Factual Background and Covered Conduct. On September 27, 2010, the HHS Office for Civil Rights received notification from “New York-Presbyterian Hospital and Columbia Medical Center” regarding a breach of unsecured electronic protected health information (ePHI). On November 5, 2010, HHS notified CU of HHS’ investigation regarding CU’s compliance with the Privacy and Security Rules promulgated by HHS pursuant to the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.L. 104-191, 110 Stat. 1936. HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”):
Factual Background and Covered Conduct. On June 2, 2017, Respondent made a submission pursuant to OIG's Self Disclosure Protocol (Protocol), and OIG accepted Respondent into the Protocol on July 24, 2017. The OIG contends that Respondent knowingly presented to Medicare, Tricare, and VA claims for items or services that Respondent knew or should have known were not provided as claimed and were false or fraudulent. Specifically, the OIG contends that, in certain cases of three or more concurrent neurosurgical procedures performed at University Hospital Shreveport during the period November 1, 2011 through January 3, 2017, Respondent submitted claims for physician services by teaching surgeons when those services were supervisory services to the hospital rather than a physician service to individual patients. The OIG contends that the conduct described in this Paragraph (hereinafter referred to as the "Covered Conduct") subjects Respondent to civil monetary penalties, assessments, and exclusion under 42 U.S.C. §§ 1320a-7a and 1320a-7(b)(7).
Factual Background and Covered Conduct. In February 2014, the HHS Office for Civil Rights (OCR) received separate notifications from each of the six nursing homes regarding a breach of unsecured electronic protected health information (ePHI) at CHCS. On April 17, 2014, OCR notified CHCS of OCR’s investigation regarding CHCS’s compliance with the HIPAA Rules. OCR’s investigation indicated that the following conduct occurred (“Covered Conduct”):
Factual Background and Covered Conduct. Between August 23, 2013 and November 1, 2013, Advocate submitted three breach notification reports to HHS. Each breach report pertained to a separate and distinct incident involving Advocate Health and Hospitals Corporation d/b/a Advocate Medical Group (“AMG”), an Advocate subsidiary: On August 23, 2013, Advocate notified HHS regarding a breach of Advocate's unsecured electronic protected health information ("ePHI"). Advocate reported that four desktop computers containing the ePHI of approximately 4,029,530 individuals (later amended to 3,994,175) had been stolen from an AMG administrative office building, located on Touhy Avenue in Park Ridge, Illinois ("Touhy Support Center"), during the early morning hours of July 15, 2013. On August 29, 2013, HHS notified Advocate that HHS was opening an investigation into those aspects of Advocate's compliance with the HIPAA Rules implicated by Advocate's breach report. On September 13, 2013, Advocate notified HHS regarding another breach of Advocate's unsecured ePHI. This breach involved Blackhawk Consulting Group (`Blackhawk"), a business associate of Advocate, which provides billing services to AMG. Advocate reported that, at some point between June 30, 2013 and August 15, 2013, the ePHI of 2,027 AMG patients had been potentially compromised when an unauthorized third party accessed Blackhawk's network. On October 29, 2013, HHS notified Advocate that it was opening an investigation into Advocate's compliance with the HIPAA Rules implicated by Advocate's second breach report. On November 1, 2013, HHS received notification from Advocate regarding a third breach of Advocate's unsecured ePHI. Advocate reported that an unencrypted laptop containing the ePHI of approximately 2,237 individuals was stolen from an AMG workforce member's vehicle. On January 8, 2014, HHS notified Advocate that it was commencing an investigation regarding Advocate's compliance with the HIPAA Rules implicated by Advocate's third breach report. HHS’ investigations of the above breach reports indicated that the following conduct appears to have occurred, which shall be defined as “Covered Conduct” for purposes of this Agreement:
Factual Background and Covered Conduct. On February 10, 2015, OCR received an anonymous complaint alleging that on February 6 and 9, 2015, a “dumpster diver” brought medical records obtained from Filefax to a shredding and recycling facility to exchange for cash. OCR opened an investigation, which confirmed that an individual had left medical records of approximately 2,150 patients at the shredding and recycling facility, and that these medical records contained the patients’ protected health information (PHI). OCR’s investigation indicated that the following Covered Conduct occurred: Between January 28, 2015, and February 14, 2015, Filefax impermissibly disclosed the PHI of 2,150 individuals by leaving the PHI in an unlocked truck in the Filefax parking lot, or by granting permission to a person to remove the PHI from Filefax and leaving the PHI, unsecured, outside the Filefax facility for her to collect.
Factual Background and Covered Conduct. On September 14, 2012, HHS received notification from FIMR regarding a breach of its unsecured electronic protected health information (ePHI). FIMR reported that an unencrypted laptop was stolen on September 2, 2012, out of the car of one of its employees. On November 14, 2012, HHS notified FIMR that it was initiating an investigation regarding FIMR’s compliance with the HIPAA Rules. HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”):
Factual Background and Covered Conduct. On March 2, 2012, the HHS Office for Civil Rights (OCR) received notification from ACMHS regarding a breach of unsecured electronic protected health information (e-PHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources. On June 1, 2012, OCR notified ACMHS of OCR’s investigation regarding ACMHS’s compliance with the Privacy, Security, and Breach Notification Rules. OCR’s investigation indicated that the following conduct occurred (“Covered Conduct”):
Factual Background and Covered Conduct. On March 21, 2013, the HHS Office for Civil Rights (“OCR”) received notification from UMMC regarding a breach of unsecured electronic protected health information (“ePHI”) affecting 500 or more individuals at UMMC’s University Hospital. On October 25, 2013, HHS notified UMMC of its investigation regarding UM’s compliance with the Privacy, Security, and Breach Notification Rules.
Factual Background and Covered Conduct. On April 15, 2010, the HHS Office for Civil Rights (OCR) received notification from AHP regarding a breach of its unsecured electronic protected health information (EPHI). On May 19, 2010, OCR notified AHP of OCR’s investigation regarding AHP’s compliance with the Privacy, Security, and Breach Notification Rules. OCR’s investigation indicated that the following conduct occurred (“Covered Conduct”):
Factual Background and Covered Conduct. On November 27, 2013, HHS received notification from UW Medicine regarding a breach of its unsecured electronic protected health information (e-PHI). On December 26, 2013, HHS notified UW Medicine of this investigation regarding UW Medicine’s compliance with the Privacy, Security, and Breach Notification Rules. HHS’s investigation indicated that the following conduct occurred (“Covered Conduct”).
