Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively referred to as “MEEI”) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle potential violations of the HIPAA Privacy and Security Rules. MEEI has also agreed to take corrective action to improve its policies and procedures for safeguarding the privacy and security of its patients’ protected health information, and to retain an independent monitor who will report on MEEI’s compliance efforts. OCR’s investigation followed a breach report submitted by MEEI, as required by the HIPAA Breach Notification Rule, reporting the theft of an unencrypted personal laptop containing the electronic protected health information (ePHI) of MEEI patients and research subjects. The information contained on the laptop included patient prescriptions and clinical information. OCR’s investigation indicated that while MEEI’s management was aware of the Security Rule, MEEI failed to take the steps necessary to comply with the Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting, and response.
The document summarizes new rules issued by the Department of Health and Human Services regarding breach notification requirements under HIPAA. Key points include:
1) The rules apply to unsecured protected health information and require covered entities like health plans and their business associates to provide notification if unsecured PHI is improperly used or disclosed.
2) Encryption and destruction are specified as methods to secure PHI to avoid a breach.
3) A breach is defined as an unauthorized disclosure of unsecured PHI that poses a significant risk of financial or reputational harm. Covered entities must assess risks to determine if a breach occurred.
Cyber Crime & Law by Neeraj Aarora - Advocate-on-Record, Supreme Court, CISSP, ... (OWASP Delhi)
The document discusses various cybercrimes and provisions of the Information Technology Act, 2000. It summarizes DDoS attacks on Estonian websites using botnets, and sections 43, 66, and 72A which define cybercrimes and penalties for unauthorized access, identity theft, and disclosure of personal information by intermediaries. It also discusses sections 43A, 69A, and 79 regarding liability of body corporates for data breaches, government powers to block access to information, and liability of internet service providers.
Fraud in government-funded programs can occur anywhere: Medicare fraud, defense contracting fraud, GSA Schedules and other types of government contracting fraud. When an individual sues on behalf of the United States to recover fraudulently obtained funds, this is known as qui tam whistleblower litigation.
HIPAA breach report submitted to Congress by DHHS OCR (David Sweigert)
This document is the annual report to Congress on breaches of unsecured protected health information for calendar years 2011 and 2012, as required by the HITECH Act. It provides an introduction and background on breach notification requirements, defines what constitutes a breach, outlines the notification process, and summarizes breach reports received by HHS during the reporting period. Key details include that HHS received 236 breach reports affecting over 11 million individuals in 2011, and 222 reports affecting over 3 million individuals in 2012. The most common causes of breaches were theft, loss, and unauthorized access/disclosure of protected health information.
The document summarizes two anti-terrorism laws passed in India: the Terrorist and Disruptive Activities (Prevention) Act (TADA) of 1985-1995, and the Prevention of Terrorism Act (POTA) of 2002. TADA defined terrorist activities and allowed detention without charges for up to one year, but was criticized for human rights violations and abuse. POTA strengthened anti-terrorism operations but was also allegedly abused to target political opponents. Both acts faced allegations of misuse and were ultimately repealed.
Philippine Data Privacy Law is in Republic Act No. 10173, otherwise known as the " Data Privacy Act of 2012".
In summary:
1) Processing of personal information is allowed – so long as it complies with the law.
2) As much as possible, consent should be obtained from the Data Subject for the processing of personal information.
3) The confidentiality, integrity, and availability of the personal information should be ensured.
4) Processing of sensitive personal information and privileged information is prohibited, except in the cases the Act specifies.
5) Philippine Data Privacy Law has extraterritorial application and thus violations may be penalized even if done outside the Philippines.
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
This resolution agreement resolves a complaint against Hospice of North Idaho (HONI) regarding violations of HIPAA privacy and security rules. Key points:
1) HONI agrees to pay HHS $50,000 for covered conduct including failure to conduct risk analyses of electronic PHI and implement security measures for portable devices.
2) HONI agrees to a corrective action plan to comply with HIPAA privacy and security rules for 2 years, including reporting any additional incidents of non-compliance.
3) In exchange, HHS agrees not to impose penalties for the covered conduct if HONI complies with the resolution agreement and corrective action plan. Breach of
The resolution agreement is between the Department of Health and Human Services (HHS) and Anchorage Community Mental Health Services (ACMHS) to resolve HHS's investigation into a data breach at ACMHS that affected over 2,700 individuals. Under the agreement, ACMHS agrees to pay HHS $150,000 and comply with a Corrective Action Plan to address security deficiencies. The agreement resolves alleged violations of HIPAA Privacy, Security, and Breach Notification rules but does not admit liability by ACMHS.
Adult & Pediatric Dermatology, P.C., of Concord, Mass., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules with the Department of Health and Human Services, agreeing to a $150,000 payment. The practice will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program. Adult and Pediatric Dermatology is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).
The HHS Office for Civil Rights (OCR) opened an investigation of Adult and Pediatric Dermatology upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one its staff members. The thumb drive was never recovered. The investigation revealed that Adult and Pediatric Dermatology had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, Adult and Pediatric Dermatology did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.
In addition to a $150,000 resolution amount, the settlement includes a corrective action plan requiring Adult and Pediatric Dermatology to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.
Tip to providers: almost all of the HIPAA/HITECH violations identified in the last few years are due to an insufficient security risk analysis by the provider or business associate.
OCR received a breach notice in February 2012 from QCA Health Plan, Inc. of Arkansas reporting that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from a workforce member’s car. While QCA encrypted their devices following discovery of the breach, OCR’s investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012. QCA agreed to a $250,000 monetary settlement and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its ePHI. QCA is also required to retrain its workforce and document its ongoing compliance efforts.
Oregon Health & Science University HIPAA Fines (data brackets)
This resolution agreement is between the US Department of Health and Human Services (HHS) and Oregon Health & Science University (OHSU) to resolve HHS investigations of two data breaches at OHSU involving unsecured protected health information. OHSU agrees to pay HHS $2.7 million and comply with the terms of a corrective action plan, which requires OHSU to conduct a risk analysis, develop a risk management plan, implement encryption of mobile and network connected devices, and provide status updates to HHS. The agreement resolves alleged violations of HIPAA privacy and security rules related to the data breaches and ensures OHSU's ongoing compliance during a three year term.
HIPAA Security Rule consent agreement with OCR (David Sweigert)
This resolution agreement resolves a breach of protected health information involving Care New England Health System and its covered entities. It requires Care New England to pay $400,000, comply with a corrective action plan, and revise its privacy and security policies and procedures. The corrective action plan mandates training for staff, updating business associate agreements, and reporting security incidents. It aims to bring Care New England into compliance with HIPAA rules governing privacy, security, and breach notification.
Privacy and Data Security: Minimizing Reputational and Legal Risks (TechWell)
This document outlines an agenda for a conference on regulating privacy and software. It discusses:
- Federal laws and court cases that form the foundation of privacy regulation in the US.
- How various federal agencies like the FTC and HHS enforce privacy through cases against companies like HTC and penalties for violations.
- State privacy laws and enforcement by state attorneys general.
- Private enforcement through class action lawsuits and individual claims over data breaches and privacy violations.
- The costs of data breaches for companies.
- Approaches like "privacy by design" to incorporate privacy into the software development process.
Catholic Health Care Services Resolution Agreement (data brackets)
This resolution agreement between HHS and CHCS resolves HHS's investigation into CHCS regarding compliance with HIPAA rules. CHCS will pay HHS $650,000 and comply with a corrective action plan to address deficiencies in its risk analysis, security measures, and policies and procedures related to protecting electronic protected health information. The corrective action plan requires CHCS to conduct annual risk analyses, develop and distribute policies to its workforce, report any failures to comply with policies, and provide documentation to HHS. This agreement resolves the issues related to a breach of electronic protected health information at CHCS and its affiliated skilled nursing facilities.
Catholic Health Care Services Resolution Agreement and Corrective Action Plan (Alex Slaney)
Catholic Health Care Services of the Archdiocese of Philadelphia settlement, Resolution Agreement and Corrective Action Plan as a result of violating the HIPAA Security Rule for ePHI
This document discusses accountability and penalties related to data privacy laws. It outlines obligations for transferring personal information, and penalties for violations of data privacy laws, including fines ranging from 0.25-3% of annual gross income. It also discusses requirements for notifying the NPC and affected individuals of data breaches within 72 hours, and penalties for failure to notify or delays in notification.
Raleigh Orthopedic RA and CAP April 2016 (data brackets)
Raleigh Orthopedic's Resolution Agreement and CAP resulting from Raleigh Orthopedic violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules
Raleigh Orthopedic RA and CAP April 2016 (Alex Slaney)
Resolution Agreement and CAP put in place after Raleigh Orthopedic violated The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule
The document discusses the Protection of Personal Information Act (POPI) of South Africa. It defines key terms like personal information, processing, and responsible party. It outlines 8 conditions for the lawful processing of personal information according to POPI, including accountability, processing limitation, and purpose specification. Non-compliance with POPI can result in penalties, so organizations must understand and comply with the Act when handling personal information.
This document outlines an economic and trade agreement between the United States and China. Key points include:
- The agreement recognizes the importance of intellectual property protection and enforcement.
- It establishes obligations for both countries to strengthen protection of trade secrets, pharmaceutical patents, and combat online piracy.
- China agrees to reform its laws to shift the burden of proof to defendants in trade secret cases, expedite takedowns of infringing online content, and revoke operating licenses of e-commerce platforms that fail to curb counterfeit goods.
- The US affirms its existing measures meet the standards in the agreement. Both countries pledge cooperation on intellectual property issues.
Similar to Massachusetts Eye and Ear Infirmary HIPAA Violation (20)
Presence Health Resolution Agreement with OCR (data brackets)
This resolution agreement between the US Department of Health and Human Services (HHS) and Presence Health Network resolves HHS investigation number 14-176036 regarding Presence Health's violations of the HIPAA Breach Notification Rule. Presence Health failed to provide timely notification of a 2013 breach affecting 836 individuals to those individuals, media outlets, and HHS as required. The agreement requires Presence Health to pay $475,000 and comply with a corrective action plan, which involves revising policies and procedures around breach notification and applying sanctions to employees who fail to follow breach notification policies.
This resolution agreement between the U.S. Department of Health and Human Services (HHS) and New York Presbyterian Hospital (NYP) resolves allegations that NYP impermissibly disclosed patients' protected health information during filming of a television show at the hospital. Under the agreement, NYP will pay $2.2 million and comply with a corrective action plan to strengthen its privacy policies and procedures regarding disclosures to film crews. The agreement includes a release of claims by HHS related to the covered conduct and requires NYP to implement policies addressing uses and disclosures of protected health information, safeguards, authorizations, training, and internal reporting procedures.
This resolution agreement summarizes a settlement between the US Department of Health and Human Services (HHS) and New York Presbyterian Hospital (NYP) regarding an investigation into a potential violation of patient privacy rules. Key points:
- HHS investigated NYP for impermissibly disclosing patient health information to a film crew without authorization.
- NYP agrees to pay $2.2 million and comply with a corrective action plan to resolve the matter.
- The corrective action plan requires NYP to develop comprehensive privacy policies, train staff, investigate potential violations, and report certain incidents to HHS for the next two years.
HIPAA Violation Fines: North Memorial Hospital Settlement (data brackets)
This resolution agreement resolves a potential violation of HIPAA rules regarding the protection of patient health information. North Memorial Health Care paid $1,550,000 to settle claims that it improperly provided a business associate, Accretive Health, access to patient information without having a signed business associate agreement in place. As part of the settlement, North Memorial agreed to comply with corrective actions to improve its privacy and security practices.
This document provides suggested documentation for exclusions from various measures related to meaningful use of electronic health records. For each measure, it lists the suggested documentation to provide in order to claim an exclusion. This includes summary reports from certified EHR systems with required details like numerators, denominators, and time periods. It also lists statements or documentation that can demonstrate why a particular exclusion or exception applies in some cases. The documentation suggested aims to prove that exclusions are correctly applied and that meaningful use requirements or objectives are not applicable.
Lincare HIPAA Remediated Decision by Administrative Judge (data brackets)
The Department of Health and Human Services investigated a complaint that a Lincare manager allowed her estranged husband unauthorized access to protected health information of Lincare patients. Following an investigation, the Office for Civil Rights determined that Lincare violated HIPAA by failing to implement policies to safeguard patient records and failing to protect 278 patients' information from unauthorized disclosure. OCR proposed a $239,800 civil money penalty against Lincare. Lincare appealed and OCR filed a motion for summary judgment, which Lincare opposed.
Lincare HIPAA Notice of Proposed Determination, Remediated (data brackets)
This document from the Department of Health and Human Services notifies Lincare, Inc. that it intends to impose a civil monetary penalty of $239,800 for violations of the HIPAA Privacy Rule. It finds that a Lincare employee impermissibly disclosed protected health information of 278 patients to an unauthorized individual by leaving the PHI in her home and vehicle without safeguards. It also finds that Lincare's policies failed to adequately protect PHI removed from its facilities. Lincare is found liable for impermissible disclosure, failure to safeguard PHI, and inadequate policies regarding off-site PHI protection. Lincare's arguments do not establish affirmative defenses to the violations.
Office of Inspector General Study on OCR's HIPAA Audit Program (data brackets)
Office of Inspector General: OCR should strengthen its oversight of covered entities' compliance with the HIPAA privacy standards.
OIG has recently completed a study of OCR's HIPAA audit program and published the following recommendations:
(1) OCR should fully implement a permanent audit program
(2) OCR should maintain complete documentation of corrective action
(3) OCR should develop an efficient method in its case-tracking system to search for and track covered entities
(4) OCR should develop a policy requiring OCR staff to check whether covered entities have been previously investigated
(5) OCR should continue to expand outreach and education efforts to covered entities.
OCR, under Director Jocelyn Samuels, concurred with all five recommendations and described its activities to address them.
For the complete report please visit our slideshare page:
Cancer Care Group HIPAA Settlement Agreement (data brackets)
Cancer Care has taken corrective action with regard to the specific requirements of the Privacy and Security Rules that are at the core of this enforcement action, as well as actions to come into compliance with the other provisions of the HIPAA Rules. The Resolution Agreement and Corrective Action Plan (CAP) can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cancercare.html
Parkview Health System, Inc. (Parkview) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Parkview will pay $800,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.
HIPAA Settlement: New York Presbyterian and Columbia University (data brackets)
The resolution agreement summarizes a breach incident involving New York Presbyterian Hospital (NYP) impermissibly disclosing electronic protected health information (ePHI) of 6,800 patients to Google and other internet search engines. It outlines NYP's obligations to pay $3.3 million, implement a corrective action plan, and comply with HIPAA privacy and security rules going forward. The corrective action plan requires NYP to conduct a risk analysis, develop a risk management plan, review and revise access and device policies, implement security awareness training, and report to HHS for three years.
OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center. OCR’s investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk. While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information. Concentra has agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan to evidence their remediation of these findings.
Skagit County HIPAA Violation Settlement Agreement with HHS (data brackets)
Skagit County, Washington, has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. Skagit County agreed to a $215,000 monetary settlement and to work closely with the Department of Health and Human Services (HHS) to correct deficiencies in its HIPAA compliance program. Skagit County is located in Northwest Washington, and is home to approximately 118,000 residents. The Skagit County Public Health Department provides essential services to many individuals who would otherwise not be able to afford health care.
OCR opened an investigation of Skagit County upon receiving a breach report that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County. OCR's investigation revealed a broader exposure of protected health information involved in the incident, which included the ePHI of 1,581 individuals. Many of the accessible files involved sensitive information, including protected health information concerning the testing and treatment of infectious diseases. OCR's investigation further uncovered general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules.
Skagit County continues to cooperate with OCR through a corrective action plan to ensure it has in place written policies and procedures, documentation requirements, training, and other measures to comply with the HIPAA Rules. This corrective action plan also requires Skagit County to provide regular status reports to OCR.
EHR Meaningful Use Security Risk Assessment Sample Document (data brackets)
Under the HIPAA Privacy and Security Rules, covered entities and business associates are required to actively assess risks to patient information and to safeguard it; these obligations are central to patient privacy. The HITECH Act reinforces the minimum necessary standard: only the minimum necessary protected health information (PHI) may be used or disclosed.
This security risk assessment exercise was performed to support the requirements of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and other applicable state data privacy laws and regulations. Upon completion of this risk assessment, a detailed risk management plan needs to be developed to address the gaps identified by the risk analysis. The gaps identified and recommendations provided are based on the input provided by staff, budget, scope and other practical considerations.
This resolution agreement between HHS and Affinity Health Plan resolves an investigation into a breach of protected health information. Affinity will pay $1,215,780 and comply with a corrective action plan. The plan requires Affinity to retrieve photocopier hard drives containing PHI, conduct a security risk analysis, and update policies. If Affinity breaches the agreement or plan, HHS may impose civil money penalties. Both parties aim to resolve the issues without further legal action.
Resolution Agreement: On January 6, 2012, HHS notified SRMC of its initiation of a compliance review of its facility to determine whether there was a failure to comply with the requirements of the Privacy Rule. HHS’s compliance review was prompted by an article in the Los Angeles Times published on January 4, 2012. The article indicated that two of SRMC’s senior leaders met with the media to discuss the medical services provided to a patient (the Affected Party) without a valid written authorization.
The document summarizes key audit procedures for ensuring HIPAA compliance in healthcare organizations. It outlines requirements for conducting risk assessments, acquiring secure IT systems, reviewing system activity, implementing risk management programs, and assigning security responsibilities. Organizations must identify vulnerabilities, establish security policies and standards, approve procedures on a periodic basis, and clearly define the role of a Security Official responsible for HIPAA security.
This document summarizes the compliance of various IT systems and departments with the HIPAA Security Rule. It finds that while many required security measures are in place, such as access controls, risk analysis and assigned security responsibilities, some key areas need improvement. These include developing a sanction policy, conducting regular security awareness training, establishing clear security incident response procedures, testing contingency plans, and ensuring data encryption in all systems. The assessment provides action items to address each gap and fully meet the Security Rule standards.
Trends and Career Opportunities in Health IT (data brackets)
According to the Bureau of Labor Statistics, healthcare and social services jobs are expected to grow 24 percent from 2008 through 2018, faster than the average for all occupations. Growth in the healthcare IT industry can be attributed to many factors: long-term care of a large aging population, the need for technology to provide greater accountability for the two-thirds of the population at risk for heart disease due to being overweight or obese, more emphasis on preventive care, and the use of technology and data to increase the quality of patient care and overall accountability. Additionally, the American Recovery and Reinvestment Act of 2009 (ARRA) included a section known as HITECH, under which entitlement funds (roughly $34 billion) are available to Medicare- and Medicaid-participating providers (hospitals, physicians and other providers) as an incentive to develop and improve their health information technology (HIT) capabilities, primarily in the area of electronic health records (EHRs).
The problem that many hospitals and other providers encounter in filling these jobs is the shortage of qualified, experienced health IT staff. While the federally funded training programs at 82 community colleges may help meet some of the demand, the majority of the available positions are not entry level, say consultants and CIOs.
This presentation will focus on these trends and career opportunities in health IT for professionals, organized by job role, vendor technology and market transition.
Guest Speaker: Tommy Fowler, Healthcare Services at TEK Systems
Massachusetts Eye and Ear Infirmary HIPAA Violation
RESOLUTION AGREEMENT
I. Recitals
1. Parties. The Parties to this Resolution Agreement (“Agreement”) are the
United States Department of Health and Human Services, Office for Civil Rights
(“HHS”), and the Massachusetts Eye and Ear Infirmary (“MEEI”) and Massachusetts
Eye and Ear Associates, Inc. (“MEEA”). MEEI and MEEA (hereinafter collectively
referred to as “MEEI”), each of which is a nonprofit corporation organized under the
laws of and operating in The Commonwealth of Massachusetts, are affiliated by
common ownership or control as a single covered entity under the Privacy Rule, 45
C.F.R. § 164.105(b). HHS and MEEI shall together be referred to herein as the
“Parties.”
2. Authority of HHS
HHS enforces the Federal standards that govern the privacy of individually
identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164,
the “Privacy Rule”) and the Federal standards that govern the security of electronic
individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C
of Part 164, the “Security Rule”). HHS has the authority to conduct investigations of
complaints alleging violations of the Privacy and Security Rules by covered entities,
and covered entities must cooperate with HHS’ investigation. 45 C.F.R. §160.306(c)
and §160.310(b).
3. Factual Background and Covered Conduct
On April 21, 2010, HHS received notification from MEEI regarding a breach
of its unsecured electronic protected health information (ePHI). On October 5, 2010,
HHS notified MEEI of its investigation regarding MEEI’s compliance with the
Privacy, Security, and Breach Notification Rules.
HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”):
(1) MEEI did not demonstrate that it conducted a thorough analysis of the
risk to the confidentiality of ePHI on an on-going basis as part of its
security management process from the compliance date of the Security
Rule to October 29, 2009. In particular, MEEI did not fully evaluate
the likelihood and impact of potential risks to the confidentiality of
ePHI maintained in and transmitted using portable devices, implement
appropriate security measures to address such potential risks,
document the chosen security measures and the rationale for adopting
those measures, and maintain on an on-going basis reasonable and
appropriate security measures.
(2) MEEI’s security measures were not sufficient to ensure the
confidentiality of ePHI that it created, maintained, and transmitted
using portable devices to a reasonable and appropriate level from the
compliance date of the Security Rule to May 17, 2010.
(3) MEEI did not adequately adopt or implement policies and procedures
to address security incident identification, reporting, and response
from the compliance date of the Security Rule to March 8, 2010.
(4) MEEI did not adequately adopt or implement policies and procedures
to restrict access to authorized users for portable devices that access
ePHI or to provide it with a reasonable means of knowing whether or
what type of portable devices were being used to access its network
from the compliance date of the Security Rule to March 8, 2010.
(5) MEEI did not adequately adopt or implement policies and procedures
governing the receipt and removal of portable devices into, out of, and
within the facility from the compliance date of the Security Rule to
May 17, 2010. MEEI had no reasonable means of tracking non-MEEI
owned portable media devices containing its ePHI into and out of its
facility, or the movement of these devices within the facility.
(6) MEEI did not adequately adopt or implement technical policies and
procedures to allow access to ePHI using portable devices only to
authorized persons or software programs from the compliance date of
the Security Rule to June 15, 2010. MEEI did not implement an
equivalent, reasonable, and appropriate alternative measure to
encryption that would have ensured confidentiality of its ePHI or
document the rationale supporting the decision not to encrypt.
4. No Admission. This Agreement is not an admission, concession, or
evidence of liability or wrongdoing by MEEI or of any fact or any violation of any
law, rule, or regulation, including any violation of HIPAA or the Privacy Rule. This
Agreement is made without trial or adjudication of any alleged issue of fact or law
and without any finding of liability of any kind, and MEEI’s agreement to undertake
any obligation under this Agreement shall not be construed as an admission of any
kind.
5. No Concession. This Agreement is not a concession by HHS that MEEI is
not in violation of the Privacy or Security Rules and that MEEI is not liable for civil
money penalties.
6. Intention of Parties to Effect Resolution. This Agreement is intended to
resolve OCR Complaint No. 10-111355, and any violations of the HIPAA Privacy
and Security Rules related to the Covered Conduct specified in paragraph I.3.of this
Agreement. In consideration of the Parties’ interest in avoiding the uncertainty,
burden and expense of further investigation and formal proceedings, the Parties agree
to resolve this matter according to the Terms and Conditions below.
II. Terms and Conditions
7. Payment. MEEI agrees to pay HHS the aggregate amount of $1,500,000 (the
“Resolution Amount”). MEEI shall pay the first installment of $500,000 on October 15,
2012. MEEI shall pay the second installment of $500,000 on October 15, 2013. MEEI
shall pay the third installment of $500,000 on October 15, 2014. Each of these payments
shall be paid by electronic funds transfer pursuant to written instructions to be provided
by HHS.
8. Failure to Pay Resolution Amount. The failure to make any installment
payment of the Resolution Amount on the date set forth above in paragraph II.7. shall be
deemed a breach of this Agreement. Upon a determination by HHS that MEEI failed to
timely pay any payment, HHS may notify MEEI of MEEI’s breach and HHS’ intent to
impose a Civil Monetary Penalty (“CMP”), pursuant to 45 C.F.R. Part 160, for violations
of the HIPAA Privacy and Security Rules related to the Covered Conduct set forth in
section I.3. of this Agreement (“Notice of Breach for Failure to Pay Resolution Amount
and Intent to Impose CMP”).
MEEI shall have 30 days from the date of its receipt of the Notice of Breach and Intent to
Impose CMP to either: (a) make the requisite installment payment or (b) demonstrate to
HHS’ satisfaction that MEEI made the requisite installment payment. If at the conclusion
of the 30-day period, MEEI does not make the payment or otherwise demonstrate that it
made the payment to HHS’ satisfaction, HHS may proceed with the imposition of a CMP
against MEEI, pursuant to 45 C.F.R. Part 160, for any violations of the Privacy and
Security Rules related to the Covered Conduct set forth in paragraph I.3. of this
Agreement. HHS shall notify MEEI in writing of its determination to proceed with the
imposition of a CMP. MEEI shall retain all of the rights and obligations specified under
45 C.F.R. Part 160, Subparts C through E, with respect to any determination by HHS that
MEEI has violated the Privacy Rule or the Security Rule and with respect to the
imposition of the CMP under this paragraph.
9. Corrective Action Plan. MEEI has entered into and agrees to comply with the
Corrective Action Plan (“CAP”), attached as Appendix A, which is incorporated into this
Agreement by reference. If MEEI breaches the CAP, and fails to cure the breach as set
forth in the CAP, then MEEI will be in breach of this Agreement and HHS will not be
subject to the terms and conditions in the Release set forth in paragraph 10 of this
Agreement.
10. Release by HHS. In consideration of and conditioned upon MEEI’s
performance of its obligations under this Agreement, HHS releases MEEI and its
successors, transferees, assigns, subsidiaries, members, agents, directors, officers,
affiliates and employees, from any actions it has or may have against MEEI under the
Privacy and Security Rules arising out of or related to the Covered Conduct specified in
paragraph I.3. of this Agreement. HHS does not release MEEI from, nor waive any
rights, obligations, or causes of action other than those arising out of or related to the
Covered Conduct and referred to in this paragraph. This release does not extend to
actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C.
§ 1320d-6.
11. Agreement by Released Party. MEEI shall not contest the validity of its
obligation to pay, nor the amount of, the Resolution Amount or any other obligations
agreed to under this Agreement. MEEI waives all procedural rights granted under section
1128A of the Social Security Act (42 U.S.C. § 1320a-7a), 45 C.F.R. Part 160, Subpart E;
and HHS Claims Collection provisions, 45 C.F.R. Part 30, including, but not limited to,
notice, hearing, and appeal with respect to the Resolution Amount.
12. Binding on Successors. This Agreement is binding on MEEI and its
successors, heirs, transferees, and assigns.
13. Costs. Each Party to this Agreement shall bear its own legal and other costs
incurred in connection with this matter, including the preparation and performance of this
Agreement.
14. No Additional Releases. This Agreement is intended to be for the benefit of
the Parties only, and by this instrument the Parties do not release any claims against any
other person or entity.
15. Effect of Agreement. This Agreement constitutes the complete agreement
between the Parties. All material representations, understandings, and promises of the
Parties are contained in this Agreement. Any modifications to this Agreement must be
set forth in writing and signed by both Parties. Neither MEEI nor HHS intends that this
Agreement shall be used as any basis for the denial of any license, authorization,
approval, or consent that MEEI may require under any law, rule, or regulation.
16. Execution of Agreement and Effective Date. The Agreement shall become
effective (i.e., final and binding) on the date that both Parties sign this Agreement and the
CAP (“Effective Date”).
17. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a
CMP must be imposed within six (6) years from the date of the occurrence of the
violation. To ensure that this six-year period does not expire during the term of this
Agreement, MEEI agrees that the time between the Effective Date of this Agreement and
the date this Resolution Agreement may be terminated by reason of MEEI’s breach, plus
one year thereafter, will not be included in calculating the six (6) year statute of
limitations applicable to the violations which are the subject of this Agreement. MEEI
waives and will not plead any statute of limitations, laches, or similar defenses to any
administrative action relating to the Covered Conduct specified in paragraph I.3. that is
filed by HHS within the time period set forth above, except to the extent that such
defenses would have been available had an administrative action been filed on the
Effective Date of this Agreement.
18. Disclosure. HHS places no restriction on the publication of the Agreement.
This Agreement and information related to this Agreement may be made public by either
party. In addition, HHS may be required to disclose this Agreement and related material
to any person upon request consistent with the applicable provisions of the Freedom of
Information Act (FOIA), 5 U.S.C. § 552, and its implementing regulations, 45 C.F.R.
Part 5; provided, however, that HHS will use its best efforts to prevent the disclosure of
information, documents, and any other item produced by MEEI to HHS as part of HHS’
review, to the extent such items constitute trade secrets and/or confidential commercial or
financial information that is exempt from turnover in response to a FOIA request under 45
C.F.R. § 5.65, or any other applicable exemption under FOIA and its implementing
regulations.
19. Execution in Counterparts. This Agreement may be executed in counterparts,
each of which constitutes an original, and all of which shall constitute one and the same
agreement.
20. Authorizations. The individuals signing this Agreement on behalf of MEEI
represent and warrant that they are authorized by MEEI to execute this Agreement. The
individual signing this Agreement on behalf of HHS represents and warrants that he is
signing this Agreement in his official capacity and that he is authorized to execute this
Agreement.
For Massachusetts Eye and Ear Infirmary and
Massachusetts Eye and Ear Associates, Inc.
/s/ John Fernandez    Date: 9/13/2012
President and Chief Executive Officer
Massachusetts Eye and Ear Infirmary
/s/ Joan Miller, M.D.    Date: 9/13/2012
President
Massachusetts Eye and Ear Associates, Inc.
For the United States Department of Health and Human Services
/s/ Peter K. Chan    Date: 9/13/2012
Regional Manager, Region I
Office for Civil Rights
Appendix A
CORRECTIVE ACTION PLAN
BETWEEN THE
DEPARTMENT OF HEALTH AND HUMAN SERVICES
AND
MASSACHUSETTS EYE AND EAR INFIRMARY
AND
MASSACHUSETTS EYE AND EAR ASSOCIATES, INC.
I. Preamble
Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates,
Inc. (hereinafter collectively referred to as “MEEI”) hereby enters into this Corrective
Action Plan (“CAP”) with the United States Department of Health and Human Services,
Office for Civil Rights (“HHS”). Contemporaneously with this CAP, MEEI is entering
into a Resolution Agreement (“Agreement”) with HHS, and this CAP is incorporated by
reference into the Agreement as Appendix A. MEEI enters into this CAP as part of the
consideration for the release set forth in paragraph 10 of the Agreement.
II. Contact Persons and Submissions
A. Contact Persons
MEEI has identified the following individual as its authorized representative and
contact person regarding the implementation of this CAP and for receipt and submission
of notifications and reports:
Mr. Rick King
Compliance and Privacy Officer
Massachusetts Eye and Ear Infirmary
243 Charles Street
Boston, MA 02114-3096
Rick_King@meei.harvard.edu
Telephone: 617-391-5892
Facsimile: 617-391-5890
HHS has identified the following individual as its contact person with whom
MEEI is to report information regarding the implementation of this CAP:
Ms. Susan Rhodes, Deputy Regional Manager
Office for Civil Rights, Region I
Department of Health and Human Services
JFK Federal Building, Room 1875
Boston, MA 02203
Susan.Rhodes@hhs.gov
Telephone: 617-565-1347
Facsimile: 617-565-3809
MEEI and HHS agree to promptly notify each other of any changes in the contact
persons or the other information provided above.
B. Proof of Submissions. Unless otherwise specified, all notifications and
reports required by this CAP may be made by any means, including certified mail,
overnight mail, or hand delivery, provided that there is proof that such notification was
received. For purposes of this requirement, internal facsimile confirmation sheets do not
constitute proof of receipt.
III. Effective Date and Term of CAP
The Effective Date for this CAP shall be calculated in accordance with paragraph
16 of the Agreement (“Effective Date”). The period for compliance with the obligations
assumed by MEEI under this CAP shall begin on the Effective Date of this CAP and end
three (3) years from the date on which HHS approves the Monitor Plan, as provided in
paragraph VI.F.2. (“Compliance Term”); except that after the Compliance Term ends,
MEEI shall still be obligated to: (a) submit the Annual Report for the final Reporting
Period, as set forth in section VII.B.; and (b) comply with the document retention
requirement set forth in section VIII.
IV. Time
In computing any period of time prescribed or allowed by this CAP, the day of the
act, event, or default from which the designated period of time begins to run shall not be
included. The last day of the period so computed shall be included, unless it is a
Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the
next day that is not one of the aforementioned days.
V. Definitions
For the purposes of this CAP, the following terms shall be interpreted as follows:
“Portable devices” shall mean portable and/or mobile devices and external
hardware that contain electronic protected health information (ePHI), store ePHI, or are
used to access ePHI.
“Workstation” means an electronic computing device, including portable devices
such as a laptop, or any other device that performs similar functions, and electronic media
stored in its immediate environment.
VI. Corrective Action Obligations
MEEI agrees to the following:
A. Policies and Procedures
1. MEEI shall review its existing written policies, and shall revise and
develop, as may be necessary, written policies and procedures (“Policies and
Procedures”) to address the Covered Conduct specified in paragraph I.3. of the
Agreement to comply with the Federal standards that govern the privacy and security of
individually identifiable health information (45 C.F.R. Parts 160 and 164, Subparts A, C,
and E, the Privacy and Security Rules). Policies and Procedures shall include, but not be
limited to, the minimum content set forth in section VI.C.
2. Within 120 days of the Effective Date, MEEI shall provide such Policies
and Procedures, consistent with paragraph 1 above, to HHS for review and approval.
Within 60 days upon receiving notice from HHS specifying any required changes to such
Policies and Procedures, MEEI shall revise such Policies and Procedures accordingly,
and provide the revised Policies and Procedures to HHS for review and approval. HHS’
approval shall not be unreasonably withheld.
3. Within 30 days of HHS’ approval of the Policies and Procedures, MEEI
shall finalize and officially adopt its Policies and Procedures in accordance with its
applicable administrative procedures.
4. MEEI shall assess, update, and revise, as may be necessary, the Policies
and Procedures at least annually and more frequently if appropriate. MEEI shall provide
such revised Policies and Procedures to HHS for review and approval. Within 60 days
upon receiving notice from HHS specifying any required changes to such revised Policies
and Procedures, MEEI shall revise such Policies and Procedures accordingly, and provide
the revised Policies and Procedures to HHS for review and approval. HHS’ approval
shall not be unreasonably withheld. Within 30 days of HHS’ approval of any substantive
revisions, MEEI shall finalize and officially adopt such revised Policies and Procedures.
B. Distribution of Policies and Procedures
1. Within 60 days of HHS’ approval of the Policies and Procedures in
section VI.A. or HHS’ approval of any revised Policies and Procedures pursuant to
paragraph VI.A.4., MEEI shall distribute such Policies and Procedures to all members of
the workforce who have access to ePHI. MEEI shall distribute the Policies and
Procedures to new members of the workforce within 15 days of the workforce members
beginning service.
2. No later than the end of the period described in section VI.B.1. relating to
distribution of the Policies and Procedures to existing and new workforce members,
MEEI shall require a signed written or electronic compliance certification from all
members of the workforce who have access to ePHI acknowledging that the workforce
member has read, understands, and shall abide by such Policies and Procedures.
3. Following the relevant periods described in section VI.B.1. relating to
distribution of Policies and Procedures to existing and new workforce members, MEEI
shall not permit any workforce member to access or use ePHI, until that workforce
member has signed or provided the written or electronic compliance certification as
required by paragraph VI.B.2.
C. Minimum Content of the Policies and Procedures
The Policies and Procedures shall, at a minimum, include:
1. Administrative, physical and technical safeguards for all portable devices
that contain or are used to access MEEI ePHI that appropriately and reasonably ensure
that such ePHI may be protected from any intentional or unintentional uses or disclosures
in violation of the Privacy and/or Security Rules;
2. Provisions for conducting an accurate and thorough assessment of the
potential risks and vulnerabilities to the confidentiality, integrity and availability of all
MEEI ePHI, when it is created, received, maintained, used or transmitted using portable
devices on or off-site;
3. Provisions for implementing security measures sufficient to reduce the
risks and vulnerabilities identified by the risk analysis to a reasonable and appropriate
level based on MEEI’s circumstances;
4. Provisions to identify the security official who is responsible for the
development and implementation of the policies and procedures required by the Security
Rule for MEEI;
5. Procedures for identifying and responding to security incidents;
mitigating, to the extent practicable, harmful effects of security incidents; and
documenting the security incidents and their outcomes;
6. Procedures that specify the proper functions to be performed using
workstations that access MEEI ePHI, the manner in which those functions are to be
performed, and the physical attributes of the surroundings of a specific workstation or
class of workstations that can access ePHI;
7. Provisions to track the receipt and removal of hardware and electronic
media, including portable devices, that contain MEEI ePHI into and out of MEEI’s
facility(s), and the movement of these items within MEEI’s facility(s);
8. Mechanism(s) to encrypt and decrypt portable devices that contain MEEI
ePHI to allow access only to those persons or software programs that have been granted
access rights;
9. Instructions and procedures that address permissible and impermissible
uses and disclosures of MEEI ePHI accessed by or stored on portable devices;
10. Procedures for applying appropriate sanctions against workforce members
who fail to comply with these Policies and Procedures required in section VI.A.
D. Workforce Compliance with Policies and Procedures
1. Reportable Events. Upon receiving information that a workforce member
may have failed to comply with the Policies and Procedures required in section VI.A.,
MEEI shall promptly investigate the matter. If MEEI, after review and investigation,
determines that a member of its workforce has failed to comply with the Policies and
Procedures, MEEI shall notify in writing the Monitor (described in section VI.F.) within
60 days. Such violations shall be known as “Reportable Events.” The report to the
Monitor shall include the following:
a. A complete description of the event, including the relevant facts, the
person(s) involved, and the provision(s) of the Policies and Procedures
implicated; and
b. A description of the actions taken and any further steps MEEI plans to
take to address the matter, to mitigate any harm, and to prevent it from
recurring, including the application of appropriate sanctions against
workforce members who failed to comply with the Policies and
Procedures.
E. Training
1. Within 120 days of HHS’ approval of the Policies and Procedures required
in section VI.A. or HHS’ approval of any revised Policies and Procedures pursuant to
paragraph VI.A.4., MEEI shall provide training on the Policies and Procedures to all
workforce members who have access to and use ePHI. The training required by this
section may be incorporated into MEEI’s Information Security Awareness Training
Program. MEEI shall provide such training to new workforce members who have access
to and use ePHI, within 30 days of beginning service.
2. MEEI shall require that each workforce member who is required to attend
training certify, in writing or in electronic form, that he or she has received the required
training. The training certification shall specify the date training was completed. All
course materials shall be retained in compliance with section VIII.
3. MEEI shall review the training annually, and update the training to reflect
any new changes in Federal law or HHS guidance, revisions to the Policies and
Procedures, or any issue(s) discovered during audits or reviews.
4. Following the date on which training must be completed as set forth
above, MEEI shall not permit any workforce member to use or access ePHI until that
workforce member has provided the training certification required by paragraph VI.E.2.
F. Monitoring
1. Designation of Independent Monitor. Within 90 days of the Effective
Date, MEEI shall designate an individual or entity to monitor and to review MEEI’s
compliance with this CAP (“Monitor”). The Monitor must certify in writing that it has
expertise in compliance with the Security Rule and is able to perform the reviews
described below in a professionally independent fashion taking into account any other
business relationships or other engagements that may exist. Within the above-referenced
time period, MEEI shall submit the name and qualifications of the designated individual
or entity to HHS for HHS’ approval. If HHS does not approve the designated individual
or entity, the process above requiring MEEI to submit the name and qualifications of a
designated individual or entity for HHS’ approval shall be repeated until HHS has
approved a Monitor. Upon receiving such approval, MEEI shall enter into
an engagement with the Monitor for the reviews specified in section VI.F.3.
2. Monitor Plan. Within 90 days of being approved for service by HHS, the
Monitor shall submit to HHS and MEEI a written plan for HHS’ approval, describing
with adequate detail, the Monitor’s plan for fulfilling the duties set forth in section VI.F.
of this CAP (“Monitor Plan”). HHS may submit comments and recommended changes to
the Monitor Plan. Within 30 days of the Monitor’s receipt of HHS’ comments and
recommended changes, the Monitor shall make such changes to the Monitor Plan as HHS
may reasonably have requested and submit the revised Monitor Plan to HHS. HHS shall
inform MEEI and the Monitor of its approval or disapproval of the revised Monitor Plan
within a reasonable time.
The Monitor shall begin implementation of the Monitor Plan immediately after
HHS approves the Monitor Plan.
The Monitor shall review the Monitor Plan at least annually and shall provide
HHS and MEEI with a copy of any revisions to the Monitor Plan within 10 days of the
Monitor making such revisions. HHS shall have a reasonable opportunity to comment
and make recommendations regarding any revisions or modifications at any time while
this CAP is in effect. The Monitor shall make such changes to the revisions as HHS may
reasonably request.
3. Description of Monitor Reviews. The Monitor shall assess and make
specific determinations about MEEI’s compliance with the obligations of this CAP
(“Monitor Reviews”). As a part of the Monitor’s review, the Monitor shall:
a. perform unannounced site visits to the various MEEI facilities and
departments (as determined in the Monitor Plan) at least two (2) times a year to
determine if workforce members are complying with MEEI Policies and
Procedures;
b. interview workforce members and business associates as needed; and
c. investigate reports of noncompliance with this CAP and review reports
of Reportable Events.
MEEI shall provide the Monitor with convenient, timely access to any workforce
members, policies, procedures, audit records, or other items or information that the
Monitor deems necessary for its review and performance of the Monitor’s duties.
4. Monitor Reports and Response. Within 180 days of the date HHS
approves the Monitor Plan, and once every six (6) month period thereafter, the Monitor
shall prepare a semi-annual report based on the reviews it has performed and provide
such report to HHS and MEEI (“Monitor Reports”). MEEI shall prepare a response to
the report and provide such response to HHS and the Monitor. The Monitor shall
immediately report any significant violations of this CAP to HHS and MEEI. Within 10
days of receiving the Monitor’s report of a significant violation MEEI shall prepare a
response, including a plan(s) of correction, and provide such response to HHS and the
Monitor.
5. Monitor Review Document Retention. The Monitor and MEEI shall
maintain and make available to HHS for inspection and copying, upon request, all work
papers, supporting documentation, correspondence, and draft reports (those exchanged
between the Monitor and MEEI) related to the Monitor Reviews.
6. Monitor Removal/Termination. If MEEI intends to terminate any Monitor
during the course of the engagement, MEEI shall notify HHS and provide a written
explanation of its reasons prior to the termination, unless exigent circumstances require
immediate termination. Within 30 days of terminating the previous Monitor, MEEI must
designate and engage a new Monitor, subject to approval by HHS, in accordance with
paragraph VI.F.1.
In the event HHS has reason to believe that a Monitor does not possess the
expertise, independence, or objectivity required by this CAP, or has failed to carry out its
responsibilities as set forth in this CAP, HHS may, at its sole discretion, require MEEI to
designate and engage a new Monitor in accordance with paragraph VI.F.1. Prior to
requiring MEEI to engage a new Monitor, HHS shall notify MEEI of its intent to do so
and provide a written explanation of the reasons such a step is necessary. MEEI shall
propose a new Monitor without unreasonable delay and shall designate a new Monitor,
subject to approval by HHS, in accordance with section VI.F.1.
7. Validation Review. In the event HHS has reason to believe that (a) a
Monitor Review or Monitor Report fails to conform to the requirements of this CAP; or
(b) the Monitor Report is inaccurate, HHS may, at its sole discretion, conduct its own
review to determine whether the Monitor Reviews or Report complied with the
requirements of this CAP and/or are inaccurate (“Validation Review”).
Prior to initiating a Validation Review, HHS shall notify MEEI of its intent to do
so and provide a written explanation of the reasons such a review is necessary. To resolve
any concerns raised by HHS, MEEI may request a meeting with HHS (a) to discuss any
Monitor Reviews or Monitor Reports; (b) to present any additional or relevant
information to clarify the results or to correct the inaccuracy of the Monitor Report;
and/or (c) to propose alternatives to the proposed Validation Review. MEEI shall
provide any additional information as may be requested by HHS under this section in an
expedited manner. HHS will attempt in good faith to resolve any concerns with MEEI
prior to conducting a Validation Review. However, the final determination as to whether
or not to proceed with a Validation Review shall be made at the sole discretion of HHS.
8. The use of a Monitor does not affect HHS’ authority to investigate
complaints, conduct compliance reviews or audits of MEEI’s responsibilities under 45
C.F.R. Part 160, Subpart C.
VII. Implementation Report and Annual Reports
A. Implementation Report. Within 120 days after receiving HHS’ approval of
the Policies and Procedures required by section VI.A., MEEI shall submit a written report
to HHS and the Monitor summarizing the status of its implementation of the obligations
of this CAP (“Implementation Report”). The Implementation Report shall include:
1. An attestation signed by an officer of MEEI attesting that the Policies and
Procedures required by section VI.A., (a) have been adopted; (b) are being implemented;
(c) have been distributed to all appropriate members of the workforce in accordance with
paragraph VI.B.1.; and (d) that MEEI obtained all the compliance certifications in
accordance with paragraph VI.B.2.;
2. A copy of all training materials used for the training required by this CAP,
a description of the training, including a summary of the topics covered, the length of the
session(s) and a schedule of when the training session(s) were held;
3. An attestation signed by an officer of MEEI attesting that all members of
the workforce identified in paragraph VI.E.1. have completed the initial training required
by this CAP and have executed the training certifications required by paragraph VI.E.2.;
4. A copy of any engagement letters with the Monitor;
5. A copy of the certification from the Monitor regarding its professional
independence from MEEI, as required by paragraph VI.F.1.;
6. An attestation signed by an officer of MEEI listing all of MEEI’s
locations, the name under which each location is doing business, the corresponding
mailing address, phone number and fax number for each location, and attesting that each
location has complied with the obligations of this CAP; and
7. An attestation signed by an officer of MEEI stating that he or she has
reviewed the Implementation Report, has made a reasonable inquiry regarding its content
and believes that, upon such inquiry, the information is accurate and truthful.
B. Annual Reports. The one-year period after the Effective Date and each
subsequent one-year period during the course of the Compliance Term shall be known as
a “Reporting Period.” Within 60 days after each corresponding Reporting Period, MEEI
shall annually submit a report to HHS and the Monitor regarding MEEI’s compliance
with this CAP for each Reporting Period (“Annual Report”). The Annual Report shall
include:
1. A copy of the schedule, topic outline, and training materials for the
training programs provided during the Reporting Period that is the subject of the Annual
Report;
2. An attestation signed by an officer of MEEI attesting that MEEI obtains
and maintains written or electronic training certifications from all persons who are
required to attend training under this CAP;
3. An attestation signed by an officer of MEEI attesting that any revision(s)
to the Policies and Procedures under paragraph VI.A.4. were finalized and adopted within
30 days of HHS’ approval of the revision(s), which shall include a statement affirming
that MEEI distributed the revised Policies and Procedures to all appropriate members of
the workforce within 60 days of HHS’ approval of the revision(s), and a statement
affirming that MEEI obtained all of the compliance certifications required by paragraph
VI.B.2.;
4. A summary description of all engagements between MEEI and the
Monitor, including, but not limited to, any outside financial audits or compliance
program engagements, if different from what was submitted as part of the Monitor
approval process provided for in section VI.F.; and
5. A summary of Reportable Events identified during the Reporting Period
and the status of any corrective and preventative action(s) relating to all such Reportable
Events.
VIII. Document Retention
The office(s) responsible for implementation of the obligations of the CAP shall
maintain, for the individuals holding the titles set forth herein, all documents and records
relating to compliance with this CAP for six (6) years from the Effective Date. MEEI
shall make available for inspection and copying all non-privileged documents and records
relating to compliance with this CAP. If MEEI asserts a claim of privilege with respect
to any document that HHS requests MEEI to make available for inspection and copying
under this section, within a reasonable time of such request, MEEI shall prepare a log
identifying the document and the type of privilege asserted (e.g., attorney-client privilege,
attorney work product, patient confidentiality, or other privilege). MEEI shall make the
log available to the Monitor, who shall provide it to HHS promptly upon request.
IX. Breach Provisions
MEEI is expected to fully and timely comply with all provisions contained in this
CAP.
A. Timely Written Requests for Extensions. MEEI may, in advance of any due
date set forth in this CAP, submit a timely written request for an extension of time to
perform any act required by this CAP. A “timely written request” is defined as a request
in writing received by HHS at least 5 days prior to the date such an act is required or due
to be performed.
B. Notice of Breach and Intent to Impose CMP. The Parties agree that a breach
of this CAP by MEEI that has not been cured in accordance with section IX.C. below
constitutes a breach of the Agreement. Upon a determination by HHS that MEEI has
breached this CAP, HHS may notify MEEI of (1) MEEI’s breach and (2) HHS’ intent to
impose a civil monetary penalty (CMP), pursuant to 45 C.F.R. Part 160, for the Covered
Conduct set forth in paragraph I.3. of the Agreement and for any other conduct that
constitutes a violation of the HIPAA Privacy and Security Rules (“Notice of Breach and
Intent to Impose CMP”).
C. MEEI Response. MEEI shall have 30 days from the date of receipt of the
Notice of Breach and Intent to Impose CMP to demonstrate to HHS’ satisfaction that:
1. MEEI is in compliance with the obligations of this CAP that HHS cited as
the basis for the breach;
2. the alleged breach has been cured; or
3. the alleged breach cannot be cured within the 30-day period, but that: (a)
MEEI has begun to take action to cure the breach; (b) MEEI is pursuing such action with
due diligence; and (c) MEEI has provided to HHS a reasonable timetable for curing the
breach.
D. Imposition of CMP. If at the conclusion of the 30-day period, MEEI fails to
meet the requirements of section IX.C. to HHS’ satisfaction, HHS may proceed with the
imposition of the CMP against MEEI pursuant to 45 C.F.R. Part 160 for any violations of
the Privacy and Security Rules related to the Covered Conduct set forth in paragraph I.3.
of the Agreement and for any other act or failure to act that constitutes a violation of the
HIPAA Privacy or Security Rules. HHS shall notify MEEI in writing of its
determination to proceed with the imposition of a CMP. MEEI shall retain all of the
rights and obligations specified under 45 C.F.R. Part 160, Subparts C through E, with
respect to any determination by HHS that MEEI has violated the Privacy Rule or the
Security Rule and with respect to the imposition of the CMP under this paragraph.
For Massachusetts Eye and Ear Infirmary and
Massachusetts Eye and Ear Associates, Inc.
Signature: ____________________________    Date: ____________
John Fernandez
President and Chief Executive Officer
Massachusetts Eye and Ear Infirmary
Signature: ____________________________    Date: ____________
Joan Miller, M.D.
President
Massachusetts Eye and Ear Associates, Inc.
For the United States Department of Health and Human Services
Signature: ____________________________    Date: ____________
Peter K. Chan
Regional Manager, Region I
Office for Civil Rights