Part 160 and Subparts A and E of Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the Federal standards for notification in the case of breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”).

HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates, and covered entities and business associates must cooperate with HHS compliance reviews and investigations.

Banner Health (“Banner”), on behalf of the Banner Health Affiliated Covered Entities (Banner Health ACE) 1 which meets the definition of a Covered Entity as defined at 45 C.F.R. § 160.103, and therefore is required to comply with the HIPAA Rules.

HHS and Banner shall together be referred to herein as the “Parties.”

Factual Background and Covered Conduct.

HHS initiated a compliance review of Banner on November 21, 2016, pursuant to a breach report submitted by Banner. The breach report stated that on July 13, 2016, Banner discovered a threat actor gained unauthorized access to the electronic protected health information (ePHI). The total number of individuals involved was determined to be 2.81 million.

HHS’s investigation indicated potential violations of the following provisions (“Covered Conduct”):

- The requirement to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI held by Banner (see 45 C.F.R.
- The requirement to implement sufficient procedures to regularly review records of information system activity (see 45 C.F.R.
- The requirement to implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed (see 45 CFR § 164.312(d)).
- The requirement to implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

This Agreement is not an admission, concession or evidence of liability by Banner.

This Agreement is not a concession by HHS that Banner is not in violation of the HIPAA Rules and not liable for civil money penalties (“CMPs”).

Intention of Parties to Effect Resolution.

This Agreement is intended to resolve OCR Transaction Number: 16-245464 and any potential violations of the HIPAA Rules related to the Covered Conduct associated with the compliance review and investigation specified in paragraph I.2 of this Agreement. In consideration of the Parties’ interest in avoiding the uncertainty, burden, and expense of further investigation and formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below.

HHS has agreed to accept, and Banner has agreed to pay HHS, the amount of $1,250,000. Banner agrees to pay the Resolution Amount on the Effective Date of this Agreement as defined in paragraph II.14 pursuant to written instructions to be provided by HHS.

Banner has entered into and agrees to comply with the Corrective Action Plan (“CAP”), attached as Appendix B, which is incorporated into this Agreement by reference. If Banner breaches the CAP and fails to cure the breach as set forth in the CAP, then Banner will be in breach of this Agreement and HHS will not be subject to the Release set forth in paragraph II.8 of this Agreement.

In consideration of and conditioned upon Banner’s performance of its obligations under this Agreement, HHS releases Banner from any actions it may have against Banner under the HIPAA Rules arising out of or related to the Factual Background and Covered Conduct associated with the compliance review identified in paragraph I. HHS does not release Banner from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct associated with the compliance review and referred to in this paragraph. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C.