Tuesday, July 12, 2011

A HIPAA Corrective Action Agreement between DHHS and the University of California

RESOLUTION AGREEMENT

I. Recitals

1. Parties. The Parties to this Resolution Agreement (“Agreement”) are the
United States Department of Health and Human Services, Office for Civil Rights
(“HHS”) and the Regents of the University of California, on behalf of the University
of California at Los Angeles Health System, which includes the UCLA Ronald
Reagan Medical Center, the UCLA Santa Monica Medical Center and Orthopedic
Hospital, the Resnick Neuropsychiatric Hospital and the Faculty Practice Group of
UCLA (“UCLAHS” or “Covered Entity”). HHS and UCLAHS shall together be
referred to herein as the “Parties.”

2. Authority of HHS and Covered Conduct.

A. Authority of HHS

HHS enforces the Federal standards that govern the privacy of individually
identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164,
the “Privacy Rule”) and the Federal standards that govern the security of electronic
individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C
of Part 164, the “Security Rule”). HHS has the authority to conduct the investigations
of complaints alleging violations of the Privacy and Security Rules by covered
entities, and a covered entity must cooperate with HHS’ investigation. 45 C.F.R.
§160.306(c) and §160.310(b).

B. Covered Conduct

On June 5, 2009 and June 30, 2009, HHS began investigations of two separate
complaints alleging that the Covered Entity was in violation of the Privacy and/or
Security Rules. The investigations indicated that the following conduct occurred
(“Covered Conduct”):

(i) During the period from August 31, 2005 to November 16, 2005, numerous
Covered Entity workforce members repeatedly and without a permissible reason
examined the electronic protected health information of Covered Entity patients, and
during the period from January 31, 2008 to February 2, 2008, numerous Covered Entity
workforce members repeatedly and without a permissible reason examined the electronic
protected health information of a Covered Entity patient.

(ii) During the period 2005-2008, a workforce member of Covered Entity
employed in the office of the Director of Nursing repeatedly and without a permissible
reason examined the electronic protected health information of many patients.

(iii) During the period 2005-2008, Covered Entity did not provide and/or
did not document the provision of necessary and appropriate Privacy and/or
Security Rule training for all members of its workforce to carry out their function
within the Covered Entity.

Resolution Agreement/Corrective Action Plan
08-82727 and 08-83510 (University of California Los Angeles Health System)

(iv) During the period 2005-2008, Covered Entity failed to apply appropriate
sanctions and/or document sanctions on workforce members who impermissibly
examined electronic protected health information.

(v) During the period from 2005-2009, Covered Entity failed to implement
security measures sufficient to reduce the risks of impermissible access to electronic
protected health information by unauthorized users to a reasonable and appropriate level.

3. No Admission. This Agreement is not an admission of liability by Covered
Entity.

4. No Concession. This Agreement is not a concession by HHS that the
Covered Entity is not in violation of the Privacy and/or Security Rules and not liable
for civil money penalties.

5. Intention of Parties to Effect Resolution. This Agreement is intended to resolve
Complaint Nos. 08-82727 and 08-83510 regarding possible violations related to the
Covered Conduct of the Privacy and Security Rules promulgated by HHS pursuant to the
administrative simplification provisions of the Health Insurance Portability and
Accountability Act of 1996 (HIPAA), Pub.L. 104-191, 110 Stat. 1936. In consideration
of the Parties’ interest in avoiding the uncertainty, burden, and expense of further
investigation and formal proceedings, the Parties agree to resolve these matters according
to the terms and conditions below.

II. Terms and Conditions

6. Payment. Covered Entity agrees to pay HHS the amount of $865,500.00
(“Resolution Amount”). Covered Entity agrees to pay the Resolution Amount by
electronic funds transfer pursuant to written instructions to be provided by HHS.
Covered Entity agrees to make this payment on or before the date it signs this Agreement.

7. Corrective Action Plan. Covered Entity has entered into and agrees to comply
with the Corrective Action Plan (CAP), attached as Appendix A, which is incorporated
into this Agreement by reference. If Covered Entity breaches the CAP, and fails to cure
the breach as set forth in the CAP, then Covered Entity will be in breach of this
Agreement and HHS will not be subject to the Release set forth in paragraph 8 of this
Agreement.

8. Release by HHS. In consideration and conditioned upon Covered Entity’s
performance of its obligations under this Agreement, HHS releases Covered Entity from
any actions it may have against Covered Entity under the Privacy and/or Security Rules
for the Covered Conduct identified in paragraph 2. HHS does not release Covered Entity
from, nor waive any rights, obligations, or causes of action other than those specifically
referred to in this paragraph. This release does not extend to actions that may be brought
under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.

9. Agreement by Released Parties. Covered Entity shall not contest the validity of
its obligations to pay, nor the amount of, the Resolution Amount or any other obligations
agreed to under this Agreement. Covered Entity waives all procedural rights granted
under Section 1128A of the Social Security Act (42 U.S.C. § 1320a-7a) and 45 C.F.R.
Part 160 Subpart E, and HHS claims collection regulations at 45 C.F.R. Part 30,
including, but not limited to, notice, hearing, and appeal with respect to the Resolution
Amount.

10. Binding on Successors. This Agreement is binding on Covered Entity and its
successors, transferees, and assigns.

11. Costs. Each Party to this Agreement shall bear its own legal and other costs
incurred in connection with this matter, including the preparation and performance of this
Agreement.

12. No Additional Releases. This Agreement is intended to be for the benefit of the
Parties only. By this instrument the Parties do not release any claims against any other
person or entity.

13. Effect of Agreement. This Agreement constitutes the complete agreement
between the Parties. All material representations, understandings, and promises of the
Parties are contained in this Agreement. Any modifications to this Agreement shall be
set forth in writing and signed by both Parties.

14. Execution of Agreement and Effective Date. The Agreement shall become
effective (i.e., final and binding) upon the date of signing of this Agreement and the CAP
by the last signatory (Effective Date).

15. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a
civil money penalty must be imposed within six years from the date of the occurrence of
the violation. To insure that this six-year period does not expire during the term of this
agreement, Covered Entity agrees that the time between the Effective Date of this
Resolution Agreement (as set forth in paragraph 14) and the date same may be terminated
by reason of Covered Entity’s breach, plus one-year thereafter, will not be included in
calculating the six (6) year statute of limitations applicable to the violations which are the
subject of this agreement. Covered Entity waives and will not plead any statute of
limitations, laches, or similar defenses to any administrative action relating to the
Covered Conduct identified in paragraph 2 that is filed by HHS within the time period set
forth above, except to the extent that such defenses would have been available had an
administrative action been filed on the Effective Date of this Resolution Agreement.

16. Disclosure. HHS places no restriction on the publication of the Agreement. This
Agreement and information related to this Agreement may be made public by either
party. In addition, HHS may be required to disclose this Agreement and related material
to any person upon request consistent with the applicable provisions of the Freedom of
Information Act, 5 U.S.C. § 552, and its implementing regulations, 45 C.F.R. Part 5.

17. Execution in Counterparts. This Agreement may be executed in counterparts,
each of which constitutes an original, and all of which shall constitute one and the same
agreement.

18. Authorizations. The individual(s) signing this Agreement on behalf of Covered
Entity represent and warrant that they are authorized by Covered Entity to execute this
Agreement. The individual signing this Agreement on behalf of HHS represents and
warrants that he is signing this Agreement in his official capacities and that he is
authorized to execute this Agreement.

For the Regents of the University of California

Dr. David Feinberg
CEO, UCLA Hospital System
and Associate Vice Chancellor

For the United States Department of Health and Human Services

Michael F. Kruley
Regional Manager, Region IX
Office for Civil Rights

/s/
/s/
7/5/11
7/6/11
