With HIPAA enforcement on the upswing and the recent news of the UCLA Health System settlement for $865,500, several readers asked what a Resolution Agreement looks like. In this post, we provide a “bullet-point” summary and a copy of the Resolution Agreement and Corrective Action Plan from which you may derive lots of “lessons learned”…
As stated in the HHS/OCR Press Release announcing the Resolution Agreement…
The resolution agreement resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without permissible reason looked at the electronic protected health information of these patients. OCR’s investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients.
HHS Resolution with Regents of the University of California posted on July 5th:
- Numerous CE workforce members repeatedly and without a permissible reason examined the ePHI of CE patients
- A CE workforce member repeatedly and without a permissible reason examined the ePHI of many patients
- During the period, CE did not provide and/or did not document the provision of necessary and appropriate Privacy and/or Security Rule training for all workforce members
- CE failed to apply appropriate sanctions and/or document sanctions against workforce members who impermissibly examined ePHI
- CE failed to implement security measures sufficient to reduce the risk of impermissible access to ePHI by unauthorized users to a reasonable and appropriate level
Terms and Conditions:
- Payment: $865,500.00
- Obligations of the Corrective Action Plan (CAP)
Policies and Procedures (PnPs):
- CE shall review, revise and maintain existing PnPs and develop, implement and maintain written PnPs that comply with the Federal standards that govern the privacy and security of PHI
- CE shall provide such PnPs to HHS within 60 days for review and approval and will have 60 days to revise and resubmit such PnPs based on HHS recommendations, and will have 60 days to implement such PnPs following receipt of HHS approval
- CE will distribute PnPs to all applicable workforce members within 30 days of HHS approval and to new members within 30 days of their start date, requiring signed written or electronic initial compliance certification for all applicable workforce members (that they have read, understand, know where to seek information and will abide by such PnPs) that must be submitted to CE designee within 30 days of PnP distribution
- CE will assess, update and revise as necessary PnPs at least annually and more frequently if appropriate, distributing to and receiving new compliance certifications from all applicable workforce members within 30 days of effective date of any approved substantive revisions
- PnPs shall include but not be limited to:
- Instructions and procedures that address permissible and impermissible uses and disclosures of PHI by the various categories of workforce members, and that address security awareness standards, information access management standards, workstation use standards, authorization and/or supervision standards and workforce clearance procedures
- Application of appropriate sanctions against CE workforce members who fail to comply with the PnPs; if CE, after review and investigation, determines that a workforce member has failed to comply, CE must notify HHS of such “Reportable Events” within 30 days
- Protocols for training
- All workforce members shall receive specific training related to PnPs within 90 days of implementation or within 30 days of their beginning as a workforce member
- Each workforce member required to attend training shall certify, in writing or in electronic form, that the required training has been received and the date of that training. All course materials must be retained for the compliance period
- CE must review the training annually and update it to reflect changes in federal law or HHS guidance, any issues discovered during audits or reviews, or any other relevant developments
- CE shall prohibit any workforce member from accessing PHI if the requisite training has not been completed
- Designation of Independent Monitor within 90 days to review compliance with this CAP
- A Monitor Plan must be submitted to OCR, describing in adequate detail the plan for fulfilling the duties of the Monitor; the plan must be reviewed at least annually, and any revisions must be provided to OCR within 10 business days and approved by OCR
- Retention of Records: CE must retain and make available to HHS upon request, all work papers supporting documentation, correspondence and draft reports related to reviews
- Monitor Reviews: the Monitor reviews shall investigate, assess, and make specific determinations about CE compliance with the CAP requirements, including unannounced site visits at least twice a year, interviews with staff and BAs, and follow-up on noncompliance reports
- Monitor Review Reports and Response: the Monitor shall prepare a semi-annual report based on its reviews and provide it to HHS and CE. CE shall prepare a response to the report and provide it to HHS. The Monitor shall immediately report any significant violation of the CAP to HHS and CE, and CE shall prepare a response, including a correction plan, and provide it to HHS within 10 days of receiving the Monitor’s report of a significant violation
- Monitor Removal/Termination: CE must submit a notice of intention to terminate any Monitor along with explanation as to why. If HHS has reason to believe that a Monitor does not possess the expertise, independence, or objectivity required by this CAP or has failed to carry out the responsibilities, HHS may at its sole discretion, require CE to engage a new Monitor.
- Validation Review: in the event HHS has reason to believe that the Monitor reviews or reports fail to conform to the CAP requirements, or that the Monitor reports are inaccurate, HHS may at its sole discretion conduct its own review to determine the accuracy of the Monitor reviews or reports. The use of a Monitor does not affect HHS’ authority to investigate complaints or to conduct compliance reviews or audits itself
Implementation Report and Annual Reports
- Implementation Report: CE shall submit a written report to HHS and the Monitor
- summarizing the status of its implementation of the requirements of this CAP within 120 days of receipt of HHS’ approval of the PnPs, including an attestation signed by a CE officer;
- a copy of all training materials, including an attestation signed by a CE officer that training has been completed and certifications received;
- an engagement letter with the Monitor with a summary description of all engagements including any outside financial audits, compliance program engagements or reimbursement consulting and the proposed start and completion dates of the first Monitor review
- Certification from the Monitor regarding its independence from CE
- An attestation signed by a CE officer listing all CE locations and attesting each location is in compliance with CAP obligations
- An attestation signed by a CE officer that the Implementation Report is accurate and truthful.
Annual Report: for each one-year period, CE shall submit to HHS and the Monitor an Annual Report on the status of, and findings regarding, CE compliance with this CAP, no later than 90 days after the end of each reporting period, which will include
- A schedule, topic outline and copies of the training materials
- Attestation signed by a CE officer that written or electronic certifications have been received from all applicable workforce members
- A summary description of all engagements between CE and Monitor
- Summary of Reportable Events and status of related corrective and preventative action
- Attestation signed by a CE officer that the Annual Report is accurate and truthful
Document Retention: 6 years
Term of CAP: 3 years; CE must submit the annual reports, submit a response to the final Monitor Report, and comply with the document retention requirement
Here at AboutHIPAA.com, we are committed to helping covered entities and business associates across the healthcare industry become and remain compliant with the regulations while protecting the personal and intimate health information of Americans. Please contact us with any feedback or questions you may have.
More HIPAA HITECH Resources:
The complete HIPAA Privacy, Security and Breach regulations are here.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.