RESOLUTION AGREEMENT
Exhibit 10.23
I. Recitals
1. |
Parties. The Parties to this Resolution Agreement (“Agreement”) are:
|
A. The United States Department of Health and Human Services, Office for Civil Rights (“HHS”), which enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the Federal standards for notification in the case of breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”). HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates, and covered entities and business associates must cooperate with HHS compliance reviews and investigations. See 45 C.F.R. §§ 160.306(c), 160.308, and 160.310(b).
B. Triple-S Management Corporation, on behalf of its wholly owned subsidiaries Triple-S Advantage, Inc. (“TSA”) (formerly known as American Health, Inc. d/b/a American Health Medicare (“AHM”)), Triple-S Salud, Inc. (“TSS”), and Triple-C, Inc. (“Triple-C”) (collectively, “TRIPLE-S”). TSA, TSS, and Triple-C are covered entities or business associates, as defined at 45 C.F.R. § 160.103, and therefore are required to comply with, all or part of, the HIPAA Rules.
HHS and TRIPLE-S shall together be referred to herein as the “Parties.”
2.
|
Factual Background and Covered Conduct.
|
Breaches Affecting Over 500 Individuals
On November 15, 2010, TSS and Triple-C reported to OCR that on September 21, 2010, it discovered that two former Triple-S workforce members employed by a competitor improperly accessed restricted areas of TSS’s proprietary internet IPA database managed by Triple-C, Inc. They were able to gain access to the database because their access rights were not terminated upon leaving the employment of Triple-S. As a result, the electronic Protected Health Information (ePHI) accessed in the database included members’ names, contract numbers, home addresses, diagnostic codes and treatment codes.
On November 8, 2013, TSS reported to OCR that on September 23, 2013, they became aware that their vendor disclosed TSS’s Medicare Advantage beneficiaries’ Protected Health Information (PHI) on the outside of a pamphlet mailed to the beneficiaries on September 20, 2013. The PHI disclosed included the beneficiary’s names, mailing addresses, and the Health Insurance Claim Number (HICN). The disclosure of the PHI to the vendor for purposes of the mailing took place without a Business Associate Agreement.
On May 18, 2014, AHM reported to OCR that on April 16, 2014, they became aware that their vendor disclosed the PHI of AHM’s Medicare Advantage beneficiaries’ on the outside of a pamphlet mailed to beneficiaries on September 20, 2013. The PHI disclosed included the beneficiary’s names, mailing addresses, and the Health Plan Identification Number. The disclosure of the PHI to the vendor for purposes of the mailing took place without a Business Associate Agreement.
On April 2, 2014, TSS and AHM (TSA) reported to OCR that on January 14, 2014, a former employee of their business associate, Triple-S Advantage Solutions, copied beneficiary ePHI onto a CD sometime before October 9, 2013, which he took home for an unknown period of time and subsequently downloaded onto a computer at his new employer. The ePHI used included beneficiaries enrollment information, including names, dates of births, contract numbers, HICN, home addresses’ and Social Security numbers.
On March 31, 2015, TSA reported to OCR that on October 15, 2014, an unauthorized disclosure occurred when enrollment staff placed the incorrect member ID cards in mailing envelopes, resulting in beneficiaries receiving the member ID card of another individual. The PHI impermissibly disclosed included members’ names, identification numbers, benefit packages, effective dates, contract numbers, co-payments and deductibles.
Breaches Affecting Under 500 Individuals
On February 27, 2015, TSA reported to OCR that on December 12, 2014, an unauthorized disclosure of PHI occurred when beneficiaries Health Plan Identification numbers was placed on labels used in a mailing to their beneficiaries. The PHI impermissibly disclosed included members’ names, mailing addresses and Health Plan Identification numbers.
On August 13, 2015, TSA reported to OCR that on January 28, 2015, a preventive mailing was sent to beneficiaries that included PHI for another member on the back of the member’s letter. The PHI impermissibly disclosed included members’ names, addresses and the name of the preventative test the member should have their doctor perform.
2
Following receipt of the aforementioned reports, HHS initiated investigations of TSS, TSA, and Triple-C to ascertain the entities’ compliance with the Privacy, Security, and Breach Notification Rules promulgated by HHS pursuant to the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.L. 104-191, 110 Stat. 1936. HHS’ investigations indicated that the following conduct occurred (“Covered Conduct”):
I. | TSS, TSA, and Triple-C impermissibly disclosed the PHI of beneficiaries as a result of the aforementioned breach incidents. See Uses and Disclosure of PHI – 45 C.F.R. §164.502(a). |
II. | TSS and TSA failed to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI. See Safeguards-45 C.F.R. § 164.530(C)(1) and (C)(2)(i). |
III. | TSS and TSA impermissibly disclosed its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement. See Business Associate Agreement - 45 C.F.R § 164.314(a)(2)(1). |
IV. | TSS and TSA disclosed more PHI than was necessary to accomplish the purpose for which it hired the outside vendor. See Minimum Necessary - 45 C.F.R § 164.514(d). |
V. | TSS and TSA failed to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI. See Risk Analysis – 45 C.F.R § 164.308(a)(1)(ii)(A). |
VI. | TSS and TSA failed to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. See Risk Management Plan – 45 C.F.R § 164.308(a)(1)(ii)(B). |
VII. | TSS and Triple-C failed to implement procedures for terminating access to ePHI when the employment of a workforce member ends. See Termination Procedures – 45 C.F.R § 164.308(a)(3)(ii)(c). |
3. No Admission. This Agreement is not an admission, concession, or evidence of liability by TRIPLE-S or of any fact or any violation of any law, rule, or regulation, including any violation of the HIPAA Rules.
4. No Concession. This Agreement is not a concession by HHS that TRIPLE is not in violation of the HIPAA Rules and not liable for civil money penalties.
5. Intention of Parties to Effect Resolution. This Agreement is intended to resolve any and all actual and potential breaches reported by TRIPLE-S to OCR prior to the Effective Date of this Agreement as defined in paragraph II.14 herein, including but not limited to, OCR Transaction Numbers: 11-150604, 11-150610, 14-170434, 14-183456, 14-180044, 14-180045, 15-206212, 15-207588, & 15-219035 (collectively “Reported Events”), and any violations of the HIPAA Rules related to the Covered Conduct specified in paragraph I.2 of this Agreement. In consideration of the Parties’ interest in avoiding the uncertainty, burden, and expense of further investigation and formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below.
II. Terms and Conditions
6. Payment. HHS has agreed to accept, and TRIPLE-S has agreed to pay HHS, the amount of $3,500,000 (“Resolution Amount”). TRIPLE-S agrees to pay the Resolution Amount on the Effective Date of this Agreement as defined in paragraph II.14 by automated clearing house transaction pursuant to written instructions to be provided by HHS.
3
7. Corrective Action Plan. TRIPLE-S has entered into and agrees to comply with the Corrective Action Plan (“CAP”), attached as Appendix A, which is incorporated into this Agreement by reference. If TRIPLE-S breaches the CAP, and fails to cure the breach as set forth in the CAP, then TRIPLE-S will be in breach of this Agreement and HHS will not be subject to the Release set forth in paragraph II.8 of this Agreement.
8. Release by HHS. In consideration of and conditioned upon TRIPLE-S ’s performance of its obligations under this Agreement, HHS releases TRIPLE-S from any actions it may have against TRIPLE-S under the HIPAA Rules arising out of or related to the Reported Events or the Covered Conduct identified in paragraphs I.2 and I.5 of this Agreement. HHS does not release TRIPLE-S from, nor waive, any rights, obligations, or causes of action other than those arising out of or related to the Reported Events or the Covered Conduct and referred to in this paragraph. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
9. Agreement by Released Parties. TRIPLE-S shall not contest the validity of its obligation to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. TRIPLE-S waives all procedural rights granted under Section 1128A of the Social Security Act (42 U.S.C. § 1320a-7a) and 45 C.F.R. Part 160 Subpart E, and HHS claims collection regulations at 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount.
10. Binding on Successors. This Agreement is binding on TRIPLE-S, and its successors, heirs, transferees, and assigns.
11. Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement.
12. No Additional Releases. This Agreement is intended to be for the benefit of the Parties only, and by this instrument the Parties do not release any claims against or by any other person or entity.
13. Effect of Agreement. This Agreement constitutes the complete agreement between the Parties. All material representations, understandings, and promises of the Parties are contained in this Agreement. Any modifications to this Agreement shall be set forth in writing and signed by all Parties.
14. Execution of Agreement and Effective Date. The Agreement shall become effective (i.e., final and binding) upon the date of signing of this Agreement and the CAP by the last signatory (“Effective Date”).
4
15. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a civil money penalty (“CMP”) must be imposed within six years from the date of the occurrence of the violation. To ensure that this six-year period does not expire during the term of this Agreement, TRIPLE-S agrees that the time between the Effective Date of this Agreement and the date the Agreement may be terminated by reason of TRIPLE-S’s breach, plus one-year thereafter, will not be included in calculating the six (6) year statute of limitations applicable to the violations which are the subject of this Agreement. TRIPLE-S waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the Covered Conduct or the Reported Events identified in paragraphs I.2 or I.5 that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Agreement.
16. Disclosure. HHS places no restriction on the publication of the Agreement. In addition, HHS may be required to disclose material related to this Agreement to any person upon request consistent with the applicable provisions of the Freedom of Information Act, 5 U.S.C. § 552, and its implementing regulations, 45 C.F.R. Part 5.
17. Execution in Counterparts. This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement.
18. Authorizations. The individual(s) signing this Agreement on behalf of TRIPLE-S represent and warrant that they are authorized by TRIPLE-S to execute this Agreement. The individual(s) signing this Agreement on behalf of HHS represent and warrant that they are signing this Agreement in their official capacities and that they are authorized to execute this Agreement.
For TRIPLE-S
|
|||
|
|||
/s/ Xxxxxxx Xxxxxx-Xxxxxxxxx | 11/20/2015 | ||
Xxxxxxx Xxxxxx-Xxxxxxxxx
|
Date
|
||
Chief Operating Officer
|
|||
Triple-S Management Corporation
|
|||
/s/ Xxxxx Xxxxxxxxx-Xxxxxxx | 11/20/2015 | ||
Xxxxx Xxxxxxxxx-Xxxxxxx
|
Date
|
||
President and Chief Executive Officer
|
|||
Triple-S Salud, Inc.
|
|||
/s/ Xxxxxxxx Xxxxxxxxx-Xxxxxxx | 11/20/2015 | ||
Xxxxxxxx Xxxxxxxxx-Xxxxxxx
|
Date
|
||
President and Chief Executive Officer
|
|||
Triple-S Advantage, Inc.
|
|||
For Department of Health and Human Services
|
|||
/s/ Xxxxx X. Xxxxx | |||
Xxxxx X. Xxxxx
|
11/20/2015
|
||
Regional Manager, Eastern and Caribbean Region
|
Date
|
||
Office for Civil Rights
|
5
Appendix A
CORRECTIVE ACTION PLAN
BETWEEN THE
DEPARTMENT OF HEALTH AND HUMAN SERVICES
AND
TRIPLE-S
I.
|
Preamble
|
TRIPLE-S Management Corporation, on behalf of its wholly owned subsidiaries Triple-S Salud, Inc., Triple-S Advantage, Inc., and Triple-C, Inc. (hereinafter known as “TRIPLE-S”) hereby enters into this Corrective Action Plan (“CAP”) with the United States Department of Health and Human Services, Office for Civil Rights (“HHS”). Contemporaneously with this CAP, TRIPLE-S is entering into a Resolution Agreement (“Agreement”) with HHS and this CAP is incorporated by reference into the Resolution Agreement as Appendix A. TRIPLE-S enters into this CAP as part of consideration for the release set forth in paragraph II.8 of the Agreement.
II. | Contact Persons and Submissions |
A. Contact Persons
TRIPLE-S has identified the following individual as its authorized representative and contact person regarding the implementation of this CAP and for receipt and submission of notifications and reports:
Xxxx Xxxx Xxxxxx, Chief Information Officer
Triple-S Management, Inc.
0000 X.X Xxxxxxxxx Xxxxxx
Xxx Xxxx, Xxxxxx Xxxx 00000
Telephone: (000) 000-0000
Fax: (000) 000-0000
Email: xxxxxx@xxxxx.xxx
HHS has identified the following individual as its authorized representative and contact person with whom TRIPLE-S is to report information regarding the implementation of this CAP:
Xxxxx X. Xxxxx, Regional Manager, Region II
Office for Civil Rights
U.S. Department of Health and Human Services
00 Xxxxxxx Xxxxx, Xxxxx 0000
Xxx Xxxx, Xxx Xxxx 00000
Voice Phone (000) 000-0000
Fax: (000) 000-0000
6
TRIPLE-S and HHS agree to promptly notify each other of any changes in the contact persons or the other information provided above.
B. Proof of Submissions. Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including certified mail, overnight mail, hand delivery, or email, provided that there is proof that such notification was received. For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt.
III. | Effective Date and Term of CAP |
The Effective Date for this CAP shall be calculated in accordance with paragraph II.14 of the Agreement (“Effective Date”). The period for compliance (“Compliance Term”) with the obligations assumed by TRIPLE-S under this CAP shall begin on the Effective Date of this CAP and end three (3) years from receipt of HHS’ approval of the policies and procedures required by paragraph V.C, unless HHS has notified TRIPLE-S under section VIII hereof of its determination that TRIPLE-S breached this CAP. In the event of such a notification by HHS under section VIII hereof, the Compliance Term shall not end until HHS notifies TRIPLE-S that it has determined that the breach has been cured. After the Compliance Term ends, TRIPLE-S shall still be obligated to submit the final Annual Report as required by section VI and comply with the document retention requirement in section VII.
IV. | Time |
In computing any period of time prescribed or allowed by this CAP, all days referred to shall be calendar days. The day of the act, event, or default from which the designated period of time begins to run shall not be included. The last day of the period so computed shall be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day which is not one of the aforementioned days.
V. | Corrective Action Obligations |
TRIPLE-S agrees to take the corrective actions specified below. To the extent necessary, TRIPLE-S shall collaborate with Puerto Rico Health Insurance Administration, also known as the Administracion de Seguros Salud de Puerto Rico, or “ASES,” as it relates to the privacy and security of Protected Health Information (“PHI”) created, received, maintained or transmitted by TRIPLE-S from, or on behalf of, ASES according to the terms of the contract(s) between TRIPLE-S and ASES.
A. Conduct Risk Analysis and Implement Risk Management Plan
1. Within one hundred eighty (180) calendar days of the Effective Date, TRIPLE-S shall conduct and complete an accurate, thorough, enterprise-wide risk analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by TRIPLE-S or its affiliates that contain, store, transmit or receive TRIPLE-S ePHI. As part of this process, TRIPLE-S shall develop a complete inventory of all electronic equipment, data systems, and applications that contain or store ePHI which will then be incorporated in its Risk Analysis.
7
2. Within ninety (90) calendar days of the completion of the Risk Analysis required in paragraph V.A.1., TRIPLE-S shall develop an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in its risk analysis. The plan shall include a process and timeline for implementation, evaluation, and revision. The plan shall be forwarded to HHS for its review consistent with paragraph V.A.3.
3. HHS shall review and recommend changes to the aforementioned risk management plan. Upon receiving HHS’ recommended changes, TRIPLE-S shall have sixty (60) calendar days to provide a revised plan. This process will continue until HHS provides final approval of the plan. TRIPLE-S shall begin implementation of the plan and distribute to workforce members involved with the implementation of the plan within ninety (90) calendar days of HHS’ approval.
4. TRIPLE-S shall annually conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by TRIPLE-S and TRIPLE-S Business Associates, and document the security measures TRIPLE-S implemented or is implementing to sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level.
B. Implement Process for Evaluating Environmental and Operational Changes.
Within one hundred twenty (120) calendar days of the Effective Date, TRIPLE-S shall develop a process to evaluate any environmental or operational changes that affect the security of TRIPLE-S ePHI. HHS shall review and recommend changes to the process. Upon receiving HHS’ recommended changes, TRIPLE-S shall have sixty (60) calendar days to provide a revised process to HHS for review and approval. TRIPLE-S shall implement its process, including distributing to workforce members with responsibility for performing such evaluations within ninety (90) calendar days of HHS’ approval.
C. Policies and Procedures
1. TRIPLE-S shall review and revise, as necessary, all of its written policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information (45 C.F.R. Part 160 and Subparts A, C and E of Part 164, the “Privacy Rule” and the “Security Rule”). TRIPLE-S’s policies and procedures shall include, but not be limited to, the minimum content set forth in section V.E.
2. TRIPLE-S shall provide such policies and procedures, consistent with paragraph 1 above, to HHS within 60 days of receipt of HHS’ approval of the risk management plan required by paragraph V.A above. Upon receiving any recommended changes to such policies and procedures from HHS, TRIPLE-S shall have 30 days to revise such policies and procedures accordingly and provide the revised policies and procedures to HHS for review and approval.
3. TRIPLE-S shall implement such policies and procedures within 30 days of receipt of HHS’ approval.
8
D. Distribution and Updating of Policies and Procedures
1. TRIPLE-S shall distribute the policies and procedures identified in section V.C. to all workforce members within thirty (30) days of HHS approval of such policies. TRIPLE-S shall distribute such policies and procedures to all new workforce members within thirty (30) days of the commencement of each such workforce member’s service. Triple S shall also distribute such policies and procedures to all of its business associates who utilize Triple S ePHI in carrying out contractual or work responsibilities.
2. TRIPLE-S shall require, at the time of distribution of such policies and procedures, a signed written or electronic initial compliance certification from all workforce members and business associates stating that such workforce members and business associates have read, understand, and shall abide by such policies and procedures.
3. TRIPLE-S shall assess, update, and revise, as necessary, the policies and procedures at least annually. TRIPLE-S shall provide such revised policies and procedures to HHS for review and approval. Within thirty (30) days of the effective date of any approved revisions, TRIPLE-S shall distribute such revised policies and procedures to all workforce members and business associates, and shall require new compliance certifications.
4. TRIPLE-S shall not provide access to PHI to any workforce member or business associate if that workforce member has not signed or provided the written or electronic certification required by paragraphs 2 & 3 of this section within a reasonable period of time after distribution of such policies and procedures.
E. Minimum Content of the Policies and Procedures
The Policies and Procedures shall include measures to address the following Privacy and Security Rule Provisions:
Privacy Rule Provisions
1. | Uses and Disclosures of PHI - 45 CFR § 164.502(a) |
2. | Minimum Necessary - 45 CFR § 164.502(b) |
3. | Disclosures to Business Associates- 45 C.F.R. § 164.502(e)(1) |
4. | Training – 45 C.F.R. § 530(b)(1) |
5. | Safeguards - 45 C.F.R. § 164.530(c)(1) |
6. | Changes to Policies and Procedures - 45 C.F.R. § 164.530(i)(2) |
Security Rule Provisions
7. | Administrative Safeguards, including all required and addressable implementation specifications – 45 C.F.R. § 164.308(a) and (b) |
9
8. | Device and Media Controls – 45 C.F.R. § 164.310(d)(1) |
9. | Encryption and Decryption – 45 C.F.R. § 164.312(a)(2)(iv) & 164.312(e)(2)(ii) |
10. | Audit Controls – 45 C.F.R. § 164.312(b) |
F. Reportable Events.
During the Compliance Term, TRIPLE-S shall, upon receiving information that a workforce member may have failed to comply with its Privacy, Security or Breach Notification Rule Policies and Procedures, promptly investigate this matter. If TRIPLE-S determines, after review and investigation, that a workforce member who agreed to comply with policies and procedures under section V.D.2. failed to comply with these policies and procedures, TRIPLE-S shall notify in writing HHS within thirty (30) days of reaching such determination. Such violations shall be known as Reportable Events. The report to HHS shall include the following information:
1. A complete description of the event, including the relevant facts, the persons involved, and the provision(s) of the policies and procedures implicated; and
2. A description of the actions taken and any further steps TRIPLE-S plans to take to address the matter to mitigate any harm, and to prevent it from recurring, including application of appropriate sanctions against workforce members who failed to comply with its Privacy, Security, or Breach Notification Rule Policies and Procedures.
If no Reportable Events occur within the Compliance Term, TRIPLE-S shall so inform HHS as provided in Section VI.B.4.
G. Training
1. TRIPLE-S shall provide HHS with training materials addressing the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all workforce members within sixty (60) days of receipt of HHS’ approval of the policies and procedures required by V.C above.
2. Upon receiving notice from HHS specifying any required changes, TRIPLE-S shall make the required changes and provide revised training materials to HHS within thirty (30) days.
3. Upon receiving approval from HHS, TRIPLE-S shall provide training using the approved training materials for all workforce members within (60) days of HHS’ approval and at least every twelve (12) months thereafter. TRIPLE-S shall also provide such training to each workforce member within (30) days of the commencement of such workforce member’s service.
4. Each workforce member who is required to attend training shall certify, in electronic or written form, that he or she has received the training. The training certification shall specify the date training was received. All course materials shall be retained in compliance with section VII.
10
5. TRIPLE-S shall review the training annually, and, where appropriate, update the training to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, and any other relevant developments.
6. TRIPLE-S shall not provide access to ePHI to any workforce member if that workforce member has not signed or provided the written or electronic certification required by paragraph V.G.4 within a reasonable period of time after completion of such training.
VI. | Implementation Report and Annual Reports |
A. Implementation Report. Within one hundred and twenty (120) days after the receipt of HHS’ approval of the policies and procedures required by section V.C., TRIPLE-S shall submit a written report to HHS summarizing the status of its implementation of the requirements of this CAP. This report, known as the “Implementation Report,” shall include:
1. An attestation signed by an owner or officer of TRIPLE-S attesting that the Policies and Procedures are being implemented, have been distributed to all workforce members, and that TRIPLE-S has obtained all of the compliance certifications required by sections V.D.2. and V.D.3.;
2. A copy of all training materials used for the training required by this CAP, a description of the training, including a summary of the topics covered, the length of the session(s), and a schedule of when the training session(s) were held;
3. An attestation signed by an owner or officer of TRIPLE-S attesting that all workforce members have completed the initial training required by this CAP and have executed the training certifications required by section V.D.2.;
4. An attestation signed by an owner or officer of TRIPLE-S listing each legal entity within TRIPLE-S and each TRIPLE-S Business Associate, including mailing addresses, the corresponding name under which each entity is doing business, and the corresponding phone numbers and fax numbers, and attesting that each such entity has complied with the obligations of this CAP; and
5. An attestation signed by an owner or officer of TRIPLE-S stating that he or she has reviewed the Implementation Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.
B. Annual Reports. The one-year period beginning on the Effective Date and each subsequent one-year period during the course of the period of compliance obligations shall be referred to as “the Reporting Periods.” TRIPLE-S also shall submit to HHS Annual Reports with respect to the status of and findings regarding TRIPLE-S’s compliance with this CAP for each of the three (3) Reporting Periods. TRIPLE-S shall submit each Annual Report to HHS no later than sixty (60) days after the end of each corresponding Reporting Period. The Annual Report shall include:
1. A schedule, topic outline, and copies of the training materials for the training programs attended in accordance with this CAP during the Reporting Period that is the subject of the report;
11
2. An attestation signed by an owner or officer of TRIPLE-S attesting that it is obtaining and maintaining written or electronic training certifications from all persons that require training that they received training pursuant to the requirements set forth in this CAP;
3. A summary of Reportable Events (defined in section V.F) identified during the Reporting Period and the status of any corrective and preventative action relating to all such Reportable Events;
4. An attestation signed by an owner or officer of TRIPLE-S attesting that he or she has reviewed the Annual Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.
VII. | Document Retention |
TRIPLE-S shall maintain for inspection and copying, and shall provide to OCR, upon request, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date.
VIII. | Breach Provisions |
TRIPLE-S is expected to fully and timely comply with all provisions contained in this CAP.
A. Timely Written Requests for Extensions
TRIPLE-S may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act required by this CAP. A “timely written request” is defined as a request in writing received by HHS at least five (5) days prior to the date such an act is required or due to be performed.
B. Notice of Breach of this CAP and Intent to Impose Civil Monetary Penalty. The parties agree that a breach of this CAP by TRIPLE-S constitutes a breach of the Agreement. Upon a determination by HHS that TRIPLE-S has breached this CAP, HHS may notify TRIPLE-S of: (1) TRIPLE-S’s breach; and (2) HHS’ intent to impose a civil money penalty (“CMP”) pursuant to 45 C.F.R. Part 160, or other remedies for the Covered Conduct set forth in paragraph I.2 of the Agreement and any other conduct that constitutes a violation of the HIPAA Privacy, Security, or Breach Notification Rules (“Notice of Breach and Intent to Impose CMP”).
C. TRIPLE-S’s Response. TRIPLE-S shall have thirty (30) days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS’ satisfaction that:
1. TRIPLE-S is in compliance with the obligations of the CAP that HHS cited as the basis for the breach;
2. The alleged breach has been cured; or
3. The alleged breach cannot be cured within the thirty (30) day period, but that: (a) TRIPLE-S has begun to take action to cure the breach; (b) TRIPLE-S is pursuing such action with due diligence; and (c) TRIPLE-S has provided to HHS a reasonable timetable for curing the breach.
12
D. Imposition of CMP. If at the conclusion of the thirty (30) day period, TRIPLE-S fails to meet the requirements of section VIII.C. of this CAP to HHS’ satisfaction, HHS may proceed with the imposition of a CMP against TRIPLE-S pursuant to 45 C.F.R. Part 160 for any violations of the Covered Conduct set forth in paragraph I.2 of the Agreement and for any other act or failure to act that constitutes a violation of the HIPAA Rules. HHS shall notify TRIPLE-S in writing of its determination to proceed with the imposition of a CMP.
For TRIPLE-S
|
|||
/s/ Xxxxxxx Xxxxxx-Xxxxxxxxx | 11/20/2015 | ||
Xxxxxxx Xxxxxx-Xxxxxxxxx
|
Date
|
||
Chief Operating Officer
|
|||
Triple-S Management Corporation
|
|||
/s/ Xxxxx Xxxxxxxxx-Xxxxxxx | 11/20/2015 | ||
Xxxxx Xxxxxxxxx-Xxxxxxx
|
Date
|
||
President and Chief Executive Officer
|
|||
Triple-S Salud, Inc.
|
|||
/s/ Xxxxxxxx Xxxxxxxxx-Xxxxxxx | 11/20/2015 | ||
Xxxxxxxx Xxxxxxxxx-Xxxxxxx
|
Date
|
||
President and Chief Executive Officer
|
|||
Triple-S Advantage, Inc.
|
|||
For United States Department of Health and Human Services
|
|||
11/20/2015 | |||
/s/ Xxxxx X. Xxxxx |
Date
|
||
Xxxxx X. Xxxxx
|
|||
Regional Manager, Eastern and Caribbean Region
|
|||
Office for Civil Rights
|
13