECTIVE ACTION PLAN BETWEEN
THE DEPARTMENT OF HEALTH AND HUMAN SERVICES, OFFICE FOR CIVIL
RIGHTS
AND
NORTH MEMORIAL HEALTH CARE
I. Preamble
North Memorial Health Care (“North Memorial”) hereby enters into this Corrective
Action Plan (“CAP”) with the United States Department of Health and Human Services, Office
for Civil Rights (“HHS” or “OCR”). Contemporaneously with this CAP, North Memorial is
entering into a Resolution Agreement (“Agreement”) with HHS, and this CAP is incorporated by
reference into the Agreement as Appendix A. North Memorial enters into this CAP as part of the
consideration for the release in paragraph II.8 of the Agreement.
II. Contact Persons and Submissions
A. Contact Persons
North Memorial has identified the following individual as its authorized representative
and contact person regarding the implementation of this CAP and for receipt and submission of
notifications and reports:
Deb Contreras, RHIA
Director, Health Information Management
Privacy Officer
North Memorial Health Care
3300 Oakdale Ave N
Robbinsdale, MN 55422
Phone: 763-581-4437
Deb.Contreras@NorthMemorial.com
HHS has identified the following individual as its contact person with whom North
Memorial is to report information regarding the implementation of this CAP:
Celeste H. Davis
Regional Manager
Office for Civil Rights, Midwest Region
U.S. Department of Health and Human Services
233 N. Michigan Avenue; Suite 240
Chicago, Illinois 60601
Celeste.Davis@hhs.gov
Telephone: 312-353-8101
Facsimile: 312-886-1807
North Memorial and HHS agree to promptly notify each other of any changes in the
contact persons or the other information provided above.
B. Proof of Submissions
Unless otherwise specified, all notifications and reports required by this CAP may be
made by any means, including certified mail, overnight mail, or hand delivery, provided that
there is proof that such notification was received. For purposes of this requirement, internal
facsimile confirmation sheets do not constitute proof of receipt.
III. Effective Date and Term of CAP
The Effective Date for this CAP shall be calculated in accordance with paragraph 14 of
the Agreement (“Effective Date”). The period for compliance (“Compliance Term”) with the
obligations assumed by North Memorial under this CAP shall begin on the Effective Date of this
CAP and end two (2) years from the date HHS approves the last of the policies and procedures,
risk analysis, and risk management plan required under section V of this CAP, unless HHS has
notified North Memorial under section VIII hereof of its determination that North Memorial has
breached this CAP. In the event of such a notification by HHS under section VIII hereof, the
Compliance Term shall not end until HHS notifies North Memorial that it has determined that
the breach has been cured. After the Compliance Term ends, North Memorial shall still be
obligated to submit the final Annual Report as required by section VI and comply with the
document retention requirement in section VII of this CAP.
IV. Time
In computing any period of time prescribed or allowed by this CAP, all days referred to
shall be calendar days. The day of the act, event, or default from which the designated period of
time begins to run shall not be included. The last day of the period so computed shall be
included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs
until the end of the next day that is not one of the aforementioned days.
V. Corrective Action Obligations
North Memorial agrees to the following:
A. Develop Policies and Procedures Related to Business Associate Relationships
1. North Memorial shall develop policies and procedures that: (a) designate
one or more individual(s) who are responsible for ensuring that North
Memorial enters into a business associate agreement with each of its
business associates, as defined by the HIPAA Rules, prior to North
Memorial disclosing protected health information (PHI) to the business
associate; (b) create a process for assessing North Memorial’s current and
future business relationships to determine whether each relationship is
with a business associate, as defined by the HIPAA Rules, and requires
North Memorial to enter into a business associate agreement; (c) create a
process for negotiating and entering into business associate agreements
with business associates prior to disclosing PHI to the business associates;
(d) create a process for maintaining documentation of a business associate
agreement for at least six (6) years beyond the date of when the business
associate relationship is terminated; and (e) limit disclosures of PHI to
business associates to the minimum necessary amount of PHI that is
reasonably necessary for business associates to perform their duties.
2. Within ninety (90) calendar days of the Effective Date, North Memorial
shall forward the policies and procedures required by section V.A.1 of this
CAP to HHS for HHS’ review and approval. HHS will inform North
Memorial in writing as to whether HHS approves or disapproves of the
proposed policies and procedures within a reasonable time. If HHS
disapproves of them, HHS shall provide North Memorial with comments
and required revisions within a reasonable time. Upon receiving any
required revisions to such policies and procedures from HHS, North
Memorial shall have sixty (60) calendar days in which to revise the
policies and procedures accordingly, and then submit the revised policies
and procedures to HHS for review and approval. This process shall
continue until HHS approves the policies and procedures.
3. Within sixty (60) calendar days of HHS’ approval of the policies and
procedures required by section V.A.1 of this CAP, North Memorial
shall finalize and officially adopt the policies and procedures, in
accordance with its applicable administrative procedures.
B. Modify Existing Risk Analysis Process
1. Within one hundred eighty (180) calendar days of the Effective Date,
North Memorial shall complete an updated, comprehensive, and thorough
risk analysis of security risks and vulnerabilities that incorporates all
electronic equipment, data systems, and applications controlled,
administered, or owned by North Memorial, its workforce members, and
affiliated staff that contains, stores, transmits, or receives electronic PHI
(ePHI). North Memorial shall develop a complete inventory of all
electronic equipment, data systems, and applications that contain or store
ePHI, which will be incorporated in its risk analysis. The risk analysis
shall be forwarded to HHS for its review and approval consistent with
section V.C.2 of this CAP.
C. Develop and Implement a Risk Management Plan
1. North Memorial shall develop an organization-wide risk management plan
to address and mitigate any security risks and vulnerabilities identified in
the risk analysis and, if necessary, revise its policies and procedures
accordingly. The risk management plan and any revised policies and
procedures shall be forwarded to HHS for its review and approval
consistent with section V.C.2 of this CAP.
2. Within ninety (90) calendar days of the completion of the risk analysis
required by section V.B.1 of this CAP, North Memorial shall forward the
risk analysis and the risk management plan and any revised policies and
procedures required by section V.C.1 of this CAP to HHS for its review
and approval. HHS will inform North Memorial in writing as to whether
HHS approves or disapproves of the proposed risk analysis, risk
management plan, or any policies and procedures within a reasonable
time. If HHS disapproves of them, HHS shall provide North Memorial
with comments and required revisions within a reasonable time. Upon
receiving any required revisions to the risk analysis, risk management
plan, or any policies and procedures from HHS, North Memorial shall
have sixty (60) calendar days in which to revise the documents, and then
submit the revised documents to HHS for review and approval. This
process shall continue until HHS approves the risk analysis, risk
management plan, and any policies and procedures.
3. Within sixty (60) calendar days of HHS’ approval of the risk management
plan and any revised policies and procedures required by section V.C.1 of
this CAP, North Memorial shall finalize and officially adopt the risk
management plan and any revised policies and procedures, in accordance
with its applicable administrative procedures. North Memorial shall
immediately thereafter begin implementation of the risk management plan
and shall distribute the plan and any revised policies and procedures to all
workforce members who are involved in the plan’s implementation.
D. Training
1. Within sixty (60) days of HHS’ approval of the policies and procedures
required by section V.A.1 of this CAP regarding business associates,
North Memorial shall forward its proposed training materials on the
policies and procedures to HHS for its review and approval.
2. Within thirty (30) days of HHS’ approval of any revised policies and
procedures required by section V.C.1 of this CAP regarding risk
management, North Memorial shall forward its proposed training
materials on the revised policies and procedures to HHS for its review and
approval.
3. HHS will inform North Memorial in writing as to whether HHS approves
or disapproves of the proposed training materials within a reasonable time.
If HHS disapproves of them, HHS shall provide North Memorial with
comments and required revisions within a reasonable time. Upon receiving
any required revisions to the training materials from HHS, North
Memorial shall have sixty (60) calendar days in which to revise the
training materials, and then submit the revised training materials to HHS
for review and approval.
4. Within ninety (90) days of HHS’ approval of the training materials, North
Memorial shall provide training to all appropriate workforce members, in
accordance with North Memorial’s applicable administrative procedures
for training.
5. After providing the training required by section V.D.4 of this CAP, North
Memorial shall provide annual retraining on the training materials OCR
approved under this CAP to all appropriate workforce members for the
duration of the Compliance Term of this CAP.
6. Each workforce member who is required to receive training shall certify,
in electronic or written form, that he or she received the training. The
training certification shall specify the date on which the training was
received. All training materials shall be retained in compliance with
section VII of this CAP.
VI. Reportable Events and Annual Reports
A. Reportable Events
1. During the Compliance Term, North Memorial shall, upon receiving
information that a workforce member may have failed to comply with any
provision of the policies and procedures required by section V.A.1 or
section V.C.1 of this CAP, promptly investigate the matter. If North
Memorial determines that a workforce member has violated the policies
and procedures required by section V.A.1 or section V.C.1 of this CAP,
North Memorial shall notify HHS in writing within thirty (30) days. Such
violations shall be known as “Reportable Events.” The report to HHS shall
include the following:
a. A complete description of the event, including relevant facts, the
persons involved, and the implicated provision(s) of North
Memorial’s policies and procedures; and
b. A description of actions taken and any further steps North
Memorial plans to take to address the matter, to mitigate the harm,
and to prevent it from recurring, including the application of
appropriate sanctions against workforce members who failed to
comply with its policies and procedures.
2. If no Reportable Events occur during any one Reporting Period, as defined
in section VI.B.1 of this CAP, North Memorial shall so inform HHS in its
Annual Report for that Reporting Period.
B. Annual Reports
1. The one-year period after HHS’ last approval of the policies and
procedures, risk analysis, and risk management plan required under
section V of this CAP, and each subsequent one-year period during the
Compliance Term, as defined in section III of this CAP, shall each be
known as a “Reporting Period.” North Memorial shall submit to HHS a
report with respect to the status of and findings regarding North
Memorial’s compliance with this CAP for each Reporting Period
(“Annual Report”). North Memorial shall submit each Annual Report to
HHS no later than thirty (30) days after the end of each corresponding
Reporting Period. Each Annual Report shall include:
a. An attestation signed by an officer of North Memorial attesting
that the policies and procedures and risk management plan
required by section V of this CAP: (a) have been adopted; (b) are
being implemented; and (c) have been distributed to all appropriate
workforce members;
b. A copy of all training materials used for the training required by
section V of this CAP, a description of the training, including a
summary of the topics covered, the length of the training session(s)
conducted and a schedule of when the training session(s) were
held;
c. A summary of Reportable Events (defined in section VI.A.1 of this
CAP) identified during the Reporting Period and the status of any
corrective or preventative action(s) taken by North Memorial
relating to each Reportable Event;
d. An attestation signed by an officer of North Memorial attesting
that it has obtained and is maintaining written or electronic
certifications from all workforce members that are required to
receive training that they received the requisite training pursuant to
the requirements set forth in this CAP;
e. An attestation signed by an officer of North Memorial listing all of
North Memorial’s locations, the name under which each location is
doing business, the corresponding mailing address, phone number
and fax number for each location, and attesting that each location
has complied with the obligations of this CAP; and
f. An attestation signed by an officer of North Memorial stating that
he or she has reviewed the Annual Report, has made a reasonable
inquiry regarding its content, and believes that, upon such inquiry,
the information is accurate and truthful.
VII. Document Retention
North Memorial shall maintain for inspection and copying, and shall provide to OCR
upon request, all documents and records relating to compliance with this CAP for six (6) years
from the Effective Date.
VIII. Requests for Extensions and Breach Provisions
North Memorial is expected to fully and timely comply with all provisions contained in
this CAP.
A. Timely Written Requests for Extensions. North Memorial may, in advance of any
due date in this CAP, submit a timely written request for an extension of time to perform any act
or file any notification or report required by this CAP. A “timely written request” is defined as a
request in writing received by HHS at least five (5) business days prior to the date by which any
act is due to be performed.
B. Notice of Breach and Intent to Impose CMP. The Parties agree that a breach of
this CAP by North Memorial constitutes a breach of the Agreement. Upon a determination by
HHS that North Memorial has breached this CAP, HHS may notify North Memorial of: (1)
North Memorial’s breach and (2) HHS’ intent to impose a civil monetary penalty (CMP),
pursuant to 45 C.F.R. Part 160, for the Covered Conduct in paragraph I.2 of the Agreement and
for any other conduct that constitutes a violation of the HIPAA Rules (“Notice of Breach and
Intent to Impose CMP”).
C. North Memorial’s Response. North Memorial shall have thirty (30) days from the
date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS’
satisfaction that:
1. North Memorial is in compliance with the obligations of this CAP that
HHS cited as the basis for the breach;
2. The alleged breach has been cured; or
3. The alleged breach cannot be cured within the 30-day period, but that: (a)
North Memorial has begun to take action to cure the breach; (b) North
Memorial is pursuing such action with due diligence; and (c) North
Memorial has provided to HHS a reasonable timetable for curing the
breach.
D. Imposition of CMP. If at the conclusion of the 30-day period, North Memorial
fails to meet the requirements of section VIII.C of this CAP to HHS’ satisfaction, HHS may
proceed with the imposition of a CMP against North Memorial pursuant to 45 C.F.R. Part 160
for any violations of the HIPAA Rules related to the Covered Conduct in paragraph I.2 of the
Agreement and for any other act or failure to act that constitutes a violation of the HIPAA Rules.
HHS shall notify North Memorial in writing of its determination to proceed with the imposition
of a CMP.
For North Memorial Health Care
/s/
J. Kevin Croston, M.D.
Chief Executive Officer
North Memorial Health Care
Date
For the United States Department of Health and Human Services
/s/
Celeste H. Davis
Regional Manager
Office for Civil Rights, Midwest Region
Date

 
The Latest Paradigm Shift in Health Care: Providers, Patients and Payers Play...
The Latest Paradigm Shift in Health Care: Providers, Patients and Payers Play...The Latest Paradigm Shift in Health Care: Providers, Patients and Payers Play...
The Latest Paradigm Shift in Health Care: Providers, Patients and Payers Play...Craig B. Garner
 
an_update_on_the_application_of_unfair_claims_settlement_practices
an_update_on_the_application_of_unfair_claims_settlement_practicesan_update_on_the_application_of_unfair_claims_settlement_practices
an_update_on_the_application_of_unfair_claims_settlement_practicesAntonio Trotta
 
Mediation Order New England Compounding Pharmacy
Mediation Order New England Compounding Pharmacy Mediation Order New England Compounding Pharmacy
Mediation Order New England Compounding Pharmacy mzamoralaw
 
FL Judgment
FL JudgmentFL Judgment
FL JudgmentBrian Lum
 
2013 mutual aid_city_of_mc_kinney_fire_department_and_collin_county
2013 mutual aid_city_of_mc_kinney_fire_department_and_collin_county2013 mutual aid_city_of_mc_kinney_fire_department_and_collin_county
2013 mutual aid_city_of_mc_kinney_fire_department_and_collin_countyrath4thekids
 

Similar to HIPAA Violation Fines: North memorial Hospistal Settlement (17)

Catholic Health Care Services Resolution Agreement
Catholic Health Care Services Resolution Agreement Catholic Health Care Services Resolution Agreement
Catholic Health Care Services Resolution Agreement
 
NYP RA and Cap april 2016
NYP RA and Cap april 2016 NYP RA and Cap april 2016
NYP RA and Cap april 2016
 
Raleigh Orthopedic RA and CAP April 2016
Raleigh Orthopedic RA and CAP April 2016Raleigh Orthopedic RA and CAP April 2016
Raleigh Orthopedic RA and CAP April 2016
 
First HIPAA enforcement action for lack of timely breach notification settles...
First HIPAA enforcement action for lack of timely breach notification settles...First HIPAA enforcement action for lack of timely breach notification settles...
First HIPAA enforcement action for lack of timely breach notification settles...
 
Item # 10 Catto & Catto to HUB Insurance Broker Assignment
Item # 10  Catto & Catto to HUB Insurance Broker AssignmentItem # 10  Catto & Catto to HUB Insurance Broker Assignment
Item # 10 Catto & Catto to HUB Insurance Broker Assignment
 
Rokita Non-Disclosure Agreement
Rokita Non-Disclosure AgreementRokita Non-Disclosure Agreement
Rokita Non-Disclosure Agreement
 
17 stipulation to dismiss with prejudice and order
17 stipulation to dismiss with prejudice and order17 stipulation to dismiss with prejudice and order
17 stipulation to dismiss with prejudice and order
 
FCS 3450 HOMEWORK #41.Thomas Franklin arrived at the following t.docx
FCS 3450 HOMEWORK #41.Thomas Franklin arrived at the following t.docxFCS 3450 HOMEWORK #41.Thomas Franklin arrived at the following t.docx
FCS 3450 HOMEWORK #41.Thomas Franklin arrived at the following t.docx
 
UB04 EXAMPLE JONES
UB04 EXAMPLE JONESUB04 EXAMPLE JONES
UB04 EXAMPLE JONES
 
FILLABLE Bilateral TEMPLATE PARXTC Strategic Alliance Coalition MoU v20220301
FILLABLE Bilateral TEMPLATE PARXTC Strategic Alliance Coalition MoU v20220301FILLABLE Bilateral TEMPLATE PARXTC Strategic Alliance Coalition MoU v20220301
FILLABLE Bilateral TEMPLATE PARXTC Strategic Alliance Coalition MoU v20220301
 
The Latest Paradigm Shift in Health Care: Providers, Patients and Payers Play...
The Latest Paradigm Shift in Health Care: Providers, Patients and Payers Play...The Latest Paradigm Shift in Health Care: Providers, Patients and Payers Play...
The Latest Paradigm Shift in Health Care: Providers, Patients and Payers Play...
 
an_update_on_the_application_of_unfair_claims_settlement_practices
an_update_on_the_application_of_unfair_claims_settlement_practicesan_update_on_the_application_of_unfair_claims_settlement_practices
an_update_on_the_application_of_unfair_claims_settlement_practices
 
Mediation Order New England Compounding Pharmacy
Mediation Order New England Compounding Pharmacy Mediation Order New England Compounding Pharmacy
Mediation Order New England Compounding Pharmacy
 
FL Judgment
FL JudgmentFL Judgment
FL Judgment
 
Coalition for parity
Coalition for parityCoalition for parity
Coalition for parity
 
Coalition for parity
Coalition for parityCoalition for parity
Coalition for parity
 
2013 mutual aid_city_of_mc_kinney_fire_department_and_collin_county
2013 mutual aid_city_of_mc_kinney_fire_department_and_collin_county2013 mutual aid_city_of_mc_kinney_fire_department_and_collin_county
2013 mutual aid_city_of_mc_kinney_fire_department_and_collin_county
 

More from data brackets

Prepayment Audit Suggested Documentation
Prepayment Audit Suggested DocumentationPrepayment Audit Suggested Documentation
Prepayment Audit Suggested Documentationdata brackets
 
Lincare HIPAA remediated decision by administrative judge
Lincare HIPAA remediated decision by administrative judgeLincare HIPAA remediated decision by administrative judge
Lincare HIPAA remediated decision by administrative judgedata brackets
 
Lincare HIPAA Notice of Proposed Determination remediated
Lincare HIPAA Notice of Proposed Determination remediatedLincare HIPAA Notice of Proposed Determination remediated
Lincare HIPAA Notice of Proposed Determination remediateddata brackets
 
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and ...
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and ...Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and ...
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and ...data brackets
 
Office of Inspector General Study on OCR's HIPAA audit program
Office of Inspector General Study on OCR's HIPAA audit programOffice of Inspector General Study on OCR's HIPAA audit program
Office of Inspector General Study on OCR's HIPAA audit programdata brackets
 
EHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentEHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentdata brackets
 
OCR HHS HIPAA HITECH Audit Advisory Template
OCR HHS HIPAA HITECH Audit Advisory TemplateOCR HHS HIPAA HITECH Audit Advisory Template
OCR HHS HIPAA HITECH Audit Advisory Templatedata brackets
 
HIPAA HITECH Compliance Assurance Template
HIPAA HITECH Compliance Assurance TemplateHIPAA HITECH Compliance Assurance Template
HIPAA HITECH Compliance Assurance Templatedata brackets
 
Trends and Career Opportunities in Health IT
Trends and Career Opportunities in Health ITTrends and Career Opportunities in Health IT
Trends and Career Opportunities in Health ITdata brackets
 
Massachusetts Eye and Ear Infirmary HIPAA Violation
Massachusetts Eye and Ear Infirmary HIPAA  ViolationMassachusetts Eye and Ear Infirmary HIPAA  Violation
Massachusetts Eye and Ear Infirmary HIPAA Violationdata brackets
 
Mobile devices and applications in healthcare: Security and Compliance Risks
Mobile devices and applications in healthcare: Security and Compliance RisksMobile devices and applications in healthcare: Security and Compliance Risks
Mobile devices and applications in healthcare: Security and Compliance Risksdata brackets
 
Business Associate Assurance: What Covered Entities Need to Know
Business Associate Assurance: What Covered Entities Need to KnowBusiness Associate Assurance: What Covered Entities Need to Know
Business Associate Assurance: What Covered Entities Need to Knowdata brackets
 
Social Media Compliance for Healthcare Professionals
Social Media Compliance for Healthcare ProfessionalsSocial Media Compliance for Healthcare Professionals
Social Media Compliance for Healthcare Professionalsdata brackets
 
HIPAA HiTech Security Assessment
HIPAA HiTech Security AssessmentHIPAA HiTech Security Assessment
HIPAA HiTech Security Assessmentdata brackets
 

More from data brackets (14)

Prepayment Audit Suggested Documentation
Prepayment Audit Suggested DocumentationPrepayment Audit Suggested Documentation
Prepayment Audit Suggested Documentation
 
Lincare HIPAA remediated decision by administrative judge
Lincare HIPAA remediated decision by administrative judgeLincare HIPAA remediated decision by administrative judge
Lincare HIPAA remediated decision by administrative judge
 
Lincare HIPAA Notice of Proposed Determination remediated
Lincare HIPAA Notice of Proposed Determination remediatedLincare HIPAA Notice of Proposed Determination remediated
Lincare HIPAA Notice of Proposed Determination remediated
 
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and ...
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and ...Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and ...
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and ...
 
Office of Inspector General Study on OCR's HIPAA audit program
Office of Inspector General Study on OCR's HIPAA audit programOffice of Inspector General Study on OCR's HIPAA audit program
Office of Inspector General Study on OCR's HIPAA audit program
 
EHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentEHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample document
 
OCR HHS HIPAA HITECH Audit Advisory Template
OCR HHS HIPAA HITECH Audit Advisory TemplateOCR HHS HIPAA HITECH Audit Advisory Template
OCR HHS HIPAA HITECH Audit Advisory Template
 
HIPAA HITECH Compliance Assurance Template
HIPAA HITECH Compliance Assurance TemplateHIPAA HITECH Compliance Assurance Template
HIPAA HITECH Compliance Assurance Template
 
Trends and Career Opportunities in Health IT
Trends and Career Opportunities in Health ITTrends and Career Opportunities in Health IT
Trends and Career Opportunities in Health IT
 
Massachusetts Eye and Ear Infirmary HIPAA Violation
Massachusetts Eye and Ear Infirmary HIPAA  ViolationMassachusetts Eye and Ear Infirmary HIPAA  Violation
Massachusetts Eye and Ear Infirmary HIPAA Violation
 
Mobile devices and applications in healthcare: Security and Compliance Risks
Mobile devices and applications in healthcare: Security and Compliance RisksMobile devices and applications in healthcare: Security and Compliance Risks
Mobile devices and applications in healthcare: Security and Compliance Risks
 
Business Associate Assurance: What Covered Entities Need to Know
Business Associate Assurance: What Covered Entities Need to KnowBusiness Associate Assurance: What Covered Entities Need to Know
Business Associate Assurance: What Covered Entities Need to Know
 
Social Media Compliance for Healthcare Professionals
Social Media Compliance for Healthcare ProfessionalsSocial Media Compliance for Healthcare Professionals
Social Media Compliance for Healthcare Professionals
 
HIPAA HiTech Security Assessment
HIPAA HiTech Security AssessmentHIPAA HiTech Security Assessment
HIPAA HiTech Security Assessment
 

Recently uploaded

Bangalore call girl 👯‍♀️@ Simran Independent Call Girls in Bangalore GIUXUZ...
Bangalore call girl  👯‍♀️@ Simran Independent Call Girls in Bangalore  GIUXUZ...Bangalore call girl  👯‍♀️@ Simran Independent Call Girls in Bangalore  GIUXUZ...
Bangalore call girl 👯‍♀️@ Simran Independent Call Girls in Bangalore GIUXUZ...Gfnyt
 
VIP Call Girls Sector 67 Gurgaon Just Call Me 9711199012
VIP Call Girls Sector 67 Gurgaon Just Call Me 9711199012VIP Call Girls Sector 67 Gurgaon Just Call Me 9711199012
VIP Call Girls Sector 67 Gurgaon Just Call Me 9711199012Call Girls Service Gurgaon
 
Udaipur Call Girls 📲 9999965857 Call Girl in Udaipur
Udaipur Call Girls 📲 9999965857 Call Girl in UdaipurUdaipur Call Girls 📲 9999965857 Call Girl in Udaipur
Udaipur Call Girls 📲 9999965857 Call Girl in Udaipurseemahedar019
 
Dehradun Call Girls Service ❤️🍑 8854095900 👄🫦Independent Escort Service Dehradun
Dehradun Call Girls Service ❤️🍑 8854095900 👄🫦Independent Escort Service DehradunDehradun Call Girls Service ❤️🍑 8854095900 👄🫦Independent Escort Service Dehradun
Dehradun Call Girls Service ❤️🍑 8854095900 👄🫦Independent Escort Service DehradunNiamh verma
 
Hot Call Girl In Chandigarh 👅🥵 9053'900678 Call Girls Service In Chandigarh
Hot  Call Girl In Chandigarh 👅🥵 9053'900678 Call Girls Service In ChandigarhHot  Call Girl In Chandigarh 👅🥵 9053'900678 Call Girls Service In Chandigarh
Hot Call Girl In Chandigarh 👅🥵 9053'900678 Call Girls Service In ChandigarhVip call girls In Chandigarh
 
(Sonam Bajaj) Call Girl in Jaipur- 09257276172 Escorts Service 50% Off with C...
(Sonam Bajaj) Call Girl in Jaipur- 09257276172 Escorts Service 50% Off with C...(Sonam Bajaj) Call Girl in Jaipur- 09257276172 Escorts Service 50% Off with C...
(Sonam Bajaj) Call Girl in Jaipur- 09257276172 Escorts Service 50% Off with C...indiancallgirl4rent
 
Call Girl In Zirakpur ❤️♀️@ 9988299661 Zirakpur Call Girls Near Me ❤️♀️@ Sexy...
Call Girl In Zirakpur ❤️♀️@ 9988299661 Zirakpur Call Girls Near Me ❤️♀️@ Sexy...Call Girl In Zirakpur ❤️♀️@ 9988299661 Zirakpur Call Girls Near Me ❤️♀️@ Sexy...
Call Girl In Zirakpur ❤️♀️@ 9988299661 Zirakpur Call Girls Near Me ❤️♀️@ Sexy...Sheetaleventcompany
 
💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋Sheetaleventcompany
 
Nepali Escort Girl * 9999965857 Naughty Call Girls Service in Faridabad
Nepali Escort Girl * 9999965857 Naughty Call Girls Service in FaridabadNepali Escort Girl * 9999965857 Naughty Call Girls Service in Faridabad
Nepali Escort Girl * 9999965857 Naughty Call Girls Service in Faridabadgragteena
 
Call Girls Hyderabad Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Hyderabad Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Hyderabad Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Hyderabad Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...
pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...
pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...Call Girls Noida
 
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591adityaroy0215
 
Call Girls Thane Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Thane Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Thane Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Thane Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
Call Now ☎ 9999965857 !! Call Girls in Hauz Khas Escort Service Delhi N.C.R.
Call Now ☎ 9999965857 !! Call Girls in Hauz Khas Escort Service Delhi N.C.R.Call Now ☎ 9999965857 !! Call Girls in Hauz Khas Escort Service Delhi N.C.R.
Call Now ☎ 9999965857 !! Call Girls in Hauz Khas Escort Service Delhi N.C.R.ktanvi103
 
Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Book me...
Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Book me...Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Book me...
Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Book me...gragteena
 
Call Girls Chandigarh 👙 7001035870 👙 Genuine WhatsApp Number for Real Meet
Call Girls Chandigarh 👙 7001035870 👙 Genuine WhatsApp Number for Real MeetCall Girls Chandigarh 👙 7001035870 👙 Genuine WhatsApp Number for Real Meet
Call Girls Chandigarh 👙 7001035870 👙 Genuine WhatsApp Number for Real Meetpriyashah722354
 
Krishnagiri call girls Tamil aunty 7877702510
Krishnagiri call girls Tamil aunty 7877702510Krishnagiri call girls Tamil aunty 7877702510
Krishnagiri call girls Tamil aunty 7877702510Vipesco
 
💚😋Mumbai Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Mumbai Escort Service Call Girls, ₹5000 To 25K With AC💚😋💚😋Mumbai Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Mumbai Escort Service Call Girls, ₹5000 To 25K With AC💚😋Sheetaleventcompany
 
Vip Kolkata Call Girls Cossipore 👉 8250192130 ❣️💯 Available With Room 24×7
Vip Kolkata Call Girls Cossipore 👉 8250192130 ❣️💯 Available With Room 24×7Vip Kolkata Call Girls Cossipore 👉 8250192130 ❣️💯 Available With Room 24×7
Vip Kolkata Call Girls Cossipore 👉 8250192130 ❣️💯 Available With Room 24×7Miss joya
 

Recently uploaded (20)

Bangalore call girl 👯‍♀️@ Simran Independent Call Girls in Bangalore GIUXUZ...
Bangalore call girl  👯‍♀️@ Simran Independent Call Girls in Bangalore  GIUXUZ...Bangalore call girl  👯‍♀️@ Simran Independent Call Girls in Bangalore  GIUXUZ...
Bangalore call girl 👯‍♀️@ Simran Independent Call Girls in Bangalore GIUXUZ...
 
VIP Call Girls Sector 67 Gurgaon Just Call Me 9711199012
VIP Call Girls Sector 67 Gurgaon Just Call Me 9711199012VIP Call Girls Sector 67 Gurgaon Just Call Me 9711199012
VIP Call Girls Sector 67 Gurgaon Just Call Me 9711199012
 
Udaipur Call Girls 📲 9999965857 Call Girl in Udaipur
Udaipur Call Girls 📲 9999965857 Call Girl in UdaipurUdaipur Call Girls 📲 9999965857 Call Girl in Udaipur
Udaipur Call Girls 📲 9999965857 Call Girl in Udaipur
 
Dehradun Call Girls Service ❤️🍑 8854095900 👄🫦Independent Escort Service Dehradun
Dehradun Call Girls Service ❤️🍑 8854095900 👄🫦Independent Escort Service DehradunDehradun Call Girls Service ❤️🍑 8854095900 👄🫦Independent Escort Service Dehradun
Dehradun Call Girls Service ❤️🍑 8854095900 👄🫦Independent Escort Service Dehradun
 
Hot Call Girl In Chandigarh 👅🥵 9053'900678 Call Girls Service In Chandigarh
Hot  Call Girl In Chandigarh 👅🥵 9053'900678 Call Girls Service In ChandigarhHot  Call Girl In Chandigarh 👅🥵 9053'900678 Call Girls Service In Chandigarh
Hot Call Girl In Chandigarh 👅🥵 9053'900678 Call Girls Service In Chandigarh
 
(Sonam Bajaj) Call Girl in Jaipur- 09257276172 Escorts Service 50% Off with C...
(Sonam Bajaj) Call Girl in Jaipur- 09257276172 Escorts Service 50% Off with C...(Sonam Bajaj) Call Girl in Jaipur- 09257276172 Escorts Service 50% Off with C...
(Sonam Bajaj) Call Girl in Jaipur- 09257276172 Escorts Service 50% Off with C...
 
Call Girl In Zirakpur ❤️♀️@ 9988299661 Zirakpur Call Girls Near Me ❤️♀️@ Sexy...
Call Girl In Zirakpur ❤️♀️@ 9988299661 Zirakpur Call Girls Near Me ❤️♀️@ Sexy...Call Girl In Zirakpur ❤️♀️@ 9988299661 Zirakpur Call Girls Near Me ❤️♀️@ Sexy...
Call Girl In Zirakpur ❤️♀️@ 9988299661 Zirakpur Call Girls Near Me ❤️♀️@ Sexy...
 
💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋
 
Nepali Escort Girl * 9999965857 Naughty Call Girls Service in Faridabad
Nepali Escort Girl * 9999965857 Naughty Call Girls Service in FaridabadNepali Escort Girl * 9999965857 Naughty Call Girls Service in Faridabad
Nepali Escort Girl * 9999965857 Naughty Call Girls Service in Faridabad
 
Call Girls Hyderabad Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Hyderabad Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Hyderabad Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Hyderabad Just Call 9907093804 Top Class Call Girl Service Available
 
pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...
pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...
pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...
 
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
 
Call Girls Thane Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Thane Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Thane Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Thane Just Call 9907093804 Top Class Call Girl Service Available
 
Call Now ☎ 9999965857 !! Call Girls in Hauz Khas Escort Service Delhi N.C.R.
Call Now ☎ 9999965857 !! Call Girls in Hauz Khas Escort Service Delhi N.C.R.Call Now ☎ 9999965857 !! Call Girls in Hauz Khas Escort Service Delhi N.C.R.
Call Now ☎ 9999965857 !! Call Girls in Hauz Khas Escort Service Delhi N.C.R.
 
Model Call Girl in Subhash Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Subhash Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Subhash Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Subhash Nagar Delhi reach out to us at 🔝9953056974🔝
 
Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Book me...
Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Book me...Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Book me...
Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Book me...
 
Call Girls Chandigarh 👙 7001035870 👙 Genuine WhatsApp Number for Real Meet
Call Girls Chandigarh 👙 7001035870 👙 Genuine WhatsApp Number for Real MeetCall Girls Chandigarh 👙 7001035870 👙 Genuine WhatsApp Number for Real Meet
Call Girls Chandigarh 👙 7001035870 👙 Genuine WhatsApp Number for Real Meet
 
Krishnagiri call girls Tamil aunty 7877702510
Krishnagiri call girls Tamil aunty 7877702510Krishnagiri call girls Tamil aunty 7877702510
Krishnagiri call girls Tamil aunty 7877702510
 
💚😋Mumbai Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Mumbai Escort Service Call Girls, ₹5000 To 25K With AC💚😋💚😋Mumbai Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Mumbai Escort Service Call Girls, ₹5000 To 25K With AC💚😋
 
Vip Kolkata Call Girls Cossipore 👉 8250192130 ❣️💯 Available With Room 24×7
Vip Kolkata Call Girls Cossipore 👉 8250192130 ❣️💯 Available With Room 24×7Vip Kolkata Call Girls Cossipore 👉 8250192130 ❣️💯 Available With Room 24×7
Vip Kolkata Call Girls Cossipore 👉 8250192130 ❣️💯 Available With Room 24×7
 

HIPAA Violation Fines: North Memorial Hospital Settlement

  • 1. RESOLUTION AGREEMENT I. Recitals 1. Parties. The Parties to this Resolution Agreement (“Agreement”) are: A. The United States Department of Health and Human Services, Office for Civil Rights (“HHS”), which enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the Federal standards for notification in the case of breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”). HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates, and covered entities and business associates must cooperate with HHS compliance reviews and investigations. See 45 C.F.R. §§ 160.306(c), 160.308, and 160.310(b). B. North Memorial Health Care (“North Memorial”), which is a covered entity, as defined at 45 C.F.R. § 160.103, and therefore is required to comply with the HIPAA Rules. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities north, central, and west communities. HHS and North Memorial shall together be referred to herein as the “Parties.” 2. Factual Background and Covered Conduct. 
On September 27, 2011, North Memorial reported to the HHS Office for Civil Rights that, on July 25, 2011, an unencrypted laptop that contained the electronic protected health information of approximately 2,800 individuals (later amended to include an additional 6,697 individuals) who received care from North Memorial was stolen from an Accretive Health (“Accretive”) workforce member’s locked vehicle. In its report, North Memorial noted that Accretive was its business associate. HHS’ investigation indicated that the following conduct appears to have occurred (“Covered Conduct”): A. North Memorial provided Accretive, a business associate, with access to North Memorial’s protected health information (PHI) without obtaining satisfactory assurances from Accretive, in the form of a written business associate agreement, that Accretive would appropriately safeguard the PHI. North Memorial began providing Accretive with access to North Memorial’s PHI on March 21, 2011, and did not enter into a written business associate agreement with Accretive until October 14, 2011. See 45 C.F.R. § 164.308(b) and 45 C.F.R § 164.502(e). B. From March 21, 2011 to October 14, 2011, North Memorial impermissibly disclosed the PHI of at least 289,904 individuals to Accretive when North Memorial provided Accretive with access to PHI without obtaining Accretive’s
  • 2. 2 satisfactory assurances, in the form of a written business associate agreement, that Accretive would appropriately safeguard the PHI. See 45 C.F.R. § 164.502(a). C. North Memorial failed to conduct an accurate and thorough risk analysis that incorporated all of North Memorial’s information technology equipment, applications, and data systems using electronic PHI. See 45 C.F.R. § 164.308(a)(1)(ii)(A). 3. No Admission. This Agreement is not an admission of liability by North Memorial. 4. No Concession. This Agreement is not a concession by HHS that North Memorial is not in violation of the HIPAA Rules and that North Memorial is not liable for civil money penalties. 5. Intention of Parties to Effect Resolution. This Agreement is intended to resolve HHS Transaction No. 13-150938 and any violations of the HIPAA Rules for the Covered Conduct specified in paragraph I.2 of this Agreement. In consideration of the Parties’ interest in avoiding the uncertainty, burden and expense of further investigation and formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below. II. Terms and Conditions 6. Payment. North Memorial agrees to pay HHS the amount of $1,550,000 (“Resolution Amount”). North Memorial agrees to pay the Resolution Amount on the Effective Date of this Agreement as defined in paragraph II.14 by automated clearing house transaction pursuant to written instructions to be provided by HHS. 7. Corrective Action Plan. North Memorial has entered into and agrees to comply with the Corrective Action Plan (CAP), attached as Appendix A, which is incorporated into this Agreement by reference. If North Memorial breaches the CAP, and fails to cure the breach as set forth in the CAP, then North Memorial will be in breach of this Agreement, and HHS will not be subject to the release set forth in paragraph II.8 of this Agreement. 8. Release by HHS. 
In consideration of and conditioned upon North Memorial’s performance of its obligations under this Agreement, HHS releases North Memorial from any actions it may have against North Memorial under the HIPAA Rules for the Covered Conduct specified in paragraph I.2 of this Agreement. HHS does not release North Memorial from, nor waive any rights, obligations, or causes of action other than those for the Covered Conduct and referred to in this paragraph. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
  • 3. 3 9. Agreement by Released Party. North Memorial shall not contest the validity of its obligation to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. North Memorial waives all procedural rights granted under section 1128A of the Social Security Act (42 U.S.C. § 1320a-7a), 45 C.F.R. Part 160, Subpart E, and HHS Claims Collection provisions, 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount. 10. Binding on Successors. This Agreement is binding on North Memorial and its successors, heirs, transferees, and assigns. 11. Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement. 12. No Additional Releases. This Agreement is intended to be for the benefit of the Parties only, and by this instrument the Parties do not release any claims against any other person or entity. 13. Effect of Agreement. This Agreement constitutes the complete agreement between the Parties. All material representations, understandings, and promises of the Parties are contained in this Agreement. Any modifications to this Agreement must be in writing and signed by both Parties. 14. Execution of Agreement and Effective Date. The Agreement shall become effective (i.e., final and binding) on the date of signing of this Agreement and the CAP by the last signatory (“Effective Date”). 15. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a civil money penalty (“CMP”) must be imposed within six (6) years from the date of the occurrence of the violation. 
To ensure that this six-year period does not expire during the term of this Agreement, North Memorial agrees that the time between the Effective Date of this Agreement and the date this Agreement may be terminated by reason of North Memorial’s breach, plus one year thereafter, will not be included in calculating the six (6) year statute of limitations applicable to the violations which are the subject of this Agreement. North Memorial waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the Covered Conduct identified in paragraph I.2 that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Agreement. 16. Disclosure. HHS places no restriction on the publication of the Agreement. In addition, HHS may be required to disclose this Agreement and related material to any person upon request consistent with the applicable provisions of the Freedom of Information Act, 5 U.S.C. § 552, and its implementing regulations, 45 C.F.R. Part 5. 17. Execution in Counterparts. This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement.
  • 4. 18. Authorizations. The individual(s) signing this Agreement on behalf of North Memorial represent and warrant that they are authorized by North Memorial to execute this Agreement. The individual(s) signing this Agreement on behalf of HHS represent and warrant that they are signing this Agreement in their official capacities and that they are authorized to execute this Agreement.
    For North Memorial Health Care
    /s/ J. Kevin Croston, M.D.
    Chief Executive Officer
    North Memorial Health Care
    Date
    For the United States Department of Health and Human Services
    /s/ Celeste H. Davis
    Regional Manager
    Office for Civil Rights, Midwest Region
    Date
  • 5. Appendix A
    CORRECTIVE ACTION PLAN BETWEEN THE DEPARTMENT OF HEALTH AND HUMAN SERVICES, OFFICE FOR CIVIL RIGHTS AND NORTH MEMORIAL HEALTH CARE
    I. Preamble
    North Memorial Health Care (“North Memorial”) hereby enters into this Corrective Action Plan (“CAP”) with the United States Department of Health and Human Services, Office for Civil Rights (“HHS” or “OCR”). Contemporaneously with this CAP, North Memorial is entering into a Resolution Agreement (“Agreement”) with HHS, and this CAP is incorporated by reference into the Agreement as Appendix A. North Memorial enters into this CAP as part of the consideration for the release in paragraph II.8 of the Agreement.
    II. Contact Persons and Submissions
    A. Contact Persons
    North Memorial has identified the following individual as its authorized representative and contact person regarding the implementation of this CAP and for receipt and submission of notifications and reports:
    Deb Contreras, RHIA
    Director, Health Information Management
    Privacy Officer
    North Memorial Health Care
    3300 Oakdale Ave N
    Robbinsdale, MN 55422
    Phone: 763-581-4437
    Deb.Contreras@NorthMemorial.com
    HHS has identified the following individual as its contact person with whom North Memorial is to report information regarding the implementation of this CAP:
    Celeste H. Davis
    Regional Manager
    Office for Civil Rights, Midwest Region
    U.S. Department of Health and Human Services
    233 N. Michigan Avenue; Suite 240
    Chicago, Illinois 60601
  • 6. Celeste.Davis@hhs.gov
    Telephone: 312-353-8101
    Facsimile: 312-886-1807
    North Memorial and HHS agree to promptly notify each other of any changes in the contact persons or the other information provided above.
    B. Proof of Submissions
    Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including certified mail, overnight mail, or hand delivery, provided that there is proof that such notification was received. For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt.
    III. Effective Date and Term of CAP
    The Effective Date for this CAP shall be calculated in accordance with paragraph 14 of the Agreement (“Effective Date”). The period for compliance (“Compliance Term”) with the obligations assumed by North Memorial under this CAP shall begin on the Effective Date of this CAP and end two (2) years from the date HHS approves the last of the policies and procedures, risk analysis, and risk management plan required under section V of this CAP, unless HHS has notified North Memorial under section VIII hereof of its determination that North Memorial has breached this CAP. In the event of such a notification by HHS under section VIII hereof, the Compliance Term shall not end until HHS notifies North Memorial that it has determined that the breach has been cured. After the Compliance Term ends, North Memorial shall still be obligated to submit the final Annual Report as required by section VI and comply with the document retention requirement in section VII of this CAP.
    IV. Time
    In computing any period of time prescribed or allowed by this CAP, all days referred to shall be calendar days. The day of the act, event, or default from which the designated period of time begins to run shall not be included. The last day of the period so computed shall be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day that is not one of the aforementioned days.
    V. Corrective Action Obligations
    North Memorial agrees to the following:
    A. Develop Policies and Procedures Related to Business Associate Relationships
    1. North Memorial shall develop policies and procedures that: (a) designate one or more individual(s) who are responsible for ensuring that North Memorial enters into a business associate agreement with each of its business associates, as defined by the HIPAA Rules, prior to North Memorial disclosing protected health information (PHI) to the business associate; (b) create a process for assessing North Memorial’s current and
  • 7. future business relationships to determine whether each relationship is with a business associate, as defined by the HIPAA Rules, and requires North Memorial to enter into a business associate agreement; (c) create a process for negotiating and entering into business associate agreements with business associates prior to disclosing PHI to the business associates; (d) create a process for maintaining documentation of a business associate agreement for at least six (6) years beyond the date of when the business associate relationship is terminated; and (e) limit disclosures of PHI to business associates to the minimum necessary amount of PHI that is reasonably necessary for business associates to perform their duties.
    2. Within ninety (90) calendar days of the Effective Date, North Memorial shall forward the policies and procedures required by section V.A.1 of this CAP to HHS for HHS’ review and approval. HHS will inform North Memorial in writing as to whether HHS approves or disapproves of the proposed policies and procedures within a reasonable time. If HHS disapproves of them, HHS shall provide North Memorial with comments and required revisions within a reasonable time. Upon receiving any required revisions to such policies and procedures from HHS, North Memorial shall have sixty (60) calendar days in which to revise the policies and procedures accordingly, and then submit the revised policies and procedures to HHS for review and approval. This process shall continue until HHS approves the policies and procedures.
    3. Within sixty (60) calendar days of HHS’ approval of the policies and procedures required by section V.A.1 of this CAP, North Memorial shall finalize and officially adopt the policies and procedures, in accordance with its applicable administrative procedures.
    B. Modify Existing Risk Analysis Process
    1. Within one hundred eighty (180) calendar days of the Effective Date, North Memorial shall complete an updated, comprehensive, and thorough risk analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, and applications controlled, administered, or owned by North Memorial, its workforce members, and affiliated staff that contains, stores, transmits, or receives electronic PHI (ePHI). North Memorial shall develop a complete inventory of all electronic equipment, data systems, and applications that contain or store ePHI, which will be incorporated in its risk analysis. The risk analysis shall be forwarded to HHS for its review and approval consistent with section V.C.2 of this CAP.
    C. Develop and Implement a Risk Management Plan
    1. North Memorial shall develop an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in
  • 8. the risk analysis and, if necessary, revise its policies and procedures accordingly. The risk management plan and any revised policies and procedures shall be forwarded to HHS for its review and approval consistent with section V.C.2 of this CAP.
    2. Within ninety (90) calendar days of the completion of the risk analysis required by section V.B.1 of this CAP, North Memorial shall forward the risk analysis and the risk management plan and any revised policies and procedures required by section V.C.1 of this CAP to HHS for its review and approval. HHS will inform North Memorial in writing as to whether HHS approves or disapproves of the proposed risk analysis, risk management plan, or any policies and procedures within a reasonable time. If HHS disapproves of them, HHS shall provide North Memorial with comments and required revisions within a reasonable time. Upon receiving any required revisions to the risk analysis, risk management plan, or any policies and procedures from HHS, North Memorial shall have sixty (60) calendar days in which to revise the documents, and then submit the revised documents to HHS for review and approval. This process shall continue until HHS approves the risk analysis, risk management plan, and any policies and procedures.
    3. Within sixty (60) calendar days of HHS’ approval of the risk management plan and any revised policies and procedures required by section V.C.1 of this CAP, North Memorial shall finalize and officially adopt the risk management plan and any revised policies and procedures, in accordance with its applicable administrative procedures. North Memorial shall immediately thereafter begin implementation of the risk management plan and shall distribute the plan and any revised policies and procedures to all workforce members who are involved in the plan’s implementation.
    D. Training
    1. Within sixty (60) days of HHS’ approval of the policies and procedures required by section V.A.1 of this CAP regarding business associates, North Memorial shall forward its proposed training materials on the policies and procedures to HHS for its review and approval.
    2. Within thirty (30) days of HHS’ approval of any revised policies and procedures required by section V.C.1 of this CAP regarding risk management, North Memorial shall forward its proposed training materials on the revised policies and procedures to HHS for its review and approval.
    3. HHS will inform North Memorial in writing as to whether HHS approves or disapproves of the proposed training materials within a reasonable time. If HHS disapproves of them, HHS shall provide North Memorial with
  • 9. comments and required revisions within a reasonable time. Upon receiving any required revisions to the training materials from HHS, North Memorial shall have sixty (60) calendar days in which to revise the training materials, and then submit the revised training materials to HHS for review and approval.
    4. Within ninety (90) days of HHS’ approval of the training materials, North Memorial shall provide training to all appropriate workforce members, in accordance with North Memorial’s applicable administrative procedures for training.
    5. After providing the training required by section V.D.4 of this CAP, North Memorial shall provide annual retraining on the training materials OCR approved under this CAP to all appropriate workforce members for the duration of the Compliance Term of this CAP.
    6. Each workforce member who is required to receive training shall certify, in electronic or written form, that he or she received the training. The training certification shall specify the date on which the training was received. All training materials shall be retained in compliance with section VII of this CAP.
    VI. Reportable Events and Annual Reports
    A. Reportable Events
    1. During the Compliance Term, North Memorial shall, upon receiving information that a workforce member may have failed to comply with any provision of the policies and procedures required by section V.A.1 or section V.C.1 of this CAP, promptly investigate the matter. If North Memorial determines that a workforce member has violated the policies and procedures required by section V.A.1 or section V.C.1 of this CAP, North Memorial shall notify HHS in writing within thirty (30) days. Such violations shall be known as “Reportable Events.” The report to HHS shall include the following:
    a. A complete description of the event, including relevant facts, the persons involved, and the implicated provision(s) of North Memorial’s policies and procedures; and
    b. A description of actions taken and any further steps North Memorial plans to take to address the matter, to mitigate the harm, and to prevent it from recurring, including the application of appropriate sanctions against workforce members who failed to comply with its policies and procedures.
  • 10. 2. If no Reportable Events occur during any one Reporting Period, as defined in section VI.B.1 of this CAP, North Memorial shall so inform HHS in its Annual Report for that Reporting Period.
    B. Annual Reports
    1. The one-year period after HHS’ last approval of the policies and procedures, risk analysis, and risk management plan required under section V of this CAP, and each subsequent one-year period during the Compliance Term, as defined in section III of this CAP, shall each be known as a “Reporting Period.” North Memorial shall submit to HHS a report with respect to the status of and findings regarding North Memorial’s compliance with this CAP for each Reporting Period (“Annual Report”). North Memorial shall submit each Annual Report to HHS no later than thirty (30) days after the end of each corresponding Reporting Period. Each Annual Report shall include:
    a. An attestation signed by an officer of North Memorial attesting that the policies and procedures and risk management plan required by section V of this CAP: (a) have been adopted; (b) are being implemented; and (c) have been distributed to all appropriate workforce members;
    b. A copy of all training materials used for the training required by section V of this CAP, a description of the training, including a summary of the topics covered, the length of the training session(s) conducted and a schedule of when the training session(s) were held;
    c. A summary of Reportable Events (defined in section VI.A.1 of this CAP) identified during the Reporting Period and the status of any corrective or preventative action(s) taken by North Memorial relating to each Reportable Event;
    d. An attestation signed by an officer of North Memorial attesting that it has obtained and is maintaining written or electronic certifications from all workforce members that are required to receive training that they received the requisite training pursuant to the requirements set forth in this CAP;
    e. An attestation signed by an officer of North Memorial listing all of North Memorial’s locations, the name under which each location is doing business, the corresponding mailing address, phone number and fax number for each location, and attesting that each location has complied with the obligations of this CAP; and
    f. An attestation signed by an officer of North Memorial stating that he or she has reviewed the Annual Report, has made a reasonable
  • 11. inquiry regarding its content, and believes that, upon such inquiry, the information is accurate and truthful.
    VII. Document Retention
    North Memorial shall maintain for inspection and copying, and shall provide to OCR upon request, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date.
    VIII. Requests for Extensions and Breach Provisions
    North Memorial is expected to fully and timely comply with all provisions contained in this CAP.
    A. Timely Written Requests for Extensions. North Memorial may, in advance of any due date in this CAP, submit a timely written request for an extension of time to perform any act or file any notification or report required by this CAP. A “timely written request” is defined as a request in writing received by HHS at least five (5) business days prior to the date by which any act is due to be performed.
    B. Notice of Breach and Intent to Impose CMP. The Parties agree that a breach of this CAP by North Memorial constitutes a breach of the Agreement. Upon a determination by HHS that North Memorial has breached this CAP, HHS may notify North Memorial of: (1) North Memorial’s breach and (2) HHS’ intent to impose a civil monetary penalty (CMP), pursuant to 45 C.F.R. Part 160, for the Covered Conduct in paragraph I.2 of the Agreement and for any other conduct that constitutes a violation of the HIPAA Rules (“Notice of Breach and Intent to Impose CMP”).
    C. North Memorial’s Response. North Memorial shall have thirty (30) days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS’ satisfaction that:
    1. North Memorial is in compliance with the obligations of this CAP that HHS cited as the basis for the breach;
    2. The alleged breach has been cured; or
    3. The alleged breach cannot be cured within the 30-day period, but that: (a) North Memorial has begun to take action to cure the breach; (b) North Memorial is pursuing such action with due diligence; and (c) North Memorial has provided to HHS a reasonable timetable for curing the breach.
    D. Imposition of CMP. If at the conclusion of the 30-day period, North Memorial fails to meet the requirements of section VIII.C of this CAP to HHS’ satisfaction, HHS may proceed with the imposition of a CMP against North Memorial pursuant to 45 C.F.R. Part 160 for any violations of the HIPAA Rules related to the Covered Conduct in paragraph I.2 of the Agreement and for any other act or failure to act that constitutes a violation of the HIPAA Rules.
  • 12. HHS shall notify North Memorial in writing of its determination to proceed with the imposition of a CMP.
    For North Memorial Health Care
    /s/ J. Kevin Croston, M.D.
    Chief Executive Officer
    North Memorial Health Care
    Date
    For the United States Department of Health and Human Services
    /s/ Celeste H. Davis
    Regional Manager
    Office for Civil Rights, Midwest Region
    Date