RESOLUTION AGREEMENT
I. Recitals
1. Parties. The Parties to this Resolution Agreement (“Agreement”) are the United
States Department of Health and Human Services, Office for Civil Rights (“HHS”) and
Affinity Health Plan, Inc. (“the covered entity”). HHS and the Covered Entity shall
together be referred to herein as the “Parties.”
A. Authority of HHS
HHS enforces the Federal standards that govern the privacy of protected
health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the
“Privacy Rule”), the security of electronic protected health information (45 C.F.R.
Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the notification
in case of breach of unsecured protected health information (45 C.F.R. Part 160 and
Subparts A and D of Part 164, the “Breach Notification Rule”). HHS has the authority
to conduct the investigations of complaints alleging violations of the Privacy and
Security Rules by covered entities, and a covered entity must cooperate with HHS’
investigation. 45 C.F.R. §160.306(c) and §160.310(b).
Affinity Health Plan (AHP) is a covered entity, as defined at 45 C.F.R.
§160.103, and therefore is required to comply with the Privacy and Security Rules.
2. Factual Background and Covered Conduct
On April 15, 2010, the HHS Office for Civil Rights (OCR) received notification
from AHP regarding a breach of its unsecured electronic protected health
information (EPHI). On May 19, 2010, OCR notified AHP of OCR’s investigation
regarding AHP’s compliance with the Privacy, Security, and Breach Notification
Rules.
OCR’s investigation indicated that the following conduct occurred (“Covered
Conduct”):
a. AHP impermissibly disclosed the EPHI of up to 344,579 individuals when
it failed to properly erase photocopier hard drives prior to sending the
photocopiers to a leasing company.
b. AHP failed to assess and identify the potential security risks and
vulnerabilities of EPHI stored in the photocopier hard drives.
c. AHP failed to implement its policies for the disposal of EPHI with respect
to the aforementioned photocopier hard drives.
3. No Admission. This Agreement is not an admission of liability by AHP.
4. No Concession. This Agreement is not a concession by HHS that AHP is
not in violation of the Privacy and Security Rules and that AHP is not liable for civil
money penalties.
5. Intention of Parties to Effect Resolution. This Agreement is intended to
resolve the OCR Complaint No. 10-150600, and any violations of the HIPAA Privacy
and Security Rules related to the Covered Conduct specified in paragraph 2 of this
Agreement. In consideration of the Parties’ interest in avoiding the uncertainty, burden,
and expense of further investigation and formal proceedings, the Parties agree to
resolve these matters according to the terms and conditions below.
II. Terms and Conditions
6. Payment. AHP agrees to pay HHS the amount of $1,215,780 (“Resolution
Amount”). AHP agrees to pay the Resolution Amount by electronic funds transfer
pursuant to written instructions to be provided by HHS. AHP agrees to make this
payment on or before the date it signs this Agreement.
7. Corrective Action Plan. AHP has entered into and agrees to comply with the
Corrective Action Plan (CAP), attached as Appendix A, which is incorporated into this
Agreement by reference. If AHP breaches the CAP, then AHP will be in breach of this
Agreement and HHS will not be subject to the Release set forth in paragraph 8 of this
Agreement.
8. Release by HHS. In consideration and conditioned upon AHP’s performance of
its obligations under this Agreement, HHS releases AHP from any actions it has or may
have against AHP under the Privacy and Security Rules arising out of or related to the
Covered Conduct identified in paragraph 2. HHS does not release AHP from, nor waive
any rights, obligations, or causes of action other than those specifically referred to in
this paragraph. This release does not extend to actions that may be brought under
section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
9. Agreement by Released Parties. AHP shall not contest the validity of its
obligations to pay, nor the amount of, the Resolution Amount or any other obligations
agreed to under this Agreement. AHP waives all procedural rights granted under
Section 1128A of the Social Security Act (42 U.S.C. § 1320a-7a) and 45 C.F.R. Part
160 Subpart E, and HHS claims collection regulations at 45 C.F.R. Part 30, including,
but not limited to, notice, hearing, and appeal with respect to the Resolution Amount.
10. Binding on Successors. This Agreement is binding on AHP and its
successors, transferees, and assigns.
11. Costs. Each Party to this Agreement shall bear its own legal and other costs
incurred in connection with this matter, including the preparation and performance of
this Agreement.
12. No Additional Releases. This Agreement is intended to be for the benefit of the
Parties only. By this instrument the Parties do not release any claims against any other
person or entity.
13. Effect of Agreement. This Agreement constitutes the complete agreement
between the Parties. All material representations, understandings, and promises of the
Parties are contained in this Agreement. Any modifications to this Agreement shall be
set forth in writing and signed by both Parties.
14. Execution of Agreement and Effective Date. The Agreement shall become
effective (i.e., final and binding) on the date that both Parties sign this Agreement and
CAP (Effective Date).
15. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a
civil money penalty (CMP) must be imposed within six years from the date of the
occurrence of the violation. To ensure that this six-year period does not expire during
the term of this agreement, AHP agrees that the time between the Effective Date of this
Agreement and the date this Resolution Agreement may be terminated by reason of
AHP’s breach, plus one-year thereafter, will not be included in calculating the six year
statute of limitations applicable to the violations which are the subject of this Agreement.
AHP waives and will not plead any statute of limitations, laches, or similar defenses to
any administrative action relating to the Covered Conduct identified in paragraph 2 that
is filed by HHS within the time period set forth above, except to the extent that such
defenses would have been available had an administrative action been filed on the
Effective Date of this Resolution Agreement.
16. Disclosure. HHS places no restriction on the publication of the Agreement.
This Agreement and information related to this Agreement may be made public by
either party. In addition, HHS may be required to disclose this Agreement and related
material to any person upon request consistent with the applicable provisions of the
Freedom of Information Act, 5 U.S.C. § 552, and its implementing regulations, 45 C.F.R.
Part 5.
17. Execution in Counterparts. This Agreement may be executed in counterparts,
each of which constitutes an original, and all of which shall constitute one and the same
agreement.
18. Authorizations. The individual(s) signing this Agreement on behalf of AHP
represent and warrant that they are authorized to execute this Agreement. The
individual(s) signing this Agreement on behalf of HHS represents and warrants that she
is signing this Agreement in her official capacities and that she is authorized to execute
this Agreement.
For Affinity Health Plan, Inc.
_________/s/_________________ August 7, 2013__
Bertram L. Scott Date
President and CEO
For the United States Department of Health and Human Services
_________/s/_______________ August 7, 2013__
Linda C. Colón Date
Regional Manager, Region II
Office for Civil Rights
Appendix A
CORRECTIVE ACTION PLAN
BETWEEN
THE UNITED STATES DEPARTMENT OF HEALTH AND HUMAN SERVICES
AND
AFFINITY HEALTH PLAN, INC.
I. Preamble
Affinity Health Plan, Inc. (AHP) hereby enters into this Corrective Action Plan (CAP) with
the United States Department of Health and Human Services, Office for Civil Rights
(HHS). Contemporaneously with this CAP, AHP is entering into a Resolution
Agreement (Agreement) with HHS, and this CAP is incorporated by reference into the
Resolution Agreement as Appendix A. AHP enters into this CAP as consideration for
the release set forth in paragraph 8 of the Agreement.
II. Contact Persons and Submissions
A. Contact Persons
AHP has identified the following individual as its contact person regarding the
implementation of this CAP and for receipt and submission of notifications and reports:
Ms. Caron R. Cullen
Senior Vice President and Compliance Officer
Compliance & Regulatory Affairs
Affinity Health Plan, Inc.
2500 Halsey Street
Bronx, New York 10461
HHS has identified the following individual as its authorized representative and contact
person with whom AHP is to report information regarding the implementation of this
CAP:
Linda C. Colón, Regional Manager, Region II
Office for Civil Rights
U.S. Department of Health and Human Services
26 Federal Plaza, Suite 3312
New York, New York 10278
Voice Phone (212) 264-4136
Fax: (212) 264-3039
Linda.Colon@HHS.gov
AHP and HHS agree to promptly notify each other of any changes in the contact
persons or the other information provided above.
B. Proof of Submissions.
Unless otherwise specified, all notifications and reports required by this CAP may be
made by any means, including certified mail, overnight mail, or hand delivery, provided
that there is proof that such notification was received. For purposes of this requirement,
internal facsimile confirmation sheets do not constitute proof of receipt.
III. Effective Date and Term of CAP
The Effective Date for this CAP shall be calculated in accordance with paragraph
14 of the Agreement (Effective Date). The period for compliance with the obligations
assumed by AHP under this CAP shall begin on the Effective Date of this CAP and end
in one hundred twenty (120) days from the Effective Date except that, after this period,
AHP shall be obligated to comply with the document retention requirement set forth in
section VI.
IV. Time
In computing any period of time prescribed or allowed by this CAP, the day of the
act, event, or default from which the designated period of time begins to run shall not be
included. The last day of the period so computed shall be included, unless it is a
Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of
the next day which is not one of the aforementioned days.
V. Corrective Action Obligations
AHP agrees to the following:
1. Within five (5) days of the Effective Date, AHP shall use its best efforts to
retrieve all photocopier hard drives that were contained in photocopiers
previously leased by AHP that remain in the possession of Canon Financial
Services, and safeguard all EPHI contained therein from impermissible
disclosure. If AHP cannot retrieve said hard drives, AHP shall provide OCR
with documentation explaining its “best efforts” and the reason it was unable
to retrieve said hard drives. If AHP retrieves said hard drives, AHP shall
provide OCR written certification that it has completed the requirements
specified in this paragraph. AHP’s compliance with this corrective action will
be based on the Region’s review and approval of the documentation
explaining why its efforts failed to retrieve the hard drives.
2. Within thirty (30) days of the Effective Date, AHP shall conduct a
comprehensive risk analysis of the EPHI security risks and vulnerabilities that
incorporates all electronic equipment and systems controlled, owned or
leased by AHP. AHP shall also, within this time period, develop a plan to
address and mitigate any security risks and vulnerabilities found in this
analysis and, if necessary, revise its present policies and procedures. The
plan and any revised policies and procedures shall be forwarded to OCR for
its review consistent with paragraph 3 below.
3. OCR shall review and recommend changes to the plan and any revised
policies and procedures specified in paragraph 2. Upon receiving OCR’s
recommended changes, AHP shall have thirty calendar days to provide a
revised plan and any revised policies and procedures to OCR for review and
approval. AHP shall implement the plan and distribute and train staff
members on any revised policies and procedures within thirty (30) calendar
days of OCR’s approval.
VI. Document Retention
AHP shall maintain for inspection and copying all documents and records relating to
compliance with this CAP for six years from the Effective Date.
VII. Breach Provisions
AHP is expected to fully and timely comply with all provisions of its CAP obligations.
A. Timely Written Requests for Extensions
AHP may, in advance of any due date set forth in this CAP, submit a timely
written request for an extension of time to perform any act or file any notification
or report required by this CAP. A “timely written request” is defined as a request
in writing received by HHS at least five (5) business days prior to the date such
an act is required or due to be performed.
B. Notice of Breach and Intent to Impose CMP.
The Parties agree that a breach of this CAP by AHP constitutes a breach of the
Agreement. Upon a determination by HHS that AHP has breached this CAP, HHS
may notify AHP of: (a) AHP’s breach; and (b) HHS’ intent to impose a CMP pursuant
to 45 C.F.R. Part 160 for the Covered Conduct set forth in paragraph 2 of the
Agreement and for any other conduct that constitutes a violation of the HIPAA Privacy
and Security Rules (Notice of Breach and Intent to Impose CMP).
C. AHP’s Response.
AHP shall have 30 days from the date of receipt of the Notice of Breach and Intent to
Impose CMP to demonstrate to HHS’ satisfaction that:
1. AHP is in compliance with the obligations of the CAP cited by HHS as
being the basis for the breach;
2. The alleged breach has been cured; or
3. The alleged breach cannot be cured within the 30-day period, but that:
(i) AHP has begun to take action to cure the breach;
(ii) AHP is pursuing such action with due diligence; and
(iii) AHP has provided to HHS a reasonable timetable for curing the breach.
D. Imposition of CMP.
If at the conclusion of the 30-day period, AHP fails to meet the requirements of
section VII.C to HHS’ satisfaction, HHS may proceed with the imposition of a CMP
against AHP pursuant to 45 C.F.R. Part 160 for the Covered Conduct set forth in
paragraph 2 of the Agreement and for any other conduct that constitutes a violation of
the HIPAA Privacy and Security Rules. HHS shall notify AHP in writing of its
determination to proceed with the imposition of a CMP.
For Affinity Health Plan, Inc.
_________/s/___________________ August 7, 2013__
Bertram L. Scott Date
President and CEO
For the United States Department of Health and Human Services
_________/s/___________________ August 7, 2013___
Linda C. Colón Date
Regional Manager, Region II
Office for Civil Rights

Affinity agreement

RESOLUTION AGREEMENT
I. Recitals
1. Parties. The Parties to this Resolution Agreement (“Agreement”) are the United States Department of Health and Human Services, Office for Civil Rights (“HHS”) and Affinity Health Plan, Inc. (“the covered entity”). HHS and the Covered Entity shall together be referred to herein as the “Parties.”
A. Authority of HHS
HHS enforces the Federal standards that govern the privacy of protected health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”), the security of electronic protected health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the notification in case of breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and D of Part 164, the “Breach Notification Rule”). HHS has the authority to conduct the investigations of complaints alleging violations of the Privacy and Security Rules by covered entities, and a covered entity must cooperate with HHS’ investigation. 45 C.F.R. §160.306(c) and §160.310(b).
Affinity Health Plan (AHP) is a covered entity, as defined at 45 C.F.R. §160.103, and therefore is required to comply with the Privacy and Security Rules.
2. Factual Background and Covered Conduct
On April 15, 2010, the HHS Office for Civil Rights (OCR) received notification from AHP regarding a breach of its unsecured electronic protected health information (EPHI). On May 19, 2010, OCR notified AHP of OCR’s investigation regarding AHP’s compliance with the Privacy, Security, and Breach Notification Rules.
OCR’s investigation indicated that the following conduct occurred (“Covered Conduct”):
a. AHP impermissibly disclosed the EPHI of up to 344,579 individuals when it failed to properly erase photocopier hard drives prior to sending the photocopiers to a leasing company.
b. AHP failed to assess and identify the potential security risks and vulnerabilities of EPHI stored in the photocopier hard drives.
c. AHP failed to implement its policies for the disposal of EPHI with respect to the aforementioned photocopier hard drives.
3. No Admission. This Agreement is not an admission of liability by AHP.
4. No Concession. This Agreement is not a concession by HHS that AHP is not in violation of the Privacy and Security Rules and that AHP is not liable for civil money penalties.
5. Intention of Parties to Effect Resolution. This Agreement is intended to resolve the OCR Complaint No. 10-150600, and any violations of the HIPAA Privacy and Security Rules related to the Covered Conduct specified in paragraph 2 of this Agreement. In consideration of the Parties’ interest in avoiding the uncertainty, burden, and expense of further investigation and formal proceedings, the Parties agree to resolve these matters according to the terms and conditions below.
II. Terms and Conditions
6. Payment. AHP agrees to pay HHS the amount of $1,215,780 (“Resolution Amount”). AHP agrees to pay the Resolution Amount by electronic funds transfer pursuant to written instructions to be provided by HHS. AHP agrees to make this payment on or before the date it signs this Agreement.
7. Corrective Action Plan. AHP has entered into and agrees to comply with the Corrective Action Plan (CAP), attached as Appendix A, which is incorporated into this Agreement by reference. If AHP breaches the CAP, then AHP will be in breach of this Agreement and HHS will not be subject to the Release set forth in paragraph 8 of this Agreement.
8. Release by HHS. In consideration and conditioned upon AHP’s performance of its obligations under this Agreement, HHS releases AHP from any actions it has or may have against AHP under the Privacy and Security Rules arising out of or related to the Covered Conduct identified in paragraph 2. HHS does not release AHP from, nor waive any rights, obligations, or causes of action other than those specifically referred to in this paragraph. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
9. Agreement by Released Parties. AHP shall not contest the validity of its obligations to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. AHP waives all procedural rights granted under Section 1128A of the Social Security Act (42 U.S.C. § 1320a-7a) and 45 C.F.R. Part 160 Subpart E, and HHS claims collection regulations at 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount.
10. Binding on Successors. This Agreement is binding on AHP and its successors, transferees, and assigns.
11. Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement.
12. No Additional Releases. This Agreement is intended to be for the benefit of the Parties only. By this instrument the Parties do not release any claims against any other person or entity.
13. Effect of Agreement. This Agreement constitutes the complete agreement between the Parties. All material representations, understandings, and promises of the Parties are contained in this Agreement. Any modifications to this Agreement shall be set forth in writing and signed by both Parties.
14. Execution of Agreement and Effective Date. The Agreement shall become effective (i.e., final and binding) on the date that both Parties sign this Agreement and CAP (Effective Date).
15. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a civil money penalty (CMP) must be imposed within six years from the date of the occurrence of the violation. To ensure that this six-year period does not expire during the term of this agreement, AHP agrees that the time between the Effective Date of this Agreement and the date this Resolution Agreement may be terminated by reason of AHP’s breach, plus one-year thereafter, will not be included in calculating the six year statute of limitations applicable to the violations which are the subject of this Agreement. AHP waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the Covered Conduct identified in paragraph 2 that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Resolution Agreement.
16. Disclosure. HHS places no restriction on the publication of the Agreement. This Agreement and information related to this Agreement may be made public by either party. In addition, HHS may be required to disclose this Agreement and related material to any person upon request consistent with the applicable provisions of the Freedom of Information Act, 5 U.S.C. § 552, and its implementing regulations, 45 C.F.R. Part 5.
17. Execution in Counterparts. This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement.
18. Authorizations. The individual(s) signing this Agreement on behalf of AHP represent and warrant that they are authorized to execute this Agreement. The individual(s) signing this Agreement on behalf of HHS represents and warrants that she is signing this Agreement in her official capacities and that she is authorized to execute this Agreement.
For Affinity Health Plan, Inc.
_________/s/_________________ August 7, 2013__
Bertram L. Scott Date
President and CEO
For the United States Department of Health and Human Services
_________/s/_______________ August 7, 2013__
Linda C. Colón Date
Regional Manager, Region II
Office for Civil Rights
Appendix A
CORRECTIVE ACTION PLAN BETWEEN THE UNITED STATES DEPARTMENT OF HEALTH AND HUMAN SERVICES AND AFFINITY HEALTH PLAN, INC.
I. Preamble
Affinity Health Plan, Inc. (AHP) hereby enters into this Corrective Action Plan (CAP) with the United States Department of Health and Human Services, Office for Civil Rights (HHS). Contemporaneously with this CAP, AHP is entering into a Resolution Agreement (Agreement) with HHS, and this CAP is incorporated by reference into the Resolution Agreement as Appendix A. AHP enters into this CAP as consideration for the release set forth in paragraph 8 of the Agreement.
II. Contact Persons and Submissions
A. Contact Persons
AHP has identified the following individual as its contact person regarding the implementation of this CAP and for receipt and submission of notifications and reports:
Ms. Caron R. Cullen
Senior Vice President and Compliance Officer
Compliance & Regulatory Affairs
Affinity Health Plan, Inc.
2500 Halsey Street
Bronx, New York 10461
HHS has identified the following individual as its authorized representative and contact person with whom AHP is to report information regarding the implementation of this CAP:
Linda C. Colón, Regional Manager, Region II
Office for Civil Rights
U.S. Department of Health and Human Services
26 Federal Plaza, Suite 3312
New York, New York 10278
Voice Phone (212) 264-4136
Fax: (212) 264-3039
Linda.Colon@HHS.gov
AHP and HHS agree to promptly notify each other of any changes in the contact persons or the other information provided above.
B. Proof of Submissions. Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including certified mail, overnight mail, or hand delivery, provided that there is proof that such notification was received. For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt.
III. Effective Date and Term of CAP
The Effective Date for this CAP shall be calculated in accordance with paragraph 14 of the Agreement (Effective Date). The period for compliance with the obligations assumed by AHP under this CAP shall begin on the Effective Date of this CAP and end in one hundred twenty (120) days from the Effective Date except that, after this period, AHP shall be obligated to comply with the document retention requirement set forth in section VI.
IV. Time
In computing any period of time prescribed or allowed by this CAP, the day of the act, event, or default from which the designated period of time begins to run shall not be included. The last day of the period so computed shall be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day which is not one of the aforementioned days.
V. Corrective Action Obligations
AHP agrees to the following:
1. Within five (5) days of the Effective date, AHP shall use its best efforts to retrieve all photocopier hard drives that were contained in photocopiers previously leased by AHP that remain in the possession of Canon Financial Services, and safeguard all EPHI contained therein from impermissible disclosure. If AHP cannot retrieve said hard drives, AHP shall provide OCR with documentation explaining its “best efforts” and the reason it was unable to retrieve said hard drives. If AHP retrieves said hard drives, AHP shall provide OCR written certification that it has completed the requirements specified in this paragraph. AHP’s compliance with this corrective action will be based on the Region’s review and approval of the documentation explaining why its efforts failed to retrieve the hard drives.
2. Within thirty (30) days of the Effective Date, AHP shall conduct a comprehensive risk analysis of the EPHI security risks and vulnerabilities that incorporates all electronic equipment and systems controlled, owned or leased by AHP. AHP shall also, within this time period develop a plan, to address and mitigate any security risks and vulnerabilities found in this analysis and, if necessary, revise its present policies and procedures. The plan and any revised policies and procedures shall be forwarded to OCR for its review consistent with paragraph 3 below.
3. OCR shall review and recommend changes to the plan and any revised policies and procedures specified in paragraph 2. Upon receiving OCR’s recommended changes, AHP shall have thirty calendar days to provide a revised plan and any revised policies and procedures to OCR for review and approval. AHP shall implement the plan and distribute and train staff members on any revised policies and procedures within thirty (30) calendar days of OCR’s approval.
VI. Document Retention
AHP shall maintain for inspection and copying all documents and records relating to compliance with this CAP for six years from the Effective Date.
VII. Breach Provisions
AHP is expected to fully and timely comply with all provisions of its CAP obligations.
A. Timely Written Requests for Extensions
AHP may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act or file any notification or report required by this CAP. A “timely written request” is defined as a request in writing received by HHS at least five (5) business days prior to the date such an act is required or due to be performed.
B. Notice of Breach and Intent to Impose CMP. The Parties agree that a breach of this CAP by AHP constitutes a breach of the Agreement. Upon a determination by HHS that AHP has breached this CAP, HHS may notify AHP of: (a) AHP’s breach; and (b) HHS’ intent to impose a CMP pursuant to 45 C.F.R. Part 160 for the Covered Conduct set forth in paragraph 2 of the Agreement and for any other conduct that constitutes a violation of the HIPAA Privacy and Security Rules (Notice of Breach and Intent to Impose CMP).
C. AHP’s Response. AHP shall have 30 days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS’ satisfaction that:
1. AHP is in compliance with the obligations of the CAP cited by HHS as being the basis for the breach;
2. The alleged breach has been cured; or
3. The alleged breach cannot be cured within the 30-day period, but that: (i) AHP has begun to take action to cure the breach; (ii) AHP is pursuing such action with due diligence; and (iii) AHP has provided to HHS a reasonable timetable for curing the breach.
D. Imposition of CMP. If at the conclusion of the 30-day period, AHP fails to meet the requirements of section VII.C to HHS’ satisfaction, HHS may proceed with the imposition of a CMP against AHP pursuant to 45 C.F.R. Part 160 for the Covered Conduct set forth in paragraph 2 of the Agreement and for any other conduct that constitutes a violation of the HIPAA Privacy and Security Rules. HHS shall notify AHP in writing of its determination to proceed with the imposition of a CMP.
For Affinity Health Plan, Inc.
_________/s/___________________ August 7, 2013__
Bertram L. Scott Date
President and CEO
For the United States Department of Health and Human Services
_________/s/___________________ August 7, 2013___
Linda C. Colón Date
Regional Manager, Region II
Office for Civil Rights