SlideShare ist ein Scribd-Unternehmen logo

Massachusetts Eye and Ear Infirmary HIPAA Violation

D
data brackets

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively referred to as “MEEI”) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle potential violations of the HIPAA Privacy and Security Rules. MEEI has also agreed to take corrective action to improve policies and procedures to safeguard the privacy and security of their patients’ protected health information and retain an independent monitor to report on MEEI’s compliance efforts. OCR’s investigation followed a breach report submitted by MEEI, as required by the HIPAA Breach Notification Rule, reporting the theft of an unencrypted personal laptop containing the electronic protected health information (ePHI) of MEEI patients and research subjects. The information contained on the laptop included patient prescriptions and clinical information. OCR’s investigation indicated that while MEEI’s management was aware of the Security Rule, MEEI failed to take necessary steps to comply with the requirements of the Rule, such as such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting, and response.

TechnologieBusiness
1 von 17
Downloaden Sie, um offline zu lesen
RESOLUTION AGREEMENT I. Recitals 1. Parties. The Parties to this Resolution Agreement (“Agreement”) are the United States Department of Health and Human Services, Office for Civil Rights (“HHS”), and the Massachusetts Eye and Ear Infirmary (“MEEI”) and Massachusetts Eye and Ear Associates, Inc. (“MEEA”). MEEI and MEEA (hereinafter collectively referred to as “MEEI”), each of which is a nonprofit corporation organized under the laws of and operating in The Commonwealth of Massachusetts, are affiliated by common ownership or control as a single covered entity under the Privacy Rule, 45 C.F.R. § 164.105(b). HHS and MEEI shall together be referred to herein as the “Parties.” 2. Authority of HHS HHS enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”) and the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”). HHS has the authority to conduct investigations of complaints alleging violations of the Privacy and Security Rules by covered entities, and covered entities must cooperate with HHS’ investigation. 45 C.F.R. §160.306(c) and §160.310(b). 3. Factual Background and Covered Conduct On April 21, 2010, HHS received notification from MEEI regarding a breach of its unsecured electronic protected health information (ePHI). On October 5, 2010, HHS notified MEEI of its investigation regarding MEEI’s compliance with the Privacy, Security, and Breach Notification Rules. HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”): (1) MEEI did not demonstrate that it conducted a thorough analysis of the risk to the confidentiality of ePHI on an on-going basis as part of its security management process from the compliance date of the Security Rule to October 29, 2009. In particular, MEEI did not fully evaluate the likelihood and impact of potential risks to the confidentiality of ePHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an on-going basis reasonable and appropriate security measures. (2) MEEI’s security measures were not sufficient to ensure the confidentiality of ePHI that it created, maintained, and transmitted 1
using portable devices to a reasonable and appropriate level from the compliance date of the Security Rule to May 17, 2010. (3) MEEI did not adequately adopt or implement policies and procedures to address security incident identification, reporting, and response from the compliance date of the Security Rule to March 8, 2010. (4) MEEI did not adequately adopt or implement policies and procedures to restrict access to authorized users for portable devices that access ePHI or to provide it with a reasonable means of knowing whether or what type of portable devices were being used to access its network from the compliance date of the Security Rule to March 8, 2010. (5) MEEI did not adequately adopt or implement policies and procedures governing the receipt and removal of portable devices into, out of, and within the facility from the compliance date of the Security Rule to May 17, 2010. MEEI had no reasonable means of tracking non-MEEI owned portable media devices containing its ePHI into and out of its facility, or the movement of these devices within the facility. (6) MEEI did not adequately adopt or implement technical policies and procedures to allow access to ePHI using portable devices only to authorized persons or software programs from the compliance date of the Security Rule to June 15, 2010. MEEI did not implement an equivalent, reasonable, and appropriate alternative measure to encryption that would have ensured confidentiality of its ePHI or document the rationale supporting the decision not to encrypt. 4. No Admission. This Agreement is not an admission, concession, or evidence of liability or wrongdoing by MEEI or of any fact or any violation of any law, rule, or regulation, including any violation of HIPAA or the Privacy Rule. This Agreement is made without trial or adjudication of any alleged issue of fact or law and without any finding of liability of any kind, and MEEI’s agreement to undertake any obligation under this Agreement shall not be construed as an admission of any kind. 5. No Concession. This Agreement is not a concession by HHS that MEEI is not in violation of the Privacy or Security Rules and that MEEI is not liable for civil money penalties. 6. Intention of Parties to Effect Resolution. This Agreement is intended to resolve OCR Complaint No. 10-111355, and any violations of the HIPAA Privacy and Security Rules related to the Covered Conduct specified in paragraph I.3.of this Agreement. In consideration of the Parties’ interest in avoiding the uncertainty, burden and expense of further investigation and formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below. 2
II. Terms and Conditions 7. Payment. MEEI agrees to pay HHS the aggregate amount of $1,500,000 (the “Resolution Amount”). MEEI shall pay the first installment of $500,000 on October 15, 2012. MEEI shall pay the second installment of $500,000 on October 15, 2013. MEEI shall pay the third installment of $500,000 on October 15, 2014. Each of these payments shall be paid by electronic funds transfer pursuant to written instructions to be provided by HHS. 8. Failure to Pay Resolution Amount. The failure to make any installment payment of the Resolution Amount on the date set forth above in paragraph II.7. shall be deemed a breach of this Agreement. Upon a determination by HHS that MEEI failed to timely pay any payment, HHS may notify MEEI of MEEI’s breach and HHS’ intent to impose a Civil Monetary Penalty (“CMP”), pursuant to 45 C.F.R. Part 160, for violations of the HIPAA Privacy and Security Rules related to the Covered Conduct set forth in section I.3. of this Agreement (“Notice of Breach for Failure to Pay Resolution Amount and Intent to Impose CMP”). MEEI shall have 30 days from the date of its receipt of the Notice of Breach and Intent to Impose CMP to either: (a) make the requisite installment payment or (b) demonstrate to HHS’ satisfaction that MEEI made the requisite installment payment. If at the conclusion of the 30-day period, MEEI does not make the payment or otherwise demonstrate that it made the payment to HHS’ satisfaction, HHS may proceed with the imposition of a CMP against MEEI, pursuant to 45 C.F.R. Part 160, for any violations of the Privacy and Security Rules related to the Covered Conduct set forth in paragraph I.3. of this Agreement. HHS shall notify MEEI in writing of its determination to proceed with the imposition of a CMP. MEEI shall retain all of the rights and obligations specified under 45 C.F.R. Part 160, Subparts C through E, with respect to any determination by HHS that MEEI has violated the Privacy Rule or the Security Rule and with respect to the imposition of the CMP under this paragraph. 9. Corrective Action Plan. MEEI has entered into and agrees to comply with the Corrective Action Plan (“CAP”), attached as Appendix A, which is incorporated into this Agreement by reference. If MEEI breaches the CAP, and fails to cure the breach as set forth in the CAP, then MEEI will be in breach of this Agreement and HHS will not be subject to the terms and conditions in the Release set forth in paragraph 10 of this Agreement. 10. Release by HHS. In consideration of and conditioned upon MEEI’s performance of its obligations under this Agreement, HHS releases MEEI and its successors, transferees, assigns, subsidiaries, members, agents, directors, officers, affiliates and employees, from any actions it has or may have against MEEI under the Privacy and Security Rules arising out of or related to the Covered Conduct specified in paragraph I.3. of this Agreement. HHS does not release MEEI from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the 3
Covered Conduct and referred to in this paragraph. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6. 11. Agreement by Released Party. MEEI shall not contest the validity of its obligation to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. MEEI waives all procedural rights granted under section 1128A of the Social Security Act (42 U.S.C. § 1320a-7a), 45 C.F.R. Part 160, Subpart E; and HHS Claims Collection provisions, 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount. 12. Binding on Successors. This Agreement is binding on MEEI and its successors, heirs, transferees, and assigns. 13. Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement. 14. No Additional Releases. This Agreement is intended to be for the benefit of the Parties only, and by this instrument the Parties do not release any claims against any other person or entity. 15. Effect of Agreement. This Agreement constitutes the complete agreement between the Parties. All material representations, understandings, and promises of the Parties are contained in this Agreement. Any modifications to this Agreement must be set forth in writing and signed by both Parties. Neither MEEI nor HHS intend that this Agreement shall be used as any basis for the denial of any license, authorization, approval, or consent that MEEI may require under any law, rule, or regulation. 16. Execution of Agreement and Effective Date. The Agreement shall become effective (i.e., final and binding) on the date that both Parties sign this Agreement and the CAP (“Effective Date”). 17. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a CMP must be imposed within six (6) years from the date of the occurrence of the violation. To ensure that this six-year period does not expire during the term of this Agreement, MEEI agrees that the time between the Effective Date of this Agreement and the date this Resolution Agreement may be terminated by reason of MEEI’s breach, plus one year thereafter, will not be included in calculating the six (6) year statute of limitations applicable to the violations which are the subject of this Agreement. MEEI waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the Covered Conduct specified in paragraph I.3. that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Agreement. 4
18. Disclosure. HHS places no restriction on the publication of the Agreement. This Agreement and information related to this Agreement may be made public by either party. In addition, HHS may be required to disclose this Agreement and related material to any person upon request consistent with the applicable provisions of the Freedom of Information Act (FOIA), 5 U.S.C. § 552, and its implementing regulations, 45 C.F.R. Part 5; provided, however, that HHS will use its best efforts to prevent the disclosure of information, documents, and any other item produced by MEEI to HHS as part of HHS’ review, to the extent such items constitute trade secrets and/or confidential commercial or financial information that is exempt from turnover in response to a FOIA request under 5 C.F.R. § 5.65, or any other applicable exemption under FOIA and its implementing regulations. 19. Execution in Counterparts. This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement. 20. Authorizations. The individuals signing this Agreement on behalf of MEEI represent and warrant that they are authorized by MEEI to execute this Agreement. The individual signing this Agreement on behalf of HHS represents and warrants that he is signing this Agreement in his official capacity and that he is authorized to execute this Agreement. For Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. _____//s//_________________________ ___9/13/2012____ John Fernandez Date President and Chief Executive Officer Massachusetts Eye and Ear Infirmary ____//s//________________________ __9/13/2012____ Joan Miller, M.D. Date President Massachusetts Eye and Ear Associates, Inc. 5
For the United States Department of Health and Human Services ____//s//___________ ____9/13/2012________ Peter K. Chan Date Regional Manager, Region I Office for Civil Rights 6
Appendix A CORRECTIVE ACTION PLAN BETWEEN THE DEPARTMENT OF HEALTH AND HUMAN SERVICES AND MASSACHUSETTS EYE AND EAR INFIRMARY AND MASSACHUSETTS EYE AND EAR ASSOCIATES, INC. I. Preamble Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (hereinafter collectively referred to as “MEEI”) hereby enters into this Corrective Action Plan (“CAP”) with the United States Department of Health and Human Services, Office for Civil Rights (“HHS”). Contemporaneously with this CAP, MEEI is entering into a Resolution Agreement (“Agreement”) with HHS, and this CAP is incorporated by reference into the Agreement as Appendix A. MEEI enters into this CAP as part of the consideration for the release set forth in paragraph 10 of the Agreement. II. Contact Persons and Submissions A. Contact Persons MEEI has identified the following individual as its authorized representative and contact person regarding the implementation of this CAP and for receipt and submission of notifications and reports: Mr. Rick King Compliance and Privacy Officer Massachusetts Eye and Ear Infirmary 243 Charles Street Boston, MA 02114-3096 Rick_King@meei.harvard.edu Telephone: 617-391-5892 Facsimile: 617-391-5890 HHS has identified the following individual as its contact person with whom MEEI is to report information regarding the implementation of this CAP: Ms. Susan Rhodes, Deputy Regional Manager Office for Civil Rights, Region I Department of Health and Human Services A-1
JFK Federal Building, Room 1875 Boston, MA 02203 Susan.Rhodes@hhs.gov Telephone: 617-565-1347 Facsimile: 617-565-3809 MEEI and HHS agree to promptly notify each other of any changes in the contact persons or the other information provided above. B. Proof of Submissions. Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including certified mail, overnight mail, or hand delivery, provided that there is proof that such notification was received. For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt. III. Effective Date and Term of CAP The Effective Date for this CAP shall be calculated in accordance with paragraph 16 of the Agreement (“Effective Date”). The period for compliance with the obligations assumed by MEEI under this CAP shall begin on the Effective Date of this CAP and end three (3) years from the date on which HHS approves the Monitor Plan, as provided in paragraph VI.F.2. (“Compliance Term”); except that after the Compliance Term ends, MEEI shall still be obligated to: (a) submit the Annual Report for the final Reporting Period, as set forth in section VII.B.; and (b) comply with the document retention requirement set forth in section VIII. IV. Time In computing any period of time prescribed or allowed by this CAP, the day of the act, event, or default from which the designated period of time begins to run shall not be included. The last day of the period so computed shall be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day that is not one of the aforementioned days. V. Definitions For the purposes of this CAP, the following terms shall be interpreted as follows: “Portable devices” shall mean portable and/or mobile devices and external hardware that contain electronic protected health information (ePHI), store ePHI, or are used to access ePHI. “Workstation” means an electronic computing device, including portable devices such as a laptop, or any other device that performs similar functions, and electronic media stored in its immediate environment. A-2
VI. Corrective Action Obligations MEEI agrees to the following: A. Policies and Procedures 1. MEEI shall review its existing written policies, and shall revise and develop, as may be necessary, written policies and procedures (“Policies and Procedures”) to address the Covered Conduct specified in paragraph I.3. of the Agreement to comply with the Federal standards that govern the privacy and security of individually identifiable health information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Policies and Procedures shall include, but not be limited to, the minimum content set forth in section VI.C. 2. Within 120 days of the Effective Date, MEEI shall provide such Policies and Procedures, consistent with paragraph 1 above, to HHS for review and approval. Within 60 days upon receiving notice from HHS specifying any required changes to such Policies and Procedures, MEEI shall revise such Policies and Procedures accordingly, and provide the revised Policies and Procedures to HHS for review and approval. HHS’ approval shall not be unreasonably withheld. 3. Within 30 days of HHS’ approval of the Policies and Procedures, MEEI shall finalize and officially adopt its Policies and Procedures in accordance with its applicable administrative procedures. 4. MEEI shall assess, update, and revise, as may be necessary, the Policies and Procedures at least annually and more frequently if appropriate. MEEI shall provide such revised Policies and Procedures to HHS for review and approval. Within 60 days upon receiving notice from HHS specifying any required changes to such revised Policies and Procedures, MEEI shall revise such Policies and Procedures accordingly, and provide the revised Policies and Procedures to HHS for review and approval. HHS’ approval shall not be unreasonably withheld. Within 30 days of HHS’ approval of any substantive revisions, MEEI shall finalize and officially adopt such revised Policies and Procedures. B. Distribution of Policies and Procedures 1. Within 60 days of HHS’ approval of the Policies and Procedures in section VI.A. or HHS’ approval of any revised Policies and Procedures pursuant to paragraph VI.A.4., MEEI shall distribute such Policies and Procedures to all members of the workforce who have access to ePHI. MEEI shall distribute the Policies and Procedures to new members of the workforce within 15 days of the workforce members beginning service. 2. No later than the end of the period described in section VI.B.1. relating to distribution of the Policies and Procedures to existing and new workforce members, MEEI shall require a signed written or electronic compliance certification from all members of the workforce who have access to ePHI acknowledging that the workforce member has read, understands, and shall abide by such Policies and Procedures. A-3
3. Following the relevant periods described in section VI.B.1. relating to distribution of Policies and Procedures to existing and new workforce members, MEEI shall not permit any workforce member to access or use ePHI, until that workforce member has signed or provided the written or electronic compliance certification as required by paragraph VI.B.2. C. Minimum Content of the Policies and Procedures The Policies and Procedures shall, at a minimum, include: 1. Administrative, physical and technical safeguards for all portable devices that contain or are used to access MEEI ePHI that appropriately and reasonably ensure that such ePHI may be protected from any intentional or unintentional uses or disclosures in violation of the Privacy and/or Security Rules; 2. Provisions for conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of all MEEI ePHI, when it is created, received, maintained, used or transmitted using portable devices on or off-site; 3. Provisions for implementing security measures sufficient to reduce the risks and vulnerabilities identified by the risk analysis to a reasonable and appropriate level based on MEEI’s circumstances; 4. Provisions to identify the security official who is responsible for the development and implementation of the policies and procedures required by the Security Rule for MEEI; 5. Procedures for identifying and responding to security incidents; mitigating, to the extent practicable, harmful effects of security incidents; and documenting the security incidents and their outcomes; 6. Procedures that specify the proper functions to be performed using workstations that access MEEI ePHI, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstations that can access ePHI; 7. Provisions to track the receipt and removal of hardware and electronic media, including portable devices, that contain MEEI ePHI into and out of MEEI’s facility(s), and the movement of these items within MEEI’s facility(s); 8. Mechanism(s) to encrypt and decrypt portable devices that contain MEEI ePHI to allow access only to those persons or software programs that have been granted access rights; 9. Instructions and procedures that address permissible and impermissible uses and disclosures of MEEI ePHI accessed by or stored on portable devices; A-4
10. Procedures for applying appropriate sanctions against workforce members who fail to comply with these Policies and Procedures required in section VI.A. D. Workforce Compliance with Policies and Procedures 1. Reportable Events. Upon receiving information that a workforce member may have failed to comply with the Policies and Procedures required in section VI.A., MEEI shall promptly investigate the matter. If MEEI, after review and investigation, determines that a member of its workforce has failed to comply with the Policies and Procedures, MEEI shall notify in writing the Monitor (described in section VI.F.) within 60 days. Such violations shall be known as “Reportable Events.” The report to the Monitor shall include the following: a. A complete description of the event, including the relevant facts, the person(s) involved, and the provision(s) of the Policies and Procedures implicated; and b. A description of the actions taken and any further steps MEEI plans to take to address the matter, to mitigate any harm, and to prevent it from recurring, including the application of appropriate sanctions against workforce members who failed to comply with the Policies and Procedures. E. Training 1. Within 120 days of HHS’ approval of the Policies and Procedures required in section VI.A. or HHS’ approval of any revised Policies and Procedures pursuant to paragraph VI.A.4., MEEI shall provide training on the Policies and Procedures to all workforce members who have access to and use ePHI. The training required by this section may be incorporated into MEEI’s Information Security Awareness Training Program. MEEI shall provide such training to new workforce members who have access to and use ePHI, within 30 days of beginning service. 2. MEEI shall require that each workforce member who is required to attend training certify, in writing or in electronic form, that he or she has received the required training. The training certification shall specify the date training was completed. All course materials shall be retained in compliance with section VIII. 3. MEEI shall review the training annually, and update the training to reflect any new changes in Federal law or HHS guidance, revisions to the Policies and Procedures, or any issue(s) discovered during audits or reviews. 4. Following the date on which training must be completed as set forth above, MEEI shall not permit any workforce member to use or access ePHI until that workforce member has provided the training certification required by paragraph VI.E.2. A-5
F. Monitoring 1. Designation of Independent Monitor. Within 90 days of the Effective Date, MEEI shall designate an individual or entity to monitor and to review MEEI’s compliance with this CAP (“Monitor”). The Monitor must certify in writing that it has expertise in compliance with the Security Rule and is able to perform the reviews described below in a professionally independent fashion taking into account any other business relationships or other engagements that may exist. Within the above-referenced time period, MEEI shall submit the name and qualifications of the designated individual or entity to HHS for HHS’ approval. If HHS does not approve the designated individual or entity for HHS’ approval, the process above requiring MEEI to submit the name and qualifications of a designated individual or entity for HHS’ approval shall be repeated until HHS has approved a Monitor. Upon receiving such approval, MEEI shall enter into an engagement with the Monitor for the reviews specified in section VI.F.3. 2. Monitor Plan. Within 90 days of being approved for service by HHS, the Monitor shall submit to HHS and MEEI a written plan for HHS’ approval, describing with adequate detail, the Monitor’s plan for fulfilling the duties set forth in section VI.F. of this CAP (“Monitor Plan”). HHS may submit comments and recommended changes to the Monitor Plan. Within 30 days of the Monitor’s receipt of HHS’ comments and recommended changes, the Monitor shall make such changes to the Monitor Plan as HHS may reasonably have requested and submit the revised Monitor Plan to HHS. HHS shall inform MEEI and the Monitor of its approval or disapproval of the revised Monitor Plan within a reasonable time. The Monitor shall begin implementation of the Monitor Plan immediately after HHS approves the Monitor Plan. The Monitor shall review the Monitor Plan at least annually and shall provide HHS and MEEI with a copy of any revisions to the Monitor Plan within 10 days of the Monitor making such revisions. HHS shall have a reasonable opportunity to comment and make recommendations regarding any revisions or modifications at any time while this CAP is in effect. The Monitor shall make such changes to the revisions as HHS may reasonably request. 3. Description of Monitor Reviews. The Monitor shall assess and make specific determinations about MEEI’s compliance with the obligations of this CAP (“Monitor Reviews”). As a part of the Monitor’s review, the Monitor shall: a. perform unannounced site visits to the various MEEI facilities and departments (as determined in the Monitor Plan) at least two (2) times a year to determine if workforce members are complying with MEEI Policies and Procedures; b. interview workforce members and business associates as needed; and c. investigate reports of noncompliance with this CAP and review reports A-6
of Reportable Events. MEEI shall provide the Monitor with convenient, timely access to any workforce members, policies, procedures, audit records, or other items or information that the Monitor deems necessary for its review and performance of the Monitor’s duties. 4. Monitor Reports and Response. Within 180 days of the date HHS approves the Monitor Plan, and once every six (6) month period thereafter, the Monitor shall prepare a semi-annual report based on the reviews it has performed and provide such report to HHS and MEEI (“Monitor Reports”). MEEI shall prepare a response to the report and provide such response to HHS and the Monitor. The Monitor shall immediately report any significant violations of this CAP to HHS and MEEI. Within 10 days of receiving the Monitor’s report of a significant violation MEEI shall prepare a response, including a plan(s) of correction, and provide such response to HHS and the Monitor. 5. Monitor Review Document Retention. The Monitor and MEEI shall maintain and make available to HHS for inspection and copying, upon request, all work papers, supporting documentation, correspondence, and draft reports (those exchanged between the Monitor and MEEI) related to the Monitor Reviews. 6. Monitor Removal/Termination. If MEEI intends to terminate any Monitor during the course of the engagement, MEEI shall notify HHS and provide a written explanation of its reasons prior to the termination, unless exigent circumstances require immediate termination. Within 30 days of terminating the previous Monitor, MEEI must designate and engage a new Monitor, subject to approval by HHS, in accordance with paragraph VI.F.1. In the event HHS has reason to believe that a Monitor does not possess the expertise, independence, or objectivity required by this CAP, or has failed to carry out its responsibilities as set forth in this CAP, HHS may, at its sole discretion, require MEEI to designate and engage a new Monitor in accordance with paragraph VI.F.1. Prior to requiring MEEI to engage a new Monitor, HHS shall notify MEEI of its intent to do so and provide a written explanation of the reasons such a step is necessary. MEEI shall propose a new Monitor without unreasonable delay and shall designate a new Monitor, subject to approval by HHS, in accordance with section VI.F.1. 7. Validation Review. In the event HHS has reason to believe that (a) a Monitor Review or Monitor Report fails to conform to the requirements of this CAP; or (b) the Monitor Report is inaccurate, HHS may, at its sole discretion, conduct its own review to determine whether the Monitor Reviews or Report complied with the requirements of this CAP and/or are inaccurate (“Validation Review”). Prior to initiating a Validation Review, HHS shall notify MEEI of its intent to do so and provide a written explanation of the reasons such a review is necessary. To resolve any concerns raised by HHS, MEEI may request a meeting with HHS (a) to discuss any Monitor Reviews or Monitor Reports; (b) to present any additional or relevant A-7
information to clarify the results or to correct the inaccuracy of the Monitor Report; and/or (c) to propose alternatives to the proposed Validation Review. MEEI shall provide any additional information as may be requested by HHS under this section in an expedited manner. HHS will attempt in good faith to resolve any concerns with MEEI prior to conducting a Validation Review. However, the final determination as to whether or not to proceed with a Validation Review shall be made at the sole discretion of HHS. 8. The use of a Monitor does not affect HHS’ authority to investigate complaints, conduct compliance reviews or audits of MEEI’s responsibilities under 45 C.F.R. Part 160, Subpart C. VII. Implementation Report and Annual Reports A. Implementation Report. Within 120 days after receiving HHS’ approval of the Policies and Procedures required by section VI.A., MEEI shall submit a written report to HHS and the Monitor summarizing the status of its implementation of the obligations of this CAP (“Implementation Report”). The Implementation Report shall include: 1. An attestation signed by an officer of MEEI attesting that the Policies and Procedures required by section VI.A., (a) have been adopted; (b) are being implemented; (c) have been distributed to all appropriate members of the workforce in accordance with paragraph VI.B.1.; and (d) that MEEI obtained all the compliance certifications in accordance with paragraph VI.B.2.; 2. A copy of all training materials used for the training required by this CAP, a description of the training, including a summary of the topics covered, the length of the session(s) and a schedule of when the training session(s) were held; 3. An attestation signed by an officer of MEEI attesting that all members of the workforce identified in paragraph VI.E.1. have completed the initial training required by this CAP and have executed the training certifications required by paragraph VI.E.2.; 4. A copy of any engagement letters with the Monitor; 5. A copy of the certification from the Monitor regarding its professional independence from MEEI, as required by paragraph VI.F.1.; 6. An attestation signed by an officer of MEEI listing all of MEEI’s locations, the name under which each location is doing business, the corresponding mailing address, phone number and fax number for each location, and attesting that each location has complied with the obligations of this CAP; and 7. An attestation signed by an officer of MEEI stating that he or she has reviewed the Implementation Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful. A-8
B. Annual Reports. The one-year period after the Effective Date and each subsequent one-year period during the course of the Compliance Term shall be known as a “Reporting Period.” Within 60 days after each corresponding Reporting Period, MEEI shall annually submit a report to HHS and the Monitor regarding MEEI’s compliance with this CAP for each Reporting Period (“Annual Report”). The Annual Report shall include: 1. A copy of the schedule, topic outline, and training materials for the training programs provided during the Reporting Period that is the subject of the Annual Report; 2. An attestation signed by an officer of MEEI attesting that MEEI obtains and maintains written or electronic training certifications from all persons who are required to attend training under this CAP; 3. An attestation signed by an officer of MEEI attesting that any revision(s) to the Policies and Procedures under paragraphVI.A.4. were finalized and adopted within 30 days of HHS’ approval of the revision(s), which shall include a statement affirming that MEEI distributed the revised Policies and Procedures to all appropriate members of the workforce within 60 days of HHS’ approval of the revision(s), and a statement affirming that MEEI obtained all of the compliance certifications required by paragraph VI.B.2.; 4. A summary description of all engagements between MEEI and the Monitor, including, but not limited to, any outside financial audits or compliance program engagements, if different from what was submitted as part of the Monitor approval process provided for in section VI.F.; and 5. A summary of Reportable Events identified during the Reporting Period and the status of any corrective and preventative action(s) relating to all such Reportable Events. VIII. Document Retention The office(s) responsible for implementation of the obligations of the CAP shall maintain, for the individuals holding the titles set forth herein, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date. MEEI shall make available for inspection and copying all non-privileged documents and records relating to compliance with this CAP. If MEEI asserts a claim of privilege with respect to any document that HHS requests MEEI to make available for inspection and copying under this section, within a reasonable time of such request, MEEI shall prepare a log identifying the document and the type of privilege asserted (e.g., attorney-client privilege, attorney work product, patient confidentiality, or other privilege). MEEI shall make the log available to the Monitor, who shall provide it to HHS promptly upon request. A-9
IX. Breach Provisions MEEI is expected to fully and timely comply with all provisions contained in this CAP. A. Timely Written Requests for Extensions. MEEI may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act required by this CAP. A “timely written request” is defined as a request in writing received by HHS at least 5 days prior to the date such an act is required or due to be performed. B. Notice of Breach and Intent to Impose CMP. The Parties agree that a breach of this CAP by MEEI that has not been cured in accordance with section IX.C. below constitutes a breach of the Agreement. Upon a determination by HHS that MEEI has breached this CAP, HHS may notify MEEI of (1) MEEI’s breach and (2) HHS’ intent to impose a civil monetary penalty (CMP), pursuant to 45 C.F.R. Part 160, for the Covered Conduct set forth in paragraph I.3. of the Agreement and for any other conduct that constitutes a violation of the HIPAA Privacy and Security Rules (“Notice of Breach and Intent to Impose CMP”). C. MEEI Response. MEEI shall have 30 days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS’ satisfaction that: 1. MEEI is in compliance with the obligations of this CAP that HHS cited as the basis for the breach; 2. the alleged breach has been cured; or 3. the alleged breach cannot be cured within the 30-day period, but that: (a) MEEI has begun to take action to cure the breach; (b) MEEI is pursuing such action with due diligence; and (c) MEEI has provided to HHS a reasonable timetable for curing the breach. D. Imposition of CMP. If at the conclusion of the 30-day period, MEEI fails to meet the requirements of section IX.C. to HHS’ satisfaction, HHS may proceed with the imposition of the CMP against MEEI pursuant to 45 C.F.R. Part 160 for any violations of the Privacy and Security Rules related to the Covered Conduct set forth in paragraph I.3. of the Agreement and for any other act or failure to act that constitutes a violation of the HIPAA Privacy or Security Rules. HHS shall notify MEEI in writing of its determination to proceed with the imposition of a CMP. MEEI shall retain all of the rights and obligations specified under 45 C.F.R. Part 160, Subparts C through E, with respect to any determination by HHS that MEEI has violated the Privacy Rule or the Security Rule and with respect to the imposition of the CMP under this paragraph. A-10
For Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. ____________________________ ____________ John Fernandez Date President and Chief Executive Officer Massachusetts Eye and Ear Infirmary ____________________________ ____________ Joan Miller, M.D. Date President Massachusetts Eye and Ear Associates, Inc. For the United States Department of Health and Human Services ____________________________ _____________ Peter K. Chan Date Regional Manager, Region I Office for Civil Rights A-11

Empfohlen

Week Of 2009 08 31
Week Of 2009 08 31Week Of 2009 08 31
Week Of 2009 08 31mbarreto13
 
Cyber Crime & Law by Neeraj Aarora - Advocate-on-Record, Supreme Court,CISSP,...
Cyber Crime & Law by Neeraj Aarora - Advocate-on-Record, Supreme Court,CISSP,...Cyber Crime & Law by Neeraj Aarora - Advocate-on-Record, Supreme Court,CISSP,...
Cyber Crime & Law by Neeraj Aarora - Advocate-on-Record, Supreme Court,CISSP,...OWASP Delhi
 
False claims act lawyer
False claims act lawyerFalse claims act lawyer
False claims act lawyerwarrenbensonlawfirm
 
HIPAA breach report submitted to Congress by DHHS OCR
HIPAA breach report submitted to Congress by DHHS OCRHIPAA breach report submitted to Congress by DHHS OCR
HIPAA breach report submitted to Congress by DHHS OCRDavid Sweigert
 
TADA ACT & POTA ACT
TADA ACT & POTA ACTTADA ACT & POTA ACT
TADA ACT & POTA ACTRounakLahiri
 
Basic Data Privacy for Non Lawyers
Basic Data Privacy for Non LawyersBasic Data Privacy for Non Lawyers
Basic Data Privacy for Non LawyersJDP Consulting
 
SECURITY BREACH NOTIFICATION CHART 2013
SECURITY BREACH NOTIFICATION CHART 2013SECURITY BREACH NOTIFICATION CHART 2013
SECURITY BREACH NOTIFICATION CHART 2013- Mark - Fullbright
 
HONI HIPAA Breach Resolution Agreement
HONI HIPAA Breach Resolution AgreementHONI HIPAA Breach Resolution Agreement
HONI HIPAA Breach Resolution Agreementdata brackets
 

Empfohlen

Week Of 2009 08 31
Week Of 2009 08 31Week Of 2009 08 31
Week Of 2009 08 31mbarreto13
 
Cyber Crime & Law by Neeraj Aarora - Advocate-on-Record, Supreme Court,CISSP,...
Cyber Crime & Law by Neeraj Aarora - Advocate-on-Record, Supreme Court,CISSP,...Cyber Crime & Law by Neeraj Aarora - Advocate-on-Record, Supreme Court,CISSP,...
Cyber Crime & Law by Neeraj Aarora - Advocate-on-Record, Supreme Court,CISSP,...OWASP Delhi
 
False claims act lawyer
False claims act lawyerFalse claims act lawyer
False claims act lawyerwarrenbensonlawfirm
 
HIPAA breach report submitted to Congress by DHHS OCR
HIPAA breach report submitted to Congress by DHHS OCRHIPAA breach report submitted to Congress by DHHS OCR
HIPAA breach report submitted to Congress by DHHS OCRDavid Sweigert
 
TADA ACT & POTA ACT
TADA ACT & POTA ACTTADA ACT & POTA ACT
TADA ACT & POTA ACTRounakLahiri
 
Basic Data Privacy for Non Lawyers
Basic Data Privacy for Non LawyersBasic Data Privacy for Non Lawyers
Basic Data Privacy for Non LawyersJDP Consulting
 
SECURITY BREACH NOTIFICATION CHART 2013
SECURITY BREACH NOTIFICATION CHART 2013SECURITY BREACH NOTIFICATION CHART 2013
SECURITY BREACH NOTIFICATION CHART 2013- Mark - Fullbright
 
HONI HIPAA Breach Resolution Agreement
HONI HIPAA Breach Resolution AgreementHONI HIPAA Breach Resolution Agreement
HONI HIPAA Breach Resolution Agreementdata brackets
 
Shubhlaxmi enterprises
Shubhlaxmi enterprisesShubhlaxmi enterprises
Shubhlaxmi enterprisessudhir saboo
 
Navigating the Digital Landscape: 2011
Navigating the Digital Landscape: 2011Navigating the Digital Landscape: 2011
Navigating the Digital Landscape: 2011Charlie Ray
 
Watervliet Arsenal Newsletter: Salvo 31 May 2013
Watervliet Arsenal Newsletter: Salvo 31 May 2013Watervliet Arsenal Newsletter: Salvo 31 May 2013
Watervliet Arsenal Newsletter: Salvo 31 May 2013U.S. Army Watervliet Arsenal
 
RBA NYS Economic Survival Guide
RBA NYS Economic Survival GuideRBA NYS Economic Survival Guide
RBA NYS Economic Survival GuideUnshackle Upstate
 
Stonefly
StoneflyStonefly
StoneflyFrancesco Marcucci
 
Main
MainMain
MainShivram Lakshminarayanan
 
DHHS OCR data breach resolution agreement
DHHS OCR data breach resolution agreementDHHS OCR data breach resolution agreement
DHHS OCR data breach resolution agreementDavid Sweigert
 
Adult & Pediatric Dermatology, Corrective Action Plan
Adult & Pediatric Dermatology, Corrective Action PlanAdult & Pediatric Dermatology, Corrective Action Plan
Adult & Pediatric Dermatology, Corrective Action Plandata brackets
 
Qca agreement
Qca agreementQca agreement
Qca agreementdata brackets
 
Oregon Health & Science University HIPAA Fines
Oregon Health & Science University HIPAA FinesOregon Health & Science University HIPAA Fines
Oregon Health & Science University HIPAA Finesdata brackets
 
HIPAA Security Rule consent agreement with OCR
HIPAA Security Rule consent agreement with OCRHIPAA Security Rule consent agreement with OCR
HIPAA Security Rule consent agreement with OCRDavid Sweigert
 
Privacy and Data Security: Minimizing Reputational and Legal Risks
Privacy and Data Security: Minimizing Reputational and Legal RisksPrivacy and Data Security: Minimizing Reputational and Legal Risks
Privacy and Data Security: Minimizing Reputational and Legal RisksTechWell
 
Catholic Health Care Services Resolution Agreement
Catholic Health Care Services Resolution Agreement Catholic Health Care Services Resolution Agreement
Catholic Health Care Services Resolution Agreement data brackets
 
Catholic Health Care Services Resolution Agreement and Corrective Action Plan
Catholic Health Care Services Resolution Agreement and Corrective Action PlanCatholic Health Care Services Resolution Agreement and Corrective Action Plan
Catholic Health Care Services Resolution Agreement and Corrective Action PlanAlex Slaney
 
Group 5 Banking Laws Semi Finals.pptx
Group 5 Banking Laws Semi Finals.pptxGroup 5 Banking Laws Semi Finals.pptx
Group 5 Banking Laws Semi Finals.pptxStephenQuijano3
 
六合彩,香港六合彩 » SlideShare
六合彩,香港六合彩 » SlideShare六合彩,香港六合彩 » SlideShare
六合彩,香港六合彩 » SlideShareqsilytnc
 
香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideShareriguo
 
香港六合彩
香港六合彩香港六合彩
香港六合彩racbhe
 
香港六合彩-六合彩
香港六合彩-六合彩香港六合彩-六合彩
香港六合彩-六合彩eqhnwl
 
香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideShareyndadubf
 
香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideShareuoemnumu
 
香港六合彩
香港六合彩香港六合彩
香港六合彩mhffyol
 

Weitere ähnliche Inhalte

Andere mochten auch

Shubhlaxmi enterprises
Shubhlaxmi enterprisesShubhlaxmi enterprises
Shubhlaxmi enterprisessudhir saboo
 
Navigating the Digital Landscape: 2011
Navigating the Digital Landscape: 2011Navigating the Digital Landscape: 2011
Navigating the Digital Landscape: 2011Charlie Ray
 
RBA NYS Economic Survival Guide
RBA NYS Economic Survival GuideRBA NYS Economic Survival Guide
RBA NYS Economic Survival GuideUnshackle Upstate
 

Andere mochten auch (6)

Shubhlaxmi enterprises
Shubhlaxmi enterprisesShubhlaxmi enterprises
Shubhlaxmi enterprises
 
Navigating the Digital Landscape: 2011
Navigating the Digital Landscape: 2011Navigating the Digital Landscape: 2011
Navigating the Digital Landscape: 2011
 
Watervliet Arsenal Newsletter: Salvo 31 May 2013
Watervliet Arsenal Newsletter: Salvo 31 May 2013Watervliet Arsenal Newsletter: Salvo 31 May 2013
Watervliet Arsenal Newsletter: Salvo 31 May 2013
 
RBA NYS Economic Survival Guide
RBA NYS Economic Survival GuideRBA NYS Economic Survival Guide
RBA NYS Economic Survival Guide
 
Stonefly
StoneflyStonefly
Stonefly
 
Main
MainMain
Main
 

Ähnlich wie Massachusetts Eye and Ear Infirmary HIPAA Violation

DHHS OCR data breach resolution agreement
DHHS OCR data breach resolution agreementDHHS OCR data breach resolution agreement
DHHS OCR data breach resolution agreementDavid Sweigert
 
Adult & Pediatric Dermatology, Corrective Action Plan
Adult & Pediatric Dermatology, Corrective Action PlanAdult & Pediatric Dermatology, Corrective Action Plan
Adult & Pediatric Dermatology, Corrective Action Plandata brackets
 
Oregon Health & Science University HIPAA Fines
Oregon Health & Science University HIPAA FinesOregon Health & Science University HIPAA Fines
Oregon Health & Science University HIPAA Finesdata brackets
 
HIPAA Security Rule consent agreement with OCR
HIPAA Security Rule consent agreement with OCRHIPAA Security Rule consent agreement with OCR
HIPAA Security Rule consent agreement with OCRDavid Sweigert
 
Privacy and Data Security: Minimizing Reputational and Legal Risks
Privacy and Data Security: Minimizing Reputational and Legal RisksPrivacy and Data Security: Minimizing Reputational and Legal Risks
Privacy and Data Security: Minimizing Reputational and Legal RisksTechWell
 
Catholic Health Care Services Resolution Agreement
Catholic Health Care Services Resolution Agreement Catholic Health Care Services Resolution Agreement
Catholic Health Care Services Resolution Agreement data brackets
 
Catholic Health Care Services Resolution Agreement and Corrective Action Plan
Catholic Health Care Services Resolution Agreement and Corrective Action PlanCatholic Health Care Services Resolution Agreement and Corrective Action Plan
Catholic Health Care Services Resolution Agreement and Corrective Action PlanAlex Slaney
 
Group 5 Banking Laws Semi Finals.pptx
Group 5 Banking Laws Semi Finals.pptxGroup 5 Banking Laws Semi Finals.pptx
Group 5 Banking Laws Semi Finals.pptxStephenQuijano3
 
六合彩,香港六合彩 » SlideShare
六合彩,香港六合彩 » SlideShare六合彩,香港六合彩 » SlideShare
六合彩,香港六合彩 » SlideShareqsilytnc
 
香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideShareriguo
 
香港六合彩
香港六合彩香港六合彩
香港六合彩racbhe
 
香港六合彩-六合彩
香港六合彩-六合彩香港六合彩-六合彩
香港六合彩-六合彩eqhnwl
 
香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideShareyndadubf
 
香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideShareuoemnumu
 
香港六合彩
香港六合彩香港六合彩
香港六合彩mhffyol
 
Raleigh Orthopedic RA and CAP April 2016
Raleigh Orthopedic RA and CAP April 2016Raleigh Orthopedic RA and CAP April 2016
Raleigh Orthopedic RA and CAP April 2016data brackets
 
Raleigh Orthopedic RA and CAP April 2016
Raleigh Orthopedic RA and CAP April 2016Raleigh Orthopedic RA and CAP April 2016
Raleigh Orthopedic RA and CAP April 2016Alex Slaney
 
Acordo Comercial EUA e China
Acordo Comercial EUA e ChinaAcordo Comercial EUA e China
Acordo Comercial EUA e ChinaFábio Santos
 

Ähnlich wie Massachusetts Eye and Ear Infirmary HIPAA Violation (20)

DHHS OCR data breach resolution agreement
DHHS OCR data breach resolution agreementDHHS OCR data breach resolution agreement
DHHS OCR data breach resolution agreement
 
Adult & Pediatric Dermatology, Corrective Action Plan
Adult & Pediatric Dermatology, Corrective Action PlanAdult & Pediatric Dermatology, Corrective Action Plan
Adult & Pediatric Dermatology, Corrective Action Plan
 
Qca agreement
Qca agreementQca agreement
Qca agreement
 
Oregon Health & Science University HIPAA Fines
Oregon Health & Science University HIPAA FinesOregon Health & Science University HIPAA Fines
Oregon Health & Science University HIPAA Fines
 
HIPAA Security Rule consent agreement with OCR
HIPAA Security Rule consent agreement with OCRHIPAA Security Rule consent agreement with OCR
HIPAA Security Rule consent agreement with OCR
 
Privacy and Data Security: Minimizing Reputational and Legal Risks
Privacy and Data Security: Minimizing Reputational and Legal RisksPrivacy and Data Security: Minimizing Reputational and Legal Risks
Privacy and Data Security: Minimizing Reputational and Legal Risks
 
Catholic Health Care Services Resolution Agreement
Catholic Health Care Services Resolution Agreement Catholic Health Care Services Resolution Agreement
Catholic Health Care Services Resolution Agreement
 
Catholic Health Care Services Resolution Agreement and Corrective Action Plan
Catholic Health Care Services Resolution Agreement and Corrective Action PlanCatholic Health Care Services Resolution Agreement and Corrective Action Plan
Catholic Health Care Services Resolution Agreement and Corrective Action Plan
 
Group 5 Banking Laws Semi Finals.pptx
Group 5 Banking Laws Semi Finals.pptxGroup 5 Banking Laws Semi Finals.pptx
Group 5 Banking Laws Semi Finals.pptx
 
六合彩,香港六合彩 » SlideShare
六合彩,香港六合彩 » SlideShare六合彩,香港六合彩 » SlideShare
六合彩,香港六合彩 » SlideShare
 
香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideShare
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
香港六合彩-六合彩
香港六合彩-六合彩香港六合彩-六合彩
香港六合彩-六合彩
 
香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideShare
 
香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideShare
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
Raleigh Orthopedic RA and CAP April 2016
Raleigh Orthopedic RA and CAP April 2016Raleigh Orthopedic RA and CAP April 2016
Raleigh Orthopedic RA and CAP April 2016
 
Raleigh Orthopedic RA and CAP April 2016
Raleigh Orthopedic RA and CAP April 2016Raleigh Orthopedic RA and CAP April 2016
Raleigh Orthopedic RA and CAP April 2016
 
The Protection of Personal Information Act 4 of 2013
The Protection of Personal Information Act 4 of 2013The Protection of Personal Information Act 4 of 2013
The Protection of Personal Information Act 4 of 2013
 
Acordo Comercial EUA e China
Acordo Comercial EUA e ChinaAcordo Comercial EUA e China
Acordo Comercial EUA e China
 

Mehr von data brackets

Presence Health Resolution Agreement with OCR
Presence Health Resolution Agreement with OCRPresence Health Resolution Agreement with OCR
Presence Health Resolution Agreement with OCRdata brackets
 
NYP RA and Cap april 2016
NYP RA and Cap april 2016 NYP RA and Cap april 2016
NYP RA and Cap april 2016 data brackets
 
NYP RA and CAP april 2016
NYP RA and CAP april 2016 NYP RA and CAP april 2016
NYP RA and CAP april 2016 data brackets
 
HIPAA Violation Fines: North memorial Hospistal Settlement
HIPAA Violation Fines: North memorial Hospistal Settlement HIPAA Violation Fines: North memorial Hospistal Settlement
HIPAA Violation Fines: North memorial Hospistal Settlement data brackets
 
Prepayment Audit Suggested Documentation
Prepayment Audit Suggested DocumentationPrepayment Audit Suggested Documentation
Prepayment Audit Suggested Documentationdata brackets
 
Lincare HIPAA remediated decision by administrative judge
Lincare HIPAA remediated decision by administrative judgeLincare HIPAA remediated decision by administrative judge
Lincare HIPAA remediated decision by administrative judgedata brackets
 
Lincare HIPAA Notice of Proposed Determination remediated
Lincare HIPAA Notice of Proposed Determination remediatedLincare HIPAA Notice of Proposed Determination remediated
Lincare HIPAA Notice of Proposed Determination remediateddata brackets
 
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and ...
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and ...Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and ...
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and ...data brackets
 
Office of Inspector General Study on OCR's HIPAA audit program
Office of Inspector General Study on OCR's HIPAA audit programOffice of Inspector General Study on OCR's HIPAA audit program
Office of Inspector General Study on OCR's HIPAA audit programdata brackets
 
Cancer Care Group HIPAA Settlement Agreement
Cancer Care Group HIPAA Settlement AgreementCancer Care Group HIPAA Settlement Agreement
Cancer Care Group HIPAA Settlement Agreementdata brackets
 
Parkview HIPAA Settlement - Resolution Agreement
Parkview HIPAA Settlement - Resolution AgreementParkview HIPAA Settlement - Resolution Agreement
Parkview HIPAA Settlement - Resolution Agreementdata brackets
 
HIPAA Settlement New York Presbyterian and Columbia Universtiy
HIPAA Settlement New York Presbyterian and Columbia UniverstiyHIPAA Settlement New York Presbyterian and Columbia Universtiy
HIPAA Settlement New York Presbyterian and Columbia Universtiydata brackets
 
Skagit county- HIPAA violation settlement agreement with HHS
Skagit county- HIPAA violation settlement agreement with HHSSkagit county- HIPAA violation settlement agreement with HHS
Skagit county- HIPAA violation settlement agreement with HHSdata brackets
 
EHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentEHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentdata brackets
 
OCR HHS HIPAA HITECH Audit Advisory Template
OCR HHS HIPAA HITECH Audit Advisory TemplateOCR HHS HIPAA HITECH Audit Advisory Template
OCR HHS HIPAA HITECH Audit Advisory Templatedata brackets
 
HIPAA HITECH Compliance Assurance Template
HIPAA HITECH Compliance Assurance TemplateHIPAA HITECH Compliance Assurance Template
HIPAA HITECH Compliance Assurance Templatedata brackets
 
Trends and Career Opportunities in Health IT
Trends and Career Opportunities in Health ITTrends and Career Opportunities in Health IT
Trends and Career Opportunities in Health ITdata brackets
 

Mehr von data brackets (20)

Presence Health Resolution Agreement with OCR
Presence Health Resolution Agreement with OCRPresence Health Resolution Agreement with OCR
Presence Health Resolution Agreement with OCR
 
NYP RA and Cap april 2016
NYP RA and Cap april 2016 NYP RA and Cap april 2016
NYP RA and Cap april 2016
 
NYP RA and CAP april 2016
NYP RA and CAP april 2016 NYP RA and CAP april 2016
NYP RA and CAP april 2016
 
HIPAA Violation Fines: North memorial Hospistal Settlement
HIPAA Violation Fines: North memorial Hospistal Settlement HIPAA Violation Fines: North memorial Hospistal Settlement
HIPAA Violation Fines: North memorial Hospistal Settlement
 
Prepayment Audit Suggested Documentation
Prepayment Audit Suggested DocumentationPrepayment Audit Suggested Documentation
Prepayment Audit Suggested Documentation
 
Lincare HIPAA remediated decision by administrative judge
Lincare HIPAA remediated decision by administrative judgeLincare HIPAA remediated decision by administrative judge
Lincare HIPAA remediated decision by administrative judge
 
Lincare HIPAA Notice of Proposed Determination remediated
Lincare HIPAA Notice of Proposed Determination remediatedLincare HIPAA Notice of Proposed Determination remediated
Lincare HIPAA Notice of Proposed Determination remediated
 
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and ...
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and ...Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and ...
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and ...
 
Office of Inspector General Study on OCR's HIPAA audit program
Office of Inspector General Study on OCR's HIPAA audit programOffice of Inspector General Study on OCR's HIPAA audit program
Office of Inspector General Study on OCR's HIPAA audit program
 
Cancer Care Group HIPAA Settlement Agreement
Cancer Care Group HIPAA Settlement AgreementCancer Care Group HIPAA Settlement Agreement
Cancer Care Group HIPAA Settlement Agreement
 
Parkview HIPAA Settlement - Resolution Agreement
Parkview HIPAA Settlement - Resolution AgreementParkview HIPAA Settlement - Resolution Agreement
Parkview HIPAA Settlement - Resolution Agreement
 
HIPAA Settlement New York Presbyterian and Columbia Universtiy
HIPAA Settlement New York Presbyterian and Columbia UniverstiyHIPAA Settlement New York Presbyterian and Columbia Universtiy
HIPAA Settlement New York Presbyterian and Columbia Universtiy
 
Concentra agreement
Concentra agreementConcentra agreement
Concentra agreement
 
Skagit county- HIPAA violation settlement agreement with HHS
Skagit county- HIPAA violation settlement agreement with HHSSkagit county- HIPAA violation settlement agreement with HHS
Skagit county- HIPAA violation settlement agreement with HHS
 
EHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentEHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample document
 
Affinity agreement
Affinity agreementAffinity agreement
Affinity agreement
 
Shasta agreement
Shasta agreementShasta agreement
Shasta agreement
 
OCR HHS HIPAA HITECH Audit Advisory Template
OCR HHS HIPAA HITECH Audit Advisory TemplateOCR HHS HIPAA HITECH Audit Advisory Template
OCR HHS HIPAA HITECH Audit Advisory Template
 
HIPAA HITECH Compliance Assurance Template
HIPAA HITECH Compliance Assurance TemplateHIPAA HITECH Compliance Assurance Template
HIPAA HITECH Compliance Assurance Template
 
Trends and Career Opportunities in Health IT
Trends and Career Opportunities in Health ITTrends and Career Opportunities in Health IT
Trends and Career Opportunities in Health IT
 

Kürzlich hochgeladen

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 

Kürzlich hochgeladen (20)

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

Massachusetts Eye and Ear Infirmary HIPAA Violation

  • 1. RESOLUTION AGREEMENT I. Recitals 1. Parties. The Parties to this Resolution Agreement (“Agreement”) are the United States Department of Health and Human Services, Office for Civil Rights (“HHS”), and the Massachusetts Eye and Ear Infirmary (“MEEI”) and Massachusetts Eye and Ear Associates, Inc. (“MEEA”). MEEI and MEEA (hereinafter collectively referred to as “MEEI”), each of which is a nonprofit corporation organized under the laws of and operating in The Commonwealth of Massachusetts, are affiliated by common ownership or control as a single covered entity under the Privacy Rule, 45 C.F.R. § 164.105(b). HHS and MEEI shall together be referred to herein as the “Parties.” 2. Authority of HHS HHS enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”) and the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”). HHS has the authority to conduct investigations of complaints alleging violations of the Privacy and Security Rules by covered entities, and covered entities must cooperate with HHS’ investigation. 45 C.F.R. §160.306(c) and §160.310(b). 3. Factual Background and Covered Conduct On April 21, 2010, HHS received notification from MEEI regarding a breach of its unsecured electronic protected health information (ePHI). On October 5, 2010, HHS notified MEEI of its investigation regarding MEEI’s compliance with the Privacy, Security, and Breach Notification Rules. HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”): (1) MEEI did not demonstrate that it conducted a thorough analysis of the risk to the confidentiality of ePHI on an on-going basis as part of its security management process from the compliance date of the Security Rule to October 29, 2009. In particular, MEEI did not fully evaluate the likelihood and impact of potential risks to the confidentiality of ePHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an on-going basis reasonable and appropriate security measures. (2) MEEI’s security measures were not sufficient to ensure the confidentiality of ePHI that it created, maintained, and transmitted 1
  • 2. using portable devices to a reasonable and appropriate level from the compliance date of the Security Rule to May 17, 2010. (3) MEEI did not adequately adopt or implement policies and procedures to address security incident identification, reporting, and response from the compliance date of the Security Rule to March 8, 2010. (4) MEEI did not adequately adopt or implement policies and procedures to restrict access to authorized users for portable devices that access ePHI or to provide it with a reasonable means of knowing whether or what type of portable devices were being used to access its network from the compliance date of the Security Rule to March 8, 2010. (5) MEEI did not adequately adopt or implement policies and procedures governing the receipt and removal of portable devices into, out of, and within the facility from the compliance date of the Security Rule to May 17, 2010. MEEI had no reasonable means of tracking non-MEEI owned portable media devices containing its ePHI into and out of its facility, or the movement of these devices within the facility. (6) MEEI did not adequately adopt or implement technical policies and procedures to allow access to ePHI using portable devices only to authorized persons or software programs from the compliance date of the Security Rule to June 15, 2010. MEEI did not implement an equivalent, reasonable, and appropriate alternative measure to encryption that would have ensured confidentiality of its ePHI or document the rationale supporting the decision not to encrypt. 4. No Admission. This Agreement is not an admission, concession, or evidence of liability or wrongdoing by MEEI or of any fact or any violation of any law, rule, or regulation, including any violation of HIPAA or the Privacy Rule. This Agreement is made without trial or adjudication of any alleged issue of fact or law and without any finding of liability of any kind, and MEEI’s agreement to undertake any obligation under this Agreement shall not be construed as an admission of any kind. 5. No Concession. This Agreement is not a concession by HHS that MEEI is not in violation of the Privacy or Security Rules and that MEEI is not liable for civil money penalties. 6. Intention of Parties to Effect Resolution. This Agreement is intended to resolve OCR Complaint No. 10-111355, and any violations of the HIPAA Privacy and Security Rules related to the Covered Conduct specified in paragraph I.3.of this Agreement. In consideration of the Parties’ interest in avoiding the uncertainty, burden and expense of further investigation and formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below. 2
  • 3. II. Terms and Conditions 7. Payment. MEEI agrees to pay HHS the aggregate amount of $1,500,000 (the “Resolution Amount”). MEEI shall pay the first installment of $500,000 on October 15, 2012. MEEI shall pay the second installment of $500,000 on October 15, 2013. MEEI shall pay the third installment of $500,000 on October 15, 2014. Each of these payments shall be paid by electronic funds transfer pursuant to written instructions to be provided by HHS. 8. Failure to Pay Resolution Amount. The failure to make any installment payment of the Resolution Amount on the date set forth above in paragraph II.7. shall be deemed a breach of this Agreement. Upon a determination by HHS that MEEI failed to timely pay any payment, HHS may notify MEEI of MEEI’s breach and HHS’ intent to impose a Civil Monetary Penalty (“CMP”), pursuant to 45 C.F.R. Part 160, for violations of the HIPAA Privacy and Security Rules related to the Covered Conduct set forth in section I.3. of this Agreement (“Notice of Breach for Failure to Pay Resolution Amount and Intent to Impose CMP”). MEEI shall have 30 days from the date of its receipt of the Notice of Breach and Intent to Impose CMP to either: (a) make the requisite installment payment or (b) demonstrate to HHS’ satisfaction that MEEI made the requisite installment payment. If at the conclusion of the 30-day period, MEEI does not make the payment or otherwise demonstrate that it made the payment to HHS’ satisfaction, HHS may proceed with the imposition of a CMP against MEEI, pursuant to 45 C.F.R. Part 160, for any violations of the Privacy and Security Rules related to the Covered Conduct set forth in paragraph I.3. of this Agreement. HHS shall notify MEEI in writing of its determination to proceed with the imposition of a CMP. MEEI shall retain all of the rights and obligations specified under 45 C.F.R. Part 160, Subparts C through E, with respect to any determination by HHS that MEEI has violated the Privacy Rule or the Security Rule and with respect to the imposition of the CMP under this paragraph. 9. Corrective Action Plan. MEEI has entered into and agrees to comply with the Corrective Action Plan (“CAP”), attached as Appendix A, which is incorporated into this Agreement by reference. If MEEI breaches the CAP, and fails to cure the breach as set forth in the CAP, then MEEI will be in breach of this Agreement and HHS will not be subject to the terms and conditions in the Release set forth in paragraph 10 of this Agreement. 10. Release by HHS. In consideration of and conditioned upon MEEI’s performance of its obligations under this Agreement, HHS releases MEEI and its successors, transferees, assigns, subsidiaries, members, agents, directors, officers, affiliates and employees, from any actions it has or may have against MEEI under the Privacy and Security Rules arising out of or related to the Covered Conduct specified in paragraph I.3. of this Agreement. HHS does not release MEEI from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the 3
  • 4. Covered Conduct and referred to in this paragraph. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6. 11. Agreement by Released Party. MEEI shall not contest the validity of its obligation to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. MEEI waives all procedural rights granted under section 1128A of the Social Security Act (42 U.S.C. § 1320a-7a), 45 C.F.R. Part 160, Subpart E; and HHS Claims Collection provisions, 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount. 12. Binding on Successors. This Agreement is binding on MEEI and its successors, heirs, transferees, and assigns. 13. Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement. 14. No Additional Releases. This Agreement is intended to be for the benefit of the Parties only, and by this instrument the Parties do not release any claims against any other person or entity. 15. Effect of Agreement. This Agreement constitutes the complete agreement between the Parties. All material representations, understandings, and promises of the Parties are contained in this Agreement. Any modifications to this Agreement must be set forth in writing and signed by both Parties. Neither MEEI nor HHS intend that this Agreement shall be used as any basis for the denial of any license, authorization, approval, or consent that MEEI may require under any law, rule, or regulation. 16. Execution of Agreement and Effective Date. The Agreement shall become effective (i.e., final and binding) on the date that both Parties sign this Agreement and the CAP (“Effective Date”). 17. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a CMP must be imposed within six (6) years from the date of the occurrence of the violation. To ensure that this six-year period does not expire during the term of this Agreement, MEEI agrees that the time between the Effective Date of this Agreement and the date this Resolution Agreement may be terminated by reason of MEEI’s breach, plus one year thereafter, will not be included in calculating the six (6) year statute of limitations applicable to the violations which are the subject of this Agreement. MEEI waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the Covered Conduct specified in paragraph I.3. that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Agreement. 4
  • 5. 18. Disclosure. HHS places no restriction on the publication of the Agreement. This Agreement and information related to this Agreement may be made public by either party. In addition, HHS may be required to disclose this Agreement and related material to any person upon request consistent with the applicable provisions of the Freedom of Information Act (FOIA), 5 U.S.C. § 552, and its implementing regulations, 45 C.F.R. Part 5; provided, however, that HHS will use its best efforts to prevent the disclosure of information, documents, and any other item produced by MEEI to HHS as part of HHS’ review, to the extent such items constitute trade secrets and/or confidential commercial or financial information that is exempt from turnover in response to a FOIA request under 5 C.F.R. § 5.65, or any other applicable exemption under FOIA and its implementing regulations. 19. Execution in Counterparts. This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement. 20. Authorizations. The individuals signing this Agreement on behalf of MEEI represent and warrant that they are authorized by MEEI to execute this Agreement. The individual signing this Agreement on behalf of HHS represents and warrants that he is signing this Agreement in his official capacity and that he is authorized to execute this Agreement. For Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. _____//s//_________________________ ___9/13/2012____ John Fernandez Date President and Chief Executive Officer Massachusetts Eye and Ear Infirmary ____//s//________________________ __9/13/2012____ Joan Miller, M.D. Date President Massachusetts Eye and Ear Associates, Inc. 5
  • 6. For the United States Department of Health and Human Services ____//s//___________ ____9/13/2012________ Peter K. Chan Date Regional Manager, Region I Office for Civil Rights 6
  • 7. Appendix A CORRECTIVE ACTION PLAN BETWEEN THE DEPARTMENT OF HEALTH AND HUMAN SERVICES AND MASSACHUSETTS EYE AND EAR INFIRMARY AND MASSACHUSETTS EYE AND EAR ASSOCIATES, INC. I. Preamble Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (hereinafter collectively referred to as “MEEI”) hereby enters into this Corrective Action Plan (“CAP”) with the United States Department of Health and Human Services, Office for Civil Rights (“HHS”). Contemporaneously with this CAP, MEEI is entering into a Resolution Agreement (“Agreement”) with HHS, and this CAP is incorporated by reference into the Agreement as Appendix A. MEEI enters into this CAP as part of the consideration for the release set forth in paragraph 10 of the Agreement. II. Contact Persons and Submissions A. Contact Persons MEEI has identified the following individual as its authorized representative and contact person regarding the implementation of this CAP and for receipt and submission of notifications and reports: Mr. Rick King Compliance and Privacy Officer Massachusetts Eye and Ear Infirmary 243 Charles Street Boston, MA 02114-3096 Rick_King@meei.harvard.edu Telephone: 617-391-5892 Facsimile: 617-391-5890 HHS has identified the following individual as its contact person with whom MEEI is to report information regarding the implementation of this CAP: Ms. Susan Rhodes, Deputy Regional Manager Office for Civil Rights, Region I Department of Health and Human Services A-1
  • 8. JFK Federal Building, Room 1875 Boston, MA 02203 Susan.Rhodes@hhs.gov Telephone: 617-565-1347 Facsimile: 617-565-3809 MEEI and HHS agree to promptly notify each other of any changes in the contact persons or the other information provided above. B. Proof of Submissions. Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including certified mail, overnight mail, or hand delivery, provided that there is proof that such notification was received. For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt. III. Effective Date and Term of CAP The Effective Date for this CAP shall be calculated in accordance with paragraph 16 of the Agreement (“Effective Date”). The period for compliance with the obligations assumed by MEEI under this CAP shall begin on the Effective Date of this CAP and end three (3) years from the date on which HHS approves the Monitor Plan, as provided in paragraph VI.F.2. (“Compliance Term”); except that after the Compliance Term ends, MEEI shall still be obligated to: (a) submit the Annual Report for the final Reporting Period, as set forth in section VII.B.; and (b) comply with the document retention requirement set forth in section VIII. IV. Time In computing any period of time prescribed or allowed by this CAP, the day of the act, event, or default from which the designated period of time begins to run shall not be included. The last day of the period so computed shall be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day that is not one of the aforementioned days. V. Definitions For the purposes of this CAP, the following terms shall be interpreted as follows: “Portable devices” shall mean portable and/or mobile devices and external hardware that contain electronic protected health information (ePHI), store ePHI, or are used to access ePHI. “Workstation” means an electronic computing device, including portable devices such as a laptop, or any other device that performs similar functions, and electronic media stored in its immediate environment. A-2
  • 9. VI. Corrective Action Obligations MEEI agrees to the following: A. Policies and Procedures 1. MEEI shall review its existing written policies, and shall revise and develop, as may be necessary, written policies and procedures (“Policies and Procedures”) to address the Covered Conduct specified in paragraph I.3. of the Agreement to comply with the Federal standards that govern the privacy and security of individually identifiable health information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Policies and Procedures shall include, but not be limited to, the minimum content set forth in section VI.C. 2. Within 120 days of the Effective Date, MEEI shall provide such Policies and Procedures, consistent with paragraph 1 above, to HHS for review and approval. Within 60 days upon receiving notice from HHS specifying any required changes to such Policies and Procedures, MEEI shall revise such Policies and Procedures accordingly, and provide the revised Policies and Procedures to HHS for review and approval. HHS’ approval shall not be unreasonably withheld. 3. Within 30 days of HHS’ approval of the Policies and Procedures, MEEI shall finalize and officially adopt its Policies and Procedures in accordance with its applicable administrative procedures. 4. MEEI shall assess, update, and revise, as may be necessary, the Policies and Procedures at least annually and more frequently if appropriate. MEEI shall provide such revised Policies and Procedures to HHS for review and approval. Within 60 days upon receiving notice from HHS specifying any required changes to such revised Policies and Procedures, MEEI shall revise such Policies and Procedures accordingly, and provide the revised Policies and Procedures to HHS for review and approval. HHS’ approval shall not be unreasonably withheld. Within 30 days of HHS’ approval of any substantive revisions, MEEI shall finalize and officially adopt such revised Policies and Procedures. B. Distribution of Policies and Procedures 1. Within 60 days of HHS’ approval of the Policies and Procedures in section VI.A. or HHS’ approval of any revised Policies and Procedures pursuant to paragraph VI.A.4., MEEI shall distribute such Policies and Procedures to all members of the workforce who have access to ePHI. MEEI shall distribute the Policies and Procedures to new members of the workforce within 15 days of the workforce members beginning service. 2. No later than the end of the period described in section VI.B.1. relating to distribution of the Policies and Procedures to existing and new workforce members, MEEI shall require a signed written or electronic compliance certification from all members of the workforce who have access to ePHI acknowledging that the workforce member has read, understands, and shall abide by such Policies and Procedures. A-3
  • 10. 3. Following the relevant periods described in section VI.B.1. relating to distribution of Policies and Procedures to existing and new workforce members, MEEI shall not permit any workforce member to access or use ePHI, until that workforce member has signed or provided the written or electronic compliance certification as required by paragraph VI.B.2. C. Minimum Content of the Policies and Procedures The Policies and Procedures shall, at a minimum, include: 1. Administrative, physical and technical safeguards for all portable devices that contain or are used to access MEEI ePHI that appropriately and reasonably ensure that such ePHI may be protected from any intentional or unintentional uses or disclosures in violation of the Privacy and/or Security Rules; 2. Provisions for conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of all MEEI ePHI, when it is created, received, maintained, used or transmitted using portable devices on or off-site; 3. Provisions for implementing security measures sufficient to reduce the risks and vulnerabilities identified by the risk analysis to a reasonable and appropriate level based on MEEI’s circumstances; 4. Provisions to identify the security official who is responsible for the development and implementation of the policies and procedures required by the Security Rule for MEEI; 5. Procedures for identifying and responding to security incidents; mitigating, to the extent practicable, harmful effects of security incidents; and documenting the security incidents and their outcomes; 6. Procedures that specify the proper functions to be performed using workstations that access MEEI ePHI, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstations that can access ePHI; 7. Provisions to track the receipt and removal of hardware and electronic media, including portable devices, that contain MEEI ePHI into and out of MEEI’s facility(s), and the movement of these items within MEEI’s facility(s); 8. Mechanism(s) to encrypt and decrypt portable devices that contain MEEI ePHI to allow access only to those persons or software programs that have been granted access rights; 9. Instructions and procedures that address permissible and impermissible uses and disclosures of MEEI ePHI accessed by or stored on portable devices; A-4
  • 11. 10. Procedures for applying appropriate sanctions against workforce members who fail to comply with these Policies and Procedures required in section VI.A. D. Workforce Compliance with Policies and Procedures 1. Reportable Events. Upon receiving information that a workforce member may have failed to comply with the Policies and Procedures required in section VI.A., MEEI shall promptly investigate the matter. If MEEI, after review and investigation, determines that a member of its workforce has failed to comply with the Policies and Procedures, MEEI shall notify in writing the Monitor (described in section VI.F.) within 60 days. Such violations shall be known as “Reportable Events.” The report to the Monitor shall include the following: a. A complete description of the event, including the relevant facts, the person(s) involved, and the provision(s) of the Policies and Procedures implicated; and b. A description of the actions taken and any further steps MEEI plans to take to address the matter, to mitigate any harm, and to prevent it from recurring, including the application of appropriate sanctions against workforce members who failed to comply with the Policies and Procedures. E. Training 1. Within 120 days of HHS’ approval of the Policies and Procedures required in section VI.A. or HHS’ approval of any revised Policies and Procedures pursuant to paragraph VI.A.4., MEEI shall provide training on the Policies and Procedures to all workforce members who have access to and use ePHI. The training required by this section may be incorporated into MEEI’s Information Security Awareness Training Program. MEEI shall provide such training to new workforce members who have access to and use ePHI, within 30 days of beginning service. 2. MEEI shall require that each workforce member who is required to attend training certify, in writing or in electronic form, that he or she has received the required training. The training certification shall specify the date training was completed. All course materials shall be retained in compliance with section VIII. 3. MEEI shall review the training annually, and update the training to reflect any new changes in Federal law or HHS guidance, revisions to the Policies and Procedures, or any issue(s) discovered during audits or reviews. 4. Following the date on which training must be completed as set forth above, MEEI shall not permit any workforce member to use or access ePHI until that workforce member has provided the training certification required by paragraph VI.E.2. A-5
  • 12. F. Monitoring 1. Designation of Independent Monitor. Within 90 days of the Effective Date, MEEI shall designate an individual or entity to monitor and to review MEEI’s compliance with this CAP (“Monitor”). The Monitor must certify in writing that it has expertise in compliance with the Security Rule and is able to perform the reviews described below in a professionally independent fashion taking into account any other business relationships or other engagements that may exist. Within the above-referenced time period, MEEI shall submit the name and qualifications of the designated individual or entity to HHS for HHS’ approval. If HHS does not approve the designated individual or entity for HHS’ approval, the process above requiring MEEI to submit the name and qualifications of a designated individual or entity for HHS’ approval shall be repeated until HHS has approved a Monitor. Upon receiving such approval, MEEI shall enter into an engagement with the Monitor for the reviews specified in section VI.F.3. 2. Monitor Plan. Within 90 days of being approved for service by HHS, the Monitor shall submit to HHS and MEEI a written plan for HHS’ approval, describing with adequate detail, the Monitor’s plan for fulfilling the duties set forth in section VI.F. of this CAP (“Monitor Plan”). HHS may submit comments and recommended changes to the Monitor Plan. Within 30 days of the Monitor’s receipt of HHS’ comments and recommended changes, the Monitor shall make such changes to the Monitor Plan as HHS may reasonably have requested and submit the revised Monitor Plan to HHS. HHS shall inform MEEI and the Monitor of its approval or disapproval of the revised Monitor Plan within a reasonable time. The Monitor shall begin implementation of the Monitor Plan immediately after HHS approves the Monitor Plan. The Monitor shall review the Monitor Plan at least annually and shall provide HHS and MEEI with a copy of any revisions to the Monitor Plan within 10 days of the Monitor making such revisions. HHS shall have a reasonable opportunity to comment and make recommendations regarding any revisions or modifications at any time while this CAP is in effect. The Monitor shall make such changes to the revisions as HHS may reasonably request. 3. Description of Monitor Reviews. The Monitor shall assess and make specific determinations about MEEI’s compliance with the obligations of this CAP (“Monitor Reviews”). As a part of the Monitor’s review, the Monitor shall: a. perform unannounced site visits to the various MEEI facilities and departments (as determined in the Monitor Plan) at least two (2) times a year to determine if workforce members are complying with MEEI Policies and Procedures; b. interview workforce members and business associates as needed; and c. investigate reports of noncompliance with this CAP and review reports A-6
  • 13. of Reportable Events. MEEI shall provide the Monitor with convenient, timely access to any workforce members, policies, procedures, audit records, or other items or information that the Monitor deems necessary for its review and performance of the Monitor’s duties. 4. Monitor Reports and Response. Within 180 days of the date HHS approves the Monitor Plan, and once every six (6) month period thereafter, the Monitor shall prepare a semi-annual report based on the reviews it has performed and provide such report to HHS and MEEI (“Monitor Reports”). MEEI shall prepare a response to the report and provide such response to HHS and the Monitor. The Monitor shall immediately report any significant violations of this CAP to HHS and MEEI. Within 10 days of receiving the Monitor’s report of a significant violation MEEI shall prepare a response, including a plan(s) of correction, and provide such response to HHS and the Monitor. 5. Monitor Review Document Retention. The Monitor and MEEI shall maintain and make available to HHS for inspection and copying, upon request, all work papers, supporting documentation, correspondence, and draft reports (those exchanged between the Monitor and MEEI) related to the Monitor Reviews. 6. Monitor Removal/Termination. If MEEI intends to terminate any Monitor during the course of the engagement, MEEI shall notify HHS and provide a written explanation of its reasons prior to the termination, unless exigent circumstances require immediate termination. Within 30 days of terminating the previous Monitor, MEEI must designate and engage a new Monitor, subject to approval by HHS, in accordance with paragraph VI.F.1. In the event HHS has reason to believe that a Monitor does not possess the expertise, independence, or objectivity required by this CAP, or has failed to carry out its responsibilities as set forth in this CAP, HHS may, at its sole discretion, require MEEI to designate and engage a new Monitor in accordance with paragraph VI.F.1. Prior to requiring MEEI to engage a new Monitor, HHS shall notify MEEI of its intent to do so and provide a written explanation of the reasons such a step is necessary. MEEI shall propose a new Monitor without unreasonable delay and shall designate a new Monitor, subject to approval by HHS, in accordance with section VI.F.1. 7. Validation Review. In the event HHS has reason to believe that (a) a Monitor Review or Monitor Report fails to conform to the requirements of this CAP; or (b) the Monitor Report is inaccurate, HHS may, at its sole discretion, conduct its own review to determine whether the Monitor Reviews or Report complied with the requirements of this CAP and/or are inaccurate (“Validation Review”). Prior to initiating a Validation Review, HHS shall notify MEEI of its intent to do so and provide a written explanation of the reasons such a review is necessary. To resolve any concerns raised by HHS, MEEI may request a meeting with HHS (a) to discuss any Monitor Reviews or Monitor Reports; (b) to present any additional or relevant A-7
  • 14. information to clarify the results or to correct the inaccuracy of the Monitor Report; and/or (c) to propose alternatives to the proposed Validation Review. MEEI shall provide any additional information as may be requested by HHS under this section in an expedited manner. HHS will attempt in good faith to resolve any concerns with MEEI prior to conducting a Validation Review. However, the final determination as to whether or not to proceed with a Validation Review shall be made at the sole discretion of HHS. 8. The use of a Monitor does not affect HHS’ authority to investigate complaints, conduct compliance reviews or audits of MEEI’s responsibilities under 45 C.F.R. Part 160, Subpart C. VII. Implementation Report and Annual Reports A. Implementation Report. Within 120 days after receiving HHS’ approval of the Policies and Procedures required by section VI.A., MEEI shall submit a written report to HHS and the Monitor summarizing the status of its implementation of the obligations of this CAP (“Implementation Report”). The Implementation Report shall include: 1. An attestation signed by an officer of MEEI attesting that the Policies and Procedures required by section VI.A., (a) have been adopted; (b) are being implemented; (c) have been distributed to all appropriate members of the workforce in accordance with paragraph VI.B.1.; and (d) that MEEI obtained all the compliance certifications in accordance with paragraph VI.B.2.; 2. A copy of all training materials used for the training required by this CAP, a description of the training, including a summary of the topics covered, the length of the session(s) and a schedule of when the training session(s) were held; 3. An attestation signed by an officer of MEEI attesting that all members of the workforce identified in paragraph VI.E.1. have completed the initial training required by this CAP and have executed the training certifications required by paragraph VI.E.2.; 4. A copy of any engagement letters with the Monitor; 5. A copy of the certification from the Monitor regarding its professional independence from MEEI, as required by paragraph VI.F.1.; 6. An attestation signed by an officer of MEEI listing all of MEEI’s locations, the name under which each location is doing business, the corresponding mailing address, phone number and fax number for each location, and attesting that each location has complied with the obligations of this CAP; and 7. An attestation signed by an officer of MEEI stating that he or she has reviewed the Implementation Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful. A-8
  • 15. B. Annual Reports. The one-year period after the Effective Date and each subsequent one-year period during the course of the Compliance Term shall be known as a “Reporting Period.” Within 60 days after each corresponding Reporting Period, MEEI shall annually submit a report to HHS and the Monitor regarding MEEI’s compliance with this CAP for each Reporting Period (“Annual Report”). The Annual Report shall include: 1. A copy of the schedule, topic outline, and training materials for the training programs provided during the Reporting Period that is the subject of the Annual Report; 2. An attestation signed by an officer of MEEI attesting that MEEI obtains and maintains written or electronic training certifications from all persons who are required to attend training under this CAP; 3. An attestation signed by an officer of MEEI attesting that any revision(s) to the Policies and Procedures under paragraphVI.A.4. were finalized and adopted within 30 days of HHS’ approval of the revision(s), which shall include a statement affirming that MEEI distributed the revised Policies and Procedures to all appropriate members of the workforce within 60 days of HHS’ approval of the revision(s), and a statement affirming that MEEI obtained all of the compliance certifications required by paragraph VI.B.2.; 4. A summary description of all engagements between MEEI and the Monitor, including, but not limited to, any outside financial audits or compliance program engagements, if different from what was submitted as part of the Monitor approval process provided for in section VI.F.; and 5. A summary of Reportable Events identified during the Reporting Period and the status of any corrective and preventative action(s) relating to all such Reportable Events. VIII. Document Retention The office(s) responsible for implementation of the obligations of the CAP shall maintain, for the individuals holding the titles set forth herein, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date. MEEI shall make available for inspection and copying all non-privileged documents and records relating to compliance with this CAP. If MEEI asserts a claim of privilege with respect to any document that HHS requests MEEI to make available for inspection and copying under this section, within a reasonable time of such request, MEEI shall prepare a log identifying the document and the type of privilege asserted (e.g., attorney-client privilege, attorney work product, patient confidentiality, or other privilege). MEEI shall make the log available to the Monitor, who shall provide it to HHS promptly upon request. A-9
  • 16. IX. Breach Provisions MEEI is expected to fully and timely comply with all provisions contained in this CAP. A. Timely Written Requests for Extensions. MEEI may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act required by this CAP. A “timely written request” is defined as a request in writing received by HHS at least 5 days prior to the date such an act is required or due to be performed. B. Notice of Breach and Intent to Impose CMP. The Parties agree that a breach of this CAP by MEEI that has not been cured in accordance with section IX.C. below constitutes a breach of the Agreement. Upon a determination by HHS that MEEI has breached this CAP, HHS may notify MEEI of (1) MEEI’s breach and (2) HHS’ intent to impose a civil monetary penalty (CMP), pursuant to 45 C.F.R. Part 160, for the Covered Conduct set forth in paragraph I.3. of the Agreement and for any other conduct that constitutes a violation of the HIPAA Privacy and Security Rules (“Notice of Breach and Intent to Impose CMP”). C. MEEI Response. MEEI shall have 30 days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS’ satisfaction that: 1. MEEI is in compliance with the obligations of this CAP that HHS cited as the basis for the breach; 2. the alleged breach has been cured; or 3. the alleged breach cannot be cured within the 30-day period, but that: (a) MEEI has begun to take action to cure the breach; (b) MEEI is pursuing such action with due diligence; and (c) MEEI has provided to HHS a reasonable timetable for curing the breach. D. Imposition of CMP. If at the conclusion of the 30-day period, MEEI fails to meet the requirements of section IX.C. to HHS’ satisfaction, HHS may proceed with the imposition of the CMP against MEEI pursuant to 45 C.F.R. Part 160 for any violations of the Privacy and Security Rules related to the Covered Conduct set forth in paragraph I.3. of the Agreement and for any other act or failure to act that constitutes a violation of the HIPAA Privacy or Security Rules. HHS shall notify MEEI in writing of its determination to proceed with the imposition of a CMP. MEEI shall retain all of the rights and obligations specified under 45 C.F.R. Part 160, Subparts C through E, with respect to any determination by HHS that MEEI has violated the Privacy Rule or the Security Rule and with respect to the imposition of the CMP under this paragraph. A-10
  • 17. For Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. ____________________________ ____________ John Fernandez Date President and Chief Executive Officer Massachusetts Eye and Ear Infirmary ____________________________ ____________ Joan Miller, M.D. Date President Massachusetts Eye and Ear Associates, Inc. For the United States Department of Health and Human Services ____________________________ _____________ Peter K. Chan Date Regional Manager, Region I Office for Civil Rights A-11