MedEvolve, Inc. Resolution Agreement and Corrective Action Plan | HHS.gov
MedEvolve, Inc. Resolution Agreement and Corrective Action Plan
Resolution Agreement
I. Recitals
Parties. The Parties to this Resolution Agreement ("Agreement") are:
The United States Department of Health and Human Services, Office for Civil Rights (“HHS”), which enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the Federal standards for notification in the case of breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”). HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates, and covered entities and business associates must cooperate with HHS compliance reviews and investigations. See 45 C.F.R. §§ 160.306(c), 160.308, and 160.310(b).
MedEvolve, Inc. (“MedEvolve”) is a business associate, as defined under 45 C.F.R. § 160.103, and therefore is required to comply with the HIPAA Security Rule and certain provisions of the Privacy and Breach Notification Rules. MedEvolve provides covered entities practice management, revenue cycle management and practice analytics software services. MedEvolve is located in Little Rock, Arkansas. HHS and MedEvolve shall together be referred to herein as the “Parties.”
Factual Background and Covered Conduct. OCR received an initial Breach Notification Report on July 10, 2018, followed by addendums on July 30, 2018 and August 12, 2020 (the Reports) filed by MedEvolve. According to the Reports, on May 4, 2018, MedEvolve discovered that a File Transfer Protocol (FTP) server containing PHI had been unsecure and accessible on the internet since January 1, 2018. The breach affected the PHI of a total of 230,572 individuals at two covered entities for which MedEvolve provided software and revenue cycle management services: Premier Immediate Medical Care, LLC (204,607 individuals affected) and the office of Dr. Beverly Held (25,965 individuals affected). OCR has evidence that the PHI for both covered entities was viewed by at least one unauthorized individual during the time the FTP server was open to the public.
HHS's investigation indicated that the following conduct occurred (Covered Conduct):
The protected heath information (PHI) of 230,572 individuals had been disclosed. See 45 C.F.R. § 164.502(a);
MedEvolve failed to enter into a business associate agreement with a subcontractor. See 45 C.F.R. § 164.502(e)(1)(ii);
MedEvolve’s assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by it as a business associate was not sufficiently accurate or thorough. See 45 C.F.R. § 164.308(a)(1)(ii)(A).
No Admission. This Agreement is not an admission of liability by MedEvolve.
No Concession. This Agreement is not a concession by HHS that MedEvolve is not in violation of the HIPAA Rules and not liable for civil money penalties.
Intention of Parties to Effect Resolution. This Agreement is intended to resolve OCR Transaction Number 18-311029 and any potential violations of the HIPAA Rules related to the Covered Conduct specified in paragraph I.2 of this Agreement. In consideration of the Parties’ interest in avoiding the uncertainty, burden, and expense of further investigation and formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below.
II. Terms and Conditions
Payment. HHS has agreed to accept, and MedEvolve has agreed to pay HHS, the amount of $350,000 (“Resolution Amount”). MedEvolve agrees to pay the Resolution Amount within 14 days from the Effective Date of this Agreement as defined in paragraph II.14 by automated clearing house transaction pursuant to written instructions to be provided by HHS.
Corrective Action Plan. MedEvolve has entered into and agrees to comply with the Corrective Action Plan (“CAP”), attached as Appendix A, which is incorporated into this Agreement by reference. If MedEvolve breaches the CAP, and fails to cure the breach as set forth in the CAP, then MedEvolve will be in breach of this Agreement and HHS will not be subject to the Release set forth in paragraph II.8 of this Agreement.
Release by HHS. In consideration of and conditioned upon MedEvolve’s performance of its obligations under this Agreement, HHS releases MedEvolve from any actions it may have against MedEvolve under the HIPAA Rules arising out of or related to the Covered Conduct identified in paragraph I.2 of this Agreement. HHS does not release MedEvolve from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct and referred to in this paragraph. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
Agreement by Released Party. MedEvolve shall not contest the validity of its obligation to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. MedEvolve waives all procedural rights granted under Section 1128A of the Social Security Act (42 U.S.C. § 1320a-7a) and 45 C.F.R. Part 160, Subpart E, and HHS claims collection regulations at 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount.
Binding on Successors. This Agreement is binding on MedEvolve and its successors, heirs, transferees, and assigns.
Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement.
No Additional Releases. This Agreement is intended to be for the benefit of the Parties only and by this instrument the Parties do not release any claims against or by any other person or entity.
Effect of Agreement. This Agreement constitutes the complete agreement between the Parties. All material representations, understandings, and promises of the Parties are contained in this Agreement. Any modifications to this Agreement shall be set forth in writing and signed by all Parties.
Execution of Agreement and Effective Date. The Agreement shall become effective (i.e., final and binding) upon the date of signing of this Agreement and the CAP by the last signatory (“Effective Date”).
Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a civil money penalty (“CMP”) must be imposed within six (6) years from the date of the occurrence of the violation. To ensure that this six-year period does not expire during the term of this Agreement, MedEvolve agrees that the time between the Effective Date of this Agreement (as set forth in Paragraph 14) and the date the Agreement may be terminated by reason of MedEvolve’s breach, plus one-year thereafter, will not be included in calculating the six (6) year statute of limitations applicable to the violations which are the subject of this Agreement. MedEvolve waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the covered conduct identified in paragraph I.2 that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Agreement.
Disclosure. HHS places no restriction on the publication of the Agreement.
Execution in Counterparts.This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement.
Authorizations. The individual(s) signing this Agreement on behalf of MedEvolve represent and warrant that they are authorized by MedEvolve to execute this Agreement. The individual(s) signing this Agreement on behalf of HHS represent and warrant that they are signing this Agreement in their official capacities and that they are authorized to execute this Agreement.
For MedEvolve, Inc.
/s/
Matthew D. Rolfes,
President and CEO
MedEvolve, Inc.
03/17/2023
Date
For the United States Department of Health and Human Services
/s/
Marisa M. Smith, Ph.D.
Regional Manager
Office for Civil Rights, Southwest Region
03/17/2023
Date
Appendix A
Corrective Action Plan
Between the
U.S. Department of Health and Human Services
And
Medevolve, Inc.
I. Preamble
MedEvolve, Inc. (referred to herein as “MedEvolve”) hereby enters into this Corrective Action Plan (“CAP”) with the United States Department of Health and Human Services, Office for Civil Rights (“HHS”). Contemporaneously with this CAP, MedEvolve is entering into a Resolution Agreement (“Agreement”) with HHS, and this CAP is incorporated by reference into the Agreement as Appendix A. MedEvolve enters into this CAP as part of the consideration for the release set forth in paragraph II.8 of the Agreement.
II. Contact Persons and Submissions
Contact Persons.
MedEvolve has identified the following individual as its authorized representative and contact person regarding the implementation of this CAP and for receipt and submission of notifications and reports:
Matthew D. Rolfes
President and CEO
MedEvolve, Inc.
U.S. Department of Health and Human Services
1115 West 3rd Street
Little Rock, AR 72201
Voice Phone (800) 964-5129
Fax: (501) 687-9276
[email protected]
HHS has identified the following individual as its authorized representative and contact person with whom MedEvolve is to report information regarding the implementation of this CAP:
Marisa M. Smith, Ph.D.
Regional Manager
Office for Civil Rights, Southwest Region
U.S. Department of Health and Human Services
1301 Young Street, Suite 106-1130
Dallas, TX 75202
Voice Phone (214) 767-6973
Fax: (214) 767-0432
[email protected]
MedEvolve and HHS agree to promptly notify each other of any changes in the contact persons or the other information provided above.
Proof of Submissions.
Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including certified mail, overnight mail, or hand delivery, provided that there is proof that such notification was received. For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt.
III. Effective Date and Term of CAP
The Effective Date for this CAP shall be calculated in accordance with paragraph II.14 of the Agreement (“Effective Date”). The period for compliance (“Compliance Term”) with the obligations assumed by MedEvolve under this CAP shall begin on the Effective Date of this CAP and end two (2) years from the Effective Date, unless HHS has notified MedEvolve under section VIII hereof of its determination that MedEvolve has breached this CAP. In the event of such a notification by HHS under section VIII hereof, the Compliance Term shall not end until HHS notifies MedEvolve that it has determined that the breach has been cured. After the Compliance Term ends, MedEvolve shall still be obligated to: (a) submit the final Annual Report as required by section VI; and (b) comply with the document retention requirement in section VII.
IV. Time
In computing any period of time prescribed or allowed by this CAP, all days referred to shall be calendar days. The day of the act, event, or default from which the designated period of time begins to run shall not be included. The last day of the period so computed shall be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day which is not one of the aforementioned days.
V. Corrective Action Obligations
MedEvolve agrees to the following:
Conduct a Risk Analysis
MedEvolve shall conduct and complete an accurate and thorough analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by MedEvolve or its affiliates that are owned, controlled or managed by MedEvolve that contain, store, transmit or receive MedEvolve ePHI. As part of this process, MedEvolve shall include a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and application that contain or store ePHI which will then be incorporated in its risk analysis.
Within 30 calendar days of the Effective Date, MedEvolve shall submit to HHS the scope and methodology by which it proposes to conduct the risk analysis. HHS shall notify MedEvolve whether the proposed scope and methodology is or is not consistent with 45 C.F.R. § 164.308 (a)(l)(ii)(A).
MedEvolve shall provide the risk analysis, consistent with paragraph V.B.l., to HHS within 60 days of HHS's approval of the scope and methodology described in paragraph V.B.2 for HHS's review.
Upon submission by MedEvolve, HHS shall review and recommend changes to the aforementioned risk analysis. Upon receiving HHS’s recommended changes, MedEvolve shall have 30 calendar days to submit a revised risk analysis. This process will continue until HHS provides final approval of the risk analysis.
MedEvolve shall annually conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by MedEvolve, affiliates that are owned, controlled, or managed by MedEvolve; and document the security measures MedEvolve implemented or is implementing to sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level. Subsequent risk analyses and corresponding management plans shall be submitted for review by HHS in the same manner as described in this section until the conclusion of the CAP.
Develop and Implement a Risk Management Plan
MedEvolve shall develop an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis specified in section V.A.1. above. The risk management plan shall include a process and timeline for MedEvolve’s implementation, evaluation, and revision of its risk remediation activities.
Within 60 calendar days of HHS’s final approval of the risk analysis described in section V.A.1 above, MedEvolve shall submit a risk management plan to HHS for HHS’s review and approval. HHS shall approve, or, if necessary, require revisions to MedEvolve’s risk management plan.
Upon receiving HHS’s notice of required revisions, if any, MedEvolve shall have 30 calendar days to revise the risk management plan accordingly and forward for review and approval. This process shall continue until HHS approves the risk management plan.
Within 60 calendar days of HHS’s approval of the risk management plan, MedEvolve shall finalize and officially adopt the risk management plan in accordance with its applicable administrative procedures.
Policies and Procedures
MedEvolve shall develop, maintain, and revise, as necessary, its written policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information (45 C.F.R. Part 160 and Subparts A, C, and E of Part 164, the “Privacy Rule” and “Security Rule”). MedEvolve’s policies and procedures shall include, but not be limited to, the minimum content set forth in section V.E.
MedEvolve shall provide such policies and procedures to HHS within 60 calendar days of receipt of HHS’s approval of the risk management plan required by paragraph V.B above.
Upon receiving HHS’s notice of required revisions, if any, MedEvolve shall have calendar days to revise the policies and procedures accordingly and provide the revised policies and procedures to HHS for review and approval. This process shall continue until HHS approves the policies and procedures.
Within 60 calendar days of HHS’s approval of the policies and procedures, MedEvolve shall implement such policies and procedures.
Distribution of Policies and Procedures
Upon HHS’s approval of policies and procedures in Section V.C., MedEvolve shall distribute the approved policies and procedures to all members of the workforce who have access to PHI during MedEvolve’s reoccurring annual training or within 60 calendar days of HHS’ approval of such policies, whichever comes first. MedEvolve shall also distribute such policies and procedures to new workforce members whose job duties involve access to PHI within 30 days of their beginning service.
MedEvolve shall require, at the time of distribution of such policies and procedures, a signed written or electronic initial compliance certification from all workforce members stating that such workforce members have read, understand, and shall abide by such policies and procedures.
MedEvolve shall not provide access to PHI to any workforce member if that workforce member has not signed or provided the written or electronic certification required by paragraph 2 of this section.
Minimum Content of the Policies and Procedures
The Policies and Procedures shall include, but not be limited to, measures to address the following:
Business Associate Agreements 45 C.F.R. § 164.502(e)(1)(ii);
Any recommendations from MedEvolve’s risk management plan completed pursuant to section V.B.
Training
Within 30 calendar days of HHS's final approval of the policies and procedures required by section V.C. of this CAP, MedEvolve shall augment its existing HIPAA and Security Training Program (“Training Program”) for all MedEvolve workforce members who have access to PHI. The Training Program shall include general instruction on compliance with MedEvolve’s HIPAA policies and procedures. MedEvolve shall submit its proposed training materials on the policies and procedures to HHS for its review and approval. HHS shall approve, or, if necessary, require revisions to MedEvolve’s Training Program.
Upon receiving HHS’s notice of required revisions, if any, MedEvolve shall have 30 calendar days to revise the Training Program accordingly and forward to HHS for review and approval. This process shall continue until HHS approves the Training Program.
After receiving HHS’s final approval of the Training Program, MedEvolve shall provide training to all appropriate workforce members who have access to PHI during its annual scheduled training or within 60 days of HHS’s approval, whichever comes first. MedEvolve will provide this training to new workforce members whose job duties involve access to PHI within 30 calendar days of their beginning of service and in accordance with MedEvolve’s applicable administrative procedures for training.
Notwithstanding MedEvolve’s obligation to train its workforce members on revised policies and procedures in section V.C. above, after providing the training required by section V.F., MedEvolve shall provide annual retraining on MedEvolve’s HIPAA policies and procedures to all appropriate workforce members for the duration of the Compliance Term of this CAP.
Each workforce member who is required to attend training shall certify, in electronic or written form, that he or she has received the training. The training certification shall specify the date training was received. All training materials shall be retained in compliance with Section VII of this CAP.
Reportable Events
During the Compliance Term, in the event that MedEvolve receives information that a workforce member may have failed to comply with the policies and procedures submitted to HHS under section V.C., MedEvolve shall promptly investigate this matter. If MedEvolve determines, after such investigation, that during the Compliance Term a member of its workforce has failed to comply with the policies and procedures submitted to HHS under section V.C., and such failure is material, MedEvolve shall notify HHS in writing within 60 calendar days. Such violations shall be known as Reportable Events. The report to HHS shall include the following information:
A complete description of the event, including the relevant facts, the persons involved, and the provision(s) of the policies and procedures implicated; and
A description of the actions taken and any further steps MedEvolve plans to take to address the matter to mitigate any harm, and to prevent it from recurring, including application of appropriate sanctions against workforce members who failed to comply with the policies and procedures approved by HHS under section V.C.
VI. Implementation Report and Annual Reports
Implementation Report.
Within 120 calendar days after the receipt of HHS’s approval of all the policies and procedures required by section V.C., MedEvolve shall submit a written report to HHS summarizing the status of its implementation of the requirements of this CAP. This report, known as the “Implementation Report,” shall include:
An attestation signed by an owner or officer of MedEvolve attesting that the policies and procedures approved by HHS in section V.C. are being implemented;
An attestation signed by an owner or officer of MedEvolve attesting that all members of the workforce have completed the initial training required by section V.F.;
An attestation signed by an owner or officer of MedEvolve stating that he or she has reviewed the Implementation Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.
Annual Reports.
The one (1) year period after the Effective Date and each subsequent one (1) year period during the course of the Compliance Term shall be known as a “Reporting Period.” Within 60 calendar days after the close of each corresponding Reporting Period, MedEvolve shall submit a report to HHS regarding MedEvolve’s compliance with this CAP for each corresponding Reporting Period. This report, known as the “Annual Report,” shall include:
An attestation signed by an owner or officer of MedEvolve attesting that all members of the workforce have completed the training required by section V.F. during the Reporting Period;
An attestation signed by an officer or owner of MedEvolve attesting that any revision(s) to the policies and procedures required by section V.C. were adopted and distributed to all appropriate members of MedEvolve’s workforce in accordance with section V.D;
A summary of Reportable Events (defined in section V.G.), if any, the status of any corrective and preventative action(s) relating to all such Reportable Events, or an attestation signed by an officer or director of MedEvolve stating that no Reportable Events occurred during the Compliance Term.
An attestation signed by an owner or office of MedEvolve attesting that he or she has reviewed the Annual Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.
VII. Document Retention
MedEvolve shall maintain for inspection and copying, and shall provide to HHS, upon request, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date.
VIII. Breach Provisions
MedEvolve is expected to fully and timely comply with all provisions contained in this CAP.
Timely Written Requests for Extensions. MedEvolve may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act required by this CAP. A “timely written request” is defined as a request in writing received by HHS at least 5 calendar days prior to the date such an act is required or due to be performed. HHS shall respond to requested extensions within 5 calendar days of the request.
Notice of Breach of this CAP and Intent to Impose Civil Monetary Penalty. The parties agree that a breach of this CAP by MedEvolve constitutes a breach of the Agreement. Upon a determination by HHS that MedEvolve has breached this CAP, HHS may notify MedEvolve of: (1) MedEvolve’s breach; and (2) HHS’s intent to impose a civil money penalty (CMP), pursuant to 45 C.F.R. Part 160, or other remedies, for the Covered Conduct set forth in paragraph I.2 of the Agreement and for any other conduct that constitutes a violation of the HIPAA Privacy, Security, and Breach Notification Rules (“Notice of Breach and Intent to Impose CMP”).
MedEvolve Response. MedEvolve shall have 30 calendar days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS’s satisfaction that:
MedEvolve is in compliance with the obligations of the CAP that HHS cited as the basis for the breach;
the alleged breach has been cured; or
the alleged breach cannot be cured within the 30-day period, but that: (a) MedEvolve has begun to take action to cure the breach; (b) MedEvolve is pursuing such action with due diligence; and (c) MedEvolve has provided to HHS a reasonable timetable for curing the breach.
HHS shall not unreasonably withhold its satisfaction of MedEvolve’s compliance with Section VIII(C).
Imposition of CMP. If at the conclusion of the 30-day period, MedEvolve fails to meet the requirements of section VIII.C of this CAP to HHS’s satisfaction or the Parties cannot agree to a mutual resolution per section VIII.C, HHS may proceed with the imposition of the CMP against MedEvolve pursuant to 45 C.F.R. Part 160 for any violations of the Covered Conduct set forth in paragraph 2 of the Agreement and for any other act or failure to act that constitutes a violation of the HIPAA Rules. HHS shall notify MedEvolve in writing of its determination to proceed with the imposition of the CMP. MedEvolve reserves all rights to dispute HHS’ determination, in law and equity. HHS must offset any CMP amount levied under this section by the amounts already paid by MedEvolve in lieu of CMPs under this Resolution Agreement. Any such offset will apply only to Covered Conduct up to and including the Effective Date.
For MedEvolve, Inc.
/s/
Matthew D. Rolfes
President and CEO
MedEvolve, Inc.
03/17/2023
Date
For the United States Department of Health and Human Services
/s/
Marisa M. Smith, Ph.D.
Regional Manager
Office for Civil Rights
Southwest Region
03/17/2023
Date
Resolution Agreement
I. Recitals
Parties. The Parties to this Resolution Agreement ("Agreement") are:
The United States Department of Health and Human Services, Office for Civil Rights (“HHS”), which enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the Federal standards for notification in the case of breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”). HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates, and covered entities and business associates must cooperate with HHS compliance reviews and investigations. See 45 C.F.R. §§ 160.306(c), 160.308, and 160.310(b).
MedEvolve, Inc. (“MedEvolve”) is a business associate, as defined under 45 C.F.R. § 160.103, and therefore is required to comply with the HIPAA Security Rule and certain provisions of the Privacy and Breach Notification Rules. MedEvolve provides covered entities practice management, revenue cycle management and practice analytics software services. MedEvolve is located in Little Rock, Arkansas. HHS and MedEvolve shall together be referred to herein as the “Parties.”
Factual Background and Covered Conduct. OCR received an initial Breach Notification Report on July 10, 2018, followed by addendums on July 30, 2018 and August 12, 2020 (the Reports) filed by MedEvolve. According to the Reports, on May 4, 2018, MedEvolve discovered that a File Transfer Protocol (FTP) server containing PHI had been unsecure and accessible on the internet since January 1, 2018. The breach affected the PHI of a total of 230,572 individuals at two covered entities for which MedEvolve provided software and revenue cycle management services: Premier Immediate Medical Care, LLC (204,607 individuals affected) and the office of Dr. Beverly Held (25,965 individuals affected). OCR has evidence that the PHI for both covered entities was viewed by at least one unauthorized individual during the time the FTP server was open to the public.
HHS's investigation indicated that the following conduct occurred (Covered Conduct):
The protected heath information (PHI) of 230,572 individuals had been disclosed. See 45 C.F.R. § 164.502(a);
MedEvolve failed to enter into a business associate agreement with a subcontractor. See 45 C.F.R. § 164.502(e)(1)(ii);
MedEvolve’s assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by it as a business associate was not sufficiently accurate or thorough. See 45 C.F.R. § 164.308(a)(1)(ii)(A).
No Admission. This Agreement is not an admission of liability by MedEvolve.
No Concession. This Agreement is not a concession by HHS that MedEvolve is not in violation of the HIPAA Rules and not liable for civil money penalties.
Intention of Parties to Effect Resolution. This Agreement is intended to resolve OCR Transaction Number 18-311029 and any potential violations of the HIPAA Rules related to the Covered Conduct specified in paragraph I.2 of this Agreement. In consideration of the Parties’ interest in avoiding the uncertainty, burden, and expense of further investigation and formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below.
II. Terms and Conditions
Payment. HHS has agreed to accept, and MedEvolve has agreed to pay HHS, the amount of $350,000 (“Resolution Amount”). MedEvolve agrees to pay the Resolution Amount within 14 days from the Effective Date of this Agreement as defined in paragraph II.14 by automated clearing house transaction pursuant to written instructions to be provided by HHS.
Corrective Action Plan. MedEvolve has entered into and agrees to comply with the Corrective Action Plan (“CAP”), attached as Appendix A, which is incorporated into this Agreement by reference. If MedEvolve breaches the CAP, and fails to cure the breach as set forth in the CAP, then MedEvolve will be in breach of this Agreement and HHS will not be subject to the Release set forth in paragraph II.8 of this Agreement.
Release by HHS. In consideration of and conditioned upon MedEvolve’s performance of its obligations under this Agreement, HHS releases MedEvolve from any actions it may have against MedEvolve under the HIPAA Rules arising out of or related to the Covered Conduct identified in paragraph I.2 of this Agreement. HHS does not release MedEvolve from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct and referred to in this paragraph. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
Agreement by Released Party. MedEvolve shall not contest the validity of its obligation to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. MedEvolve waives all procedural rights granted under Section 1128A of the Social Security Act (42 U.S.C. § 1320a-7a) and 45 C.F.R. Part 160, Subpart E, and HHS claims collection regulations at 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount.
Binding on Successors. This Agreement is binding on MedEvolve and its successors, heirs, transferees, and assigns.
Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement.
No Additional Releases. This Agreement is intended to be for the benefit of the Parties only and by this instrument the Parties do not release any claims against or by any other person or entity.
Effect of Agreement. This Agreement constitutes the complete agreement between the Parties. All material representations, understandings, and promises of the Parties are contained in this Agreement. Any modifications to this Agreement shall be set forth in writing and signed by all Parties.
Execution of Agreement and Effective Date. The Agreement shall become effective (i.e., final and binding) upon the date of signing of this Agreement and the CAP by the last signatory (“Effective Date”).
Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a civil money penalty (“CMP”) must be imposed within six (6) years from the date of the occurrence of the violation. To ensure that this six-year period does not expire during the term of this Agreement, MedEvolve agrees that the time between the Effective Date of this Agreement (as set forth in Paragraph 14) and the date the Agreement may be terminated by reason of MedEvolve’s breach, plus one-year thereafter, will not be included in calculating the six (6) year statute of limitations applicable to the violations which are the subject of this Agreement. MedEvolve waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the covered conduct identified in paragraph I.2 that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Agreement.
Disclosure. HHS places no restriction on the publication of the Agreement.
Execution in Counterparts.This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement.
Authorizations. The individual(s) signing this Agreement on behalf of MedEvolve represent and warrant that they are authorized by MedEvolve to execute this Agreement. The individual(s) signing this Agreement on behalf of HHS represent and warrant that they are signing this Agreement in their official capacities and that they are authorized to execute this Agreement.
For MedEvolve, Inc.
/s/
Matthew D. Rolfes,
President and CEO
MedEvolve, Inc.
03/17/2023
Date
For the United States Department of Health and Human Services
/s/
Marisa M. Smith, Ph.D.
Regional Manager
Office for Civil Rights, Southwest Region
03/17/2023
Date
Appendix A
Corrective Action Plan
Between the
U.S. Department of Health and Human Services
And
Medevolve, Inc.
I. Preamble
MedEvolve, Inc. (referred to herein as “MedEvolve”) hereby enters into this Corrective Action Plan (“CAP”) with the United States Department of Health and Human Services, Office for Civil Rights (“HHS”). Contemporaneously with this CAP, MedEvolve is entering into a Resolution Agreement (“Agreement”) with HHS, and this CAP is incorporated by reference into the Agreement as Appendix A. MedEvolve enters into this CAP as part of the consideration for the release set forth in paragraph II.8 of the Agreement.
II. Contact Persons and Submissions
Contact Persons.
MedEvolve has identified the following individual as its authorized representative and contact person regarding the implementation of this CAP and for receipt and submission of notifications and reports:
Matthew D. Rolfes
President and CEO
MedEvolve, Inc.
U.S. Department of Health and Human Services
1115 West 3rd Street
Little Rock, AR 72201
Voice Phone (800) 964-5129
Fax: (501) 687-9276
[email protected]
HHS has identified the following individual as its authorized representative and contact person with whom MedEvolve is to report information regarding the implementation of this CAP:
Marisa M. Smith, Ph.D.
Regional Manager
Office for Civil Rights, Southwest Region
U.S. Department of Health and Human Services
1301 Young Street, Suite 106-1130
Dallas, TX 75202
Voice Phone (214) 767-6973
Fax: (214) 767-0432
[email protected]
MedEvolve and HHS agree to promptly notify each other of any changes in the contact persons or the other information provided above.
Proof of Submissions.
Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including certified mail, overnight mail, or hand delivery, provided that there is proof that such notification was received. For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt.
III. Effective Date and Term of CAP
The Effective Date for this CAP shall be calculated in accordance with paragraph II.14 of the Agreement (“Effective Date”). The period for compliance (“Compliance Term”) with the obligations assumed by MedEvolve under this CAP shall begin on the Effective Date of this CAP and end two (2) years from the Effective Date, unless HHS has notified MedEvolve under section VIII hereof of its determination that MedEvolve has breached this CAP. In the event of such a notification by HHS under section VIII hereof, the Compliance Term shall not end until HHS notifies MedEvolve that it has determined that the breach has been cured. After the Compliance Term ends, MedEvolve shall still be obligated to: (a) submit the final Annual Report as required by section VI; and (b) comply with the document retention requirement in section VII.
IV. Time
In computing any period of time prescribed or allowed by this CAP, all days referred to shall be calendar days. The day of the act, event, or default from which the designated period of time begins to run shall not be included. The last day of the period so computed shall be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day which is not one of the aforementioned days.
V. Corrective Action Obligations
MedEvolve agrees to the following:
Conduct a Risk Analysis
MedEvolve shall conduct and complete an accurate and thorough analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by MedEvolve or its affiliates that are owned, controlled or managed by MedEvolve that contain, store, transmit or receive MedEvolve ePHI. As part of this process, MedEvolve shall include a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and application that contain or store ePHI which will then be incorporated in its risk analysis.
Within 30 calendar days of the Effective Date, MedEvolve shall submit to HHS the scope and methodology by which it proposes to conduct the risk analysis. HHS shall notify MedEvolve whether the proposed scope and methodology is or is not consistent with 45 C.F.R. § 164.308 (a)(l)(ii)(A).
MedEvolve shall provide the risk analysis, consistent with paragraph V.B.l., to HHS within 60 days of HHS's approval of the scope and methodology described in paragraph V.B.2 for HHS's review.
Upon submission by MedEvolve, HHS shall review and recommend changes to the aforementioned risk analysis. Upon receiving HHS’s recommended changes, MedEvolve shall have 30 calendar days to submit a revised risk analysis. This process will continue until HHS provides final approval of the risk analysis.
MedEvolve shall annually conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by MedEvolve, affiliates that are owned, controlled, or managed by MedEvolve; and document the security measures MedEvolve implemented or is implementing to sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level. Subsequent risk analyses and corresponding management plans shall be submitted for review by HHS in the same manner as described in this section until the conclusion of the CAP.
Develop and Implement a Risk Management Plan
MedEvolve shall develop an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis specified in section V.A.1. above. The risk management plan shall include a process and timeline for MedEvolve’s implementation, evaluation, and revision of its risk remediation activities.
Within 60 calendar days of HHS’s final approval of the risk analysis described in section V.A.1 above, MedEvolve shall submit a risk management plan to HHS for HHS’s review and approval. HHS shall approve, or, if necessary, require revisions to MedEvolve’s risk management plan.
Upon receiving HHS’s notice of required revisions, if any, MedEvolve shall have 30 calendar days to revise the risk management plan accordingly and forward for review and approval. This process shall continue until HHS approves the risk management plan.
Within 60 calendar days of HHS’s approval of the risk management plan, MedEvolve shall finalize and officially adopt the risk management plan in accordance with its applicable administrative procedures.
Policies and Procedures
MedEvolve shall develop, maintain, and revise, as necessary, its written policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information (45 C.F.R. Part 160 and Subparts A, C, and E of Part 164, the “Privacy Rule” and “Security Rule”). MedEvolve’s policies and procedures shall include, but not be limited to, the minimum content set forth in section V.E.
MedEvolve shall provide such policies and procedures to HHS within 60 calendar days of receipt of HHS’s approval of the risk management plan required by paragraph V.B above.
Upon receiving HHS’s notice of required revisions, if any, MedEvolve shall have calendar days to revise the policies and procedures accordingly and provide the revised policies and procedures to HHS for review and approval. This process shall continue until HHS approves the policies and procedures.
Within 60 calendar days of HHS’s approval of the policies and procedures, MedEvolve shall implement such policies and procedures.
Distribution of Policies and Procedures
Upon HHS’s approval of policies and procedures in Section V.C., MedEvolve shall distribute the approved policies and procedures to all members of the workforce who have access to PHI during MedEvolve’s reoccurring annual training or within 60 calendar days of HHS’ approval of such policies, whichever comes first. MedEvolve shall also distribute such policies and procedures to new workforce members whose job duties involve access to PHI within 30 days of their beginning service.
MedEvolve shall require, at the time of distribution of such policies and procedures, a signed written or electronic initial compliance certification from all workforce members stating that such workforce members have read, understand, and shall abide by such policies and procedures.
MedEvolve shall not provide access to PHI to any workforce member if that workforce member has not signed or provided the written or electronic certification required by paragraph 2 of this section.
Minimum Content of the Policies and Procedures
The Policies and Procedures shall include, but not be limited to, measures to address the following:
Business Associate Agreements 45 C.F.R. § 164.502(e)(1)(ii);
Any recommendations from MedEvolve’s risk management plan completed pursuant to section V.B.
Training
Within 30 calendar days of HHS's final approval of the policies and procedures required by section V.C. of this CAP, MedEvolve shall augment its existing HIPAA and Security Training Program (“Training Program”) for all MedEvolve workforce members who have access to PHI. The Training Program shall include general instruction on compliance with MedEvolve’s HIPAA policies and procedures. MedEvolve shall submit its proposed training materials on the policies and procedures to HHS for its review and approval. HHS shall approve, or, if necessary, require revisions to MedEvolve’s Training Program.
Upon receiving HHS’s notice of required revisions, if any, MedEvolve shall have 30 calendar days to revise the Training Program accordingly and forward to HHS for review and approval. This process shall continue until HHS approves the Training Program.
After receiving HHS’s final approval of the Training Program, MedEvolve shall provide training to all appropriate workforce members who have access to PHI during its annual scheduled training or within 60 days of HHS’s approval, whichever comes first. MedEvolve will provide this training to new workforce members whose job duties involve access to PHI within 30 calendar days of their beginning of service and in accordance with MedEvolve’s applicable administrative procedures for training.
Notwithstanding MedEvolve’s obligation to train its workforce members on revised policies and procedures in section V.C. above, after providing the training required by section V.F., MedEvolve shall provide annual retraining on MedEvolve’s HIPAA policies and procedures to all appropriate workforce members for the duration of the Compliance Term of this CAP.
Each workforce member who is required to attend training shall certify, in electronic or written form, that he or she has received the training. The training certification shall specify the date training was received. All training materials shall be retained in compliance with Section VII of this CAP.
Reportable Events
During the Compliance Term, in the event that MedEvolve receives information that a workforce member may have failed to comply with the policies and procedures submitted to HHS under section V.C., MedEvolve shall promptly investigate this matter. If MedEvolve determines, after such investigation, that during the Compliance Term a member of its workforce has failed to comply with the policies and procedures submitted to HHS under section V.C., and such failure is material, MedEvolve shall notify HHS in writing within 60 calendar days. Such violations shall be known as Reportable Events. The report to HHS shall include the following information:
A complete description of the event, including the relevant facts, the persons involved, and the provision(s) of the policies and procedures implicated; and
A description of the actions taken and any further steps MedEvolve plans to take to address the matter to mitigate any harm, and to prevent it from recurring, including application of appropriate sanctions against workforce members who failed to comply with the policies and procedures approved by HHS under section V.C.
VI. Implementation Report and Annual Reports
Implementation Report.
Within 120 calendar days after the receipt of HHS’s approval of all the policies and procedures required by section V.C., MedEvolve shall submit a written report to HHS summarizing the status of its implementation of the requirements of this CAP. This report, known as the “Implementation Report,” shall include:
An attestation signed by an owner or officer of MedEvolve attesting that the policies and procedures approved by HHS in section V.C. are being implemented;
An attestation signed by an owner or officer of MedEvolve attesting that all members of the workforce have completed the initial training required by section V.F.;
An attestation signed by an owner or officer of MedEvolve stating that he or she has reviewed the Implementation Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.
Annual Reports.
The one (1) year period after the Effective Date and each subsequent one (1) year period during the course of the Compliance Term shall be known as a “Reporting Period.” Within 60 calendar days after the close of each corresponding Reporting Period, MedEvolve shall submit a report to HHS regarding MedEvolve’s compliance with this CAP for each corresponding Reporting Period. This report, known as the “Annual Report,” shall include:
An attestation signed by an owner or officer of MedEvolve attesting that all members of the workforce have completed the training required by section V.F. during the Reporting Period;
An attestation signed by an officer or owner of MedEvolve attesting that any revision(s) to the policies and procedures required by section V.C. were adopted and distributed to all appropriate members of MedEvolve’s workforce in accordance with section V.D;
A summary of Reportable Events (defined in section V.G.), if any, the status of any corrective and preventative action(s) relating to all such Reportable Events, or an attestation signed by an officer or director of MedEvolve stating that no Reportable Events occurred during the Compliance Term.
An attestation signed by an owner or office of MedEvolve attesting that he or she has reviewed the Annual Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.
VII. Document Retention
MedEvolve shall maintain for inspection and copying, and shall provide to HHS, upon request, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date.
VIII. Breach Provisions
MedEvolve is expected to fully and timely comply with all provisions contained in this CAP.
Timely Written Requests for Extensions. MedEvolve may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act required by this CAP. A “timely written request” is defined as a request in writing received by HHS at least 5 calendar days prior to the date such an act is required or due to be performed. HHS shall respond to requested extensions within 5 calendar days of the request.
Notice of Breach of this CAP and Intent to Impose Civil Monetary Penalty. The parties agree that a breach of this CAP by MedEvolve constitutes a breach of the Agreement. Upon a determination by HHS that MedEvolve has breached this CAP, HHS may notify MedEvolve of: (1) MedEvolve’s breach; and (2) HHS’s intent to impose a civil money penalty (CMP), pursuant to 45 C.F.R. Part 160, or other remedies, for the Covered Conduct set forth in paragraph I.2 of the Agreement and for any other conduct that constitutes a violation of the HIPAA Privacy, Security, and Breach Notification Rules (“Notice of Breach and Intent to Impose CMP”).
MedEvolve Response. MedEvolve shall have 30 calendar days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS’s satisfaction that:
MedEvolve is in compliance with the obligations of the CAP that HHS cited as the basis for the breach;
the alleged breach has been cured; or
the alleged breach cannot be cured within the 30-day period, but that: (a) MedEvolve has begun to take action to cure the breach; (b) MedEvolve is pursuing such action with due diligence; and (c) MedEvolve has provided to HHS a reasonable timetable for curing the breach.
HHS shall not unreasonably withhold its satisfaction of MedEvolve’s compliance with Section VIII(C).
Imposition of CMP. If at the conclusion of the 30-day period, MedEvolve fails to meet the requirements of section VIII.C of this CAP to HHS’s satisfaction or the Parties cannot agree to a mutual resolution per section VIII.C, HHS may proceed with the imposition of the CMP against MedEvolve pursuant to 45 C.F.R. Part 160 for any violations of the Covered Conduct set forth in paragraph 2 of the Agreement and for any other act or failure to act that constitutes a violation of the HIPAA Rules. HHS shall notify MedEvolve in writing of its determination to proceed with the imposition of the CMP. MedEvolve reserves all rights to dispute HHS’ determination, in law and equity. HHS must offset any CMP amount levied under this section by the amounts already paid by MedEvolve in lieu of CMPs under this Resolution Agreement. Any such offset will apply only to Covered Conduct up to and including the Effective Date.
For MedEvolve, Inc.
/s/
Matthew D. Rolfes
President and CEO
MedEvolve, Inc.
03/17/2023
Date
For the United States Department of Health and Human Services
/s/
Marisa M. Smith, Ph.D.
Regional Manager
Office for Civil Rights
Southwest Region
03/17/2023
Date
