Factual Background and Covered Conduct. On June 2, 2017, Respondent made a submission pursuant to OIG's Self Disclosure Protocol (Protocol), and OIG accepted Respondent into the Protocol on July 24, 2017. The OIG contends that Respondent knowingly presented to Medicare, Tricare, and VA claims for items or services that Respondent knew or should have known were not provided as claimed and were false or fraudulent. Specifically, the OIG contends that, in certain cases of three or more concurrent neurosurgical procedures performed at University Hospital Shreveport during the period November 1, 2011 through January 3, 2017, Respondent submitted claims for physician services by teaching surgeons when those services were supervisory services to the hospital rather than a physician service to individual patients. The OIG contends that the conduct described in this Paragraph (hereinafter referred to as the "Covered Conduct") subjects Respondent to civil monetary penalties, assessments, and exclusion under 42 U.S.C. §§ 1320a-7a and 1320a-7(b)(7).
Factual Background and Covered Conduct. In February 2014, the HHS Office for Civil Rights (OCR) received separate notifications from each of the six nursing homes regarding a breach of unsecured electronic protected health information (ePHI) at CHCS. On April 17, 2014, OCR notified CHCS of OCR’s investigation regarding CHCS’s compliance with the HIPAA Rules. OCR’s investigation indicated that the following conduct occurred (“Covered Conduct”):
(1) From September 23, 2013, the compliance date of the Security Rule for business associates, until the present, CHCS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by CHCS (See 45 C.F.R. § 164.308(a)(1)(ii)(A));
(2) From September 23, 2013, the compliance date of the Security Rule for business associates, until the present, CHCS failed to implement appropriate security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a) of the Security Rule. (See 45 C.F.R. § 164.308(a)(1)(ii)(B)).
Factual Background and Covered Conduct. On March 21, 2013, the HHS Office for Civil Rights (“OCR”) received notification from UMMC regarding a breach of unsecured electronic protected health information (“ePHI”) affecting 500 or more individuals at UMMC’s University Hospital. On October 25, 2013, HHS notified UMMC of its investigation regarding UM’s compliance with the Privacy, Security, and Breach Notification Rules.
The University of Mississippi (“UM”) is a covered entity, as defined at 45 C.F.R. § 160.103, and a hybrid entity, as defined at 45 C.F.R. § 164.103, whose operations include both covered and non-covered functions and which has designated health care components, including the University of Mississippi Medical Center (“UMMC”), in accordance with 45 C.F.R. § 164.105(a)(2)(iii)(D). Other than certain oversight, compliance and enforcement obligations, as set forth at 45 C.F.R. §§ 164.105, 164.314, and 164.504, which apply to UM, the remaining provisions of the HIPAA Rules apply only to the health care components of UM, including UMMC. See 45 C.F.R. § 164.105(a)(1). OCR’s investigation indicated UM had implemented policies and procedures pursuant to the HIPAA Rules; however, OCR’s investigation indicated that the following conduct occurred (“Covered Conduct”):
A. From the compliance date of the Security Rule, April 20, 2005, until present, UM failed to implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI it holds, and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level (See 45 C.F.R. §164.308(a)(1)(i));
B. From January 19, 2013, until March 1, 2014, UM failed to implement physical safeguards for all workstations that access ePHI to restrict access to authorized users (See 45 C.F.R. §164.310(c));
C. From the compliance date of the Security Rule, April 20, 2005, to March 14, 2013, UM failed to assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI including, for example, allowing workforce members to access ePHI on a shared department network drive through a generic account, preventing UMMC from tracking which specific users were accessing ePHI (See 45 C.F.R. § 164.312(a)(2)(i)); and
D. UM, following the discovery of this breach of unsecured ePH...
Factual Background and Covered Conduct. On September 14, 2012, HHS received notification from FIMR regarding a breach of its unsecured electronic protected health information (ePHI). FIMR reported that an unencrypted laptop was stolen on September 2, 2012, out of the car of one of its employees. On November 14, 2012, HHS notified FIMR that it was initiating an investigation regarding FIMR’s compliance with the HIPAA Rules. HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”):
(i) FIMR impermissibly disclosed the ePHI of 13,000 individuals when an FIMR-owned laptop computer containing ePHI was left unsecured in the back seat of an employee’s car. See 45 C.F.R. § 164.502(a).
(ii) FIMR failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI held by FIMR, including the ePHI on the aforementioned laptop computer. See 45 C.F.R. § 164.308(a)(1)(ii)(A).
(iii) FIMR failed to implement policies and procedures for granting access to ePHI by its workforce members. See 45 C.F.R. § 164.308(a)(4)(ii)(B).
(iv) FIMR failed to implement physical safeguards for a laptop that contained ePHI to restrict access to unauthorized users. See 45 C.F.R. § 164.310(c).
(v) FIMR failed to implement policies and procedures that govern receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility. See 45 C.F.R. § 163.310(d).
(vi) FIMR failed to implement a mechanism to encrypt ePHI or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption to safeguard ePHI. See 45 C.F.R. § 164.312(a)(2)(iv).
Factual Background and Covered Conduct. On March 2, 2012, the HHS Office for Civil Rights (OCR) received notification from ACMHS regarding a breach of unsecured electronic protected health information (e-PHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources. On June 1, 2012, OCR notified ACMHS of OCR’s investigation regarding ACMHS’s compliance with the Privacy, Security, and Breach Notification Rules. OCR’s investigation indicated that the following conduct occurred (“Covered Conduct”):
A. From April 21, 2005, the compliance date of the Security Rule, until March 12, 2012, ACMHS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by ACMHS (See 45 C.F.R. § 164.308(a)(1)(ii)(A));
B. From April 21, 2005, the compliance date of the Security Rule, until March 12, 2012, ACMHS failed to implement policies and procedures requiring implementation of security measures sufficient to reduce risks and vulnerabilities to its e-PHI to a reasonable and appropriate level (See 45 C.F.R. § 164.308(a)(1)(ii)(B)); and
C. From January 1, 2008, until March 29, 2012, ACMHS failed to implement technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic communications network (See 45 C.F.R. § 164.312(e)) by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.
Factual Background and Covered Conduct. On December 9, 2011, HHS received notification from Skagit County regarding a breach of its unsecured electronic protected health information (ePHI). On May 25, 2012, HHS notified Skagit County of its investigation regarding Skagit County’s compliance with the Privacy, Security, and Breach Notification Rules. HHS’s investigation indicated that the following conduct occurred (“Covered Conduct”).
i. From approximately September 14, 2011 until September 28, 2011, Skagit County disclosed the ePHI of 1,581 individuals in violation of the Privacy Rule (See 45 C.F.R. §§ 160.103 and 164.502(a)) by providing access to electronic protected health information (ePHI) on its public web server;
ii. From November 28, 2011 until present, Skagit County failed to provide notification as required by the Breach Notification Rule (See 45 C.F.R. § 164.404) to all of the individuals for whom it knew or should have known that the privacy or security of the individual’s ePHI had been compromised as a result of the breach incident described in paragraph I.3.i., above;
iii. From April 20, 2005 until present, Skagit County failed to implement sufficient policies and procedures to prevent, detect, contain, and correct security violations (See 45 C.F.R. § 164.308(a)(1)(i));
iv. From April 20, 2005 until June 1, 2012, Skagit County failed to implement and maintain in written or electronic form policies and procedures reasonably designed to ensure compliance with the Security Rule (See 45 C.F.R. § 164.316(a) and (b)); and
v. From April 20, 2005 until present, Skagit County failed to provide security awareness and training to all workforce members, including its Information Security staff members, as necessary and appropriate for the workforce members to carry out their functions within Skagit County (See 45 C.F.R. § 164.308(a)(5)).
Factual Background and Covered Conduct. On September 27, 2010, the HHS Office for Civil Rights received notification from “New York-Presbyterian Hospital and Columbia University Medical Center” regarding a breach of its unsecured electronic protected health information (ePHI). On November 5, 2010, HHS notified NYP of HHS’ investigation regarding NYP’s compliance with the Privacy and Security Rules promulgated by HHS pursuant to the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.L. 104-191, 110 Stat. 1936. HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”):
a. NYP impermissibly disclosed the ePHI of 6,800 patients to Google and other Internet search engines when a computer server that had access to NYP ePHI information systems was errantly reconfigured.
b. NYP failed to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI.
c. NYP failed to implement processes for assessing and monitoring all IT equipment, applications, and data systems that were linked to NYP patient data bases prior to the breach incident, and failed to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level.
d. NYP failed to implement appropriate policies and procedures for authorizing access to its NYP patient data bases, and it failed to comply with its own policies on information access management.
Factual Background and Covered Conduct. On September 27, 2010, the HHS Office for Civil Rights received notification from “New York-Presbyterian Hospital and Columbia Medical Center” regarding a breach of unsecured electronic protected health information (ePHI). On November 5, 2010, HHS notified CU of HHS’ investigation regarding CU’s compliance with the Privacy and Security Rules promulgated by HHS pursuant to the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.L. 104-191, 110 Stat. 1936. HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”):
a. CU failed to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications and data systems utilizing ePHI, including the server accessing NYP-ePHI.
b. CU failed to implement processes for assessing and monitoring IT equipment, applications and data systems that were linked to NYP patient data bases prior to the breach incident and failed to implement security measures sufficient to reduce the risks of inappropriate disclosure to an acceptable level.
Factual Background and Covered Conduct. On November 27, 2013, HHS received notification from UW Medicine regarding a breach of its unsecured electronic protected health information (e-PHI). On December 26, 2013, HHS notified UW Medicine of this investigation regarding UW Medicine’s compliance with the Privacy, Security, and Breach Notification Rules. HHS’s investigation indicated that the following conduct occurred (“Covered Conduct”).
A. UW Medicine failed to implement policies and procedures to prevent, detect, contain, and correct security violations. Specifically, it has failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI. (See 45 C.F.R. § 164.308(a)(1)(i)).
Factual Background and Covered Conduct. On March 23, 2013, HHS received notification from OHSU regarding a breach of its unsecured electronic protected health information (“ePHI”) resulting from a stolen laptop computer. On July 28, 2013, HHS received notification from OHSU regarding a breach of its ePHI resulting from storing ePHI at an internet-based service provider without a business associate agreement. On May 1, 2013, and on November 8, 2013, HHS notified OHSU of its investigations of these breach incidents, respectively, regarding OHSU’s compliance with the HIPAA Rules. HHS’s investigations indicated that OHSU had implemented policies and procedures pursuant to the HIPAA Rules; however, HHS’s investigations indicated the following conduct occurred (“Covered Conduct”).
A. From January 5, 2011, until July 3, 2013, OHSU disclosed the ePHI of 3,044 individuals in violation of the Privacy Rule (See 45 C.F.R. §§ 160.103 and 164.502(a)) when workforce members disclosed the ePHI to a third party internet-based service provider without obtaining a business associate agreement or other satisfactory assurance that the internet-based service provider would safeguard the ePHI;
B. From January 5, 2011, until July 3, 2013, OHSU failed to obtain a business associate agreement from an internet-based service provider that was storing ePHI on its behalf as a business associate as required by 45 C.F.R. § 164.308(b);
C. From January 5, 2011, until July 3, 2013, OHSU failed to implement policies and procedures to prevent, detect, contain, and correct security violations. (See 45 C.F.R. § 164.308(a)(1)(i));
D. From July 12, 2010, to present, OHSU failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for all ePHI maintained in OHSU’s enterprise. (See 45 C.F.R. §§ 164.312(a)(2)(iv) and 164.306(d)(3)); and
E. From May 29, 2013, until July 3, 2013, OHSU failed to implement policies and procedures to address security incidents. (See 45 C.F.R. § 164.308(a)(6)(i)).