Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

  • About HHS
  • Programs & Services
  • Grants & Contracts
  • Laws & Regulations
  • Radical Transparency
  • Big Wins
  • HIPAA for Individuals
  • Filing a Complaint
  • HIPAA for Professionals
  • Newsroom
Breadcrumb
  1. HHS
  2. HIPAA Home
  3. For Professionals
  4. HIPAA Compliance and Enforcement
  5. Resolution Agreements
  6. Cascade Eye and Skin Centers, P.C. Resolution Agreement and Corrective Action Plan
  • HIPAA for Professionals
  • Regulatory Initiatives
  • Privacy
    • Summary of the Privacy Rule
    • Guidance
    • Combined Text of All Rules
    • HIPAA Related Links
  • Security
    • Security Rule NPRM
    • Summary of the Security Rule
    • Security Guidance
    • Cyber Security Guidance
  • Breach Notification
    • Breach Reporting
    • Guidance
    • Reports to Congress
    • Regulation History
  • Compliance & Enforcement
    • Enforcement Rule
    • Enforcement Process
    • Enforcement Data
    • Resolution Agreements
    • Case Examples
    • Audit
    • Reports to Congress
    • State Attorneys General
  • Special Topics
    • HIPAA and Part 2
    • Change Healthcare Cybersecurity Incident FAQs
    • HIPAA and COVID-19
    • HIPAA and Reproductive Health
      • HIPAA and Final Rule Notice
    • HIPAA and Telehealth
    • HIPAA and FERPA
    • Research
    • Public Health
    • Emergency Response
    • Health Information Technology
    • Health Apps
  • Patient Safety
  • Covered Entities & Business Associates
    • Business Associate Contracts
    • Business Associates
  • Training & Resources
  • FAQs for Professionals
  • Other Administrative Simplification Rules

Cascade Eye and Skin Centers, P.C. Resolution Agreement and Corrective Action Plan

RESOLUTION AGREEMENT

I. Recitals

  1. Parties. The Parties to this Resolution Agreement (“Agreement”) are:
    1. The United States Department of Health and Human Services, Office for Civil Rights (“HHS”), which enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the Federal standards for notification in the case of breach of unsecured protected health information (45 Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”). HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates, and covered entities and business associates must cooperate with HHS compliance reviews and investigations. See 45 C.F.R. §§ 160.306(c), 160.308, and 160.310(b).
    2. Cascade Eye and Skin Centers, P.C. (“CES”), meets the definition of “covered entity” under 45 C.F.R. § 160.103 and therefore is required to comply with the HIPAA Rules. CES is a privately-owned health care provider that provides health care services, i.e., general eye and skin care.
    3. HHS and CES shall together be referred to herein as the “Parties.”
  2. Factual Background and Covered Conduct. On May 26, 2017, OCR received information indicating that CES experienced a ransomware attack in March of 2017, and electronic protected health information (“ePHI”) was held at ransom. The ransomware attack affected approximately 291,000 files that contained ePHI. HHS’s investigation indicated potential violations of the following provisions (“Covered Conduct”):
    1. The requirement to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by CES. See 45 C.F.R. § 164.308(a)(1)(ii)(A).
    2. The requirement to implement procedures to regularly review records of information system activity. See 45 C.F.R. § 164.308(a)(l)(ii)(D).
  3. No Admission. This Agreement is not an admission, concession, or evidence of liability by CES.
  4. No Concession. This Agreement is not a concession by HHS that CES is not in violation of the HIPAA Rules and not liable for civil money penalties.
  5. Intention of Parties to Effect Resolution. This Agreement is intended to resolve HHS Transaction Number: and any violations of the HIPAA Rules related to the Covered Conduct specified in paragraph I.2 of this Agreement. In consideration of the Parties’ interest in avoiding the uncertainty, burden, and expense of formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below.

II. Terms and Conditions

  1. Payment.  HHS has agreed to accept, and CES has agreed to pay HHS, the amount of $250,000 (“Resolution Amount”). CES agrees to pay the Resolution Amount in one lump sum within thirty (30) days of the Effective Date of this Agreement as defined in paragraph II.9 by automated clearing house transaction pursuant to written instructions to be provided by HHS.
  2. Corrective Action Plan. CES has entered into and agrees to comply with the Corrective Action Plan (“CAP”), attached as Appendix A, which is incorporated into this Agreement by reference. If CES breaches the CAP and fails to cure the breach as set forth in the CAP, then CES will be in breach of this Agreement and HHS will not be subject to the Release set forth in paragraph II.3 of this Agreement.
  3. Release by HHS. In consideration of and conditioned upon CES’s performance of its obligations under this Agreement, HHS releases CES from any actions it may have against CES under the HIPAA Rules arising out of or related to the Covered Conduct identified in paragraph I.2 of this Agreement. HHS does not release CES from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct and referred to in this paragraph. This release does not extend to actions that may be brought under Section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
  4. Agreement by Released Parties. CES shall not contest the validity of its obligation to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. CES waives all procedural rights granted under Section 1128A of the Social Security Act (42 U.S.C. § 1320a- 7a) and 45 C.F.R. Part 160 Subpart E, and HHS claims collection regulations at 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount.
  5. Binding on Successors. This Agreement is binding on CES and its successors, heirs, transferees, and assigns.
  6. Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement.
  7. No Additional Releases. This Agreement is intended to be for the benefit of the Parties only and by this instrument the Parties do not release any claims against or by any other person or entity.
  8. Effect of Agreement. This Agreement constitutes the complete agreement between the Parties. All material representations, understandings, and promises of the Parties are contained in this Agreement. Any modifications to this Agreement shall be set forth in writing and signed by all Parties.
  9. Execution of Agreement and Effective Date. The Agreement shall become effective (i.e., final and binding) upon the date of signing of this Agreement and the CAP by the last signatory (“Effective Date”).
  10. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a civil money penalty (“CMP”) must be imposed within six (6) years from the date of the occurrence of the violation. To ensure that this six-year period does not expire during the term of this Agreement, CES agrees that the time between the Effective Date of this Agreement and the date the Agreement may be terminated by reason of CES’s breach, plus one-year thereafter, will not be included in calculating the six (6) year statute of limitations applicable to the violations which are the subject of this Agreement. CES waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the Covered Conduct identified in paragraph I.2 that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Agreement.
  11. Disclosure. HHS places no restriction on the publication of the Agreement. In addition, HHS may be required to disclose material related to this Agreement to any person upon request consistent with the applicable provisions of the Freedom of Information Act, 5 U.S.C. § 552, and its implementing regulations, 45 C.F.R. Part 5.
  12. Execution in Counterparts. This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement.
  13. Authorizations. The individual(s) signing this Agreement on behalf of CES represents and warrant that they are authorized by CES to execute this Agreement and bind CES, as set forth in paragraph I.1.B. The individual(s) signing this Agreement on behalf of HHS represent and warrant that they are signing this Agreement in their official capacities and that they are authorized to execute this Agreement.

For Cascade Eye and Skin Centers, P.C.

/s/
Amber Gilroy 
Chief Executive Officer 
Cascade Eye and Skin Centers, P.C.

Date: 06/17/2024

For the United States Department of Health and Human Services

/s/
Michael Leoz
Regional Manager, Pacific Region
U.S. Department of Health and Human Services
Office for Civil Rights

Date: 06/17/2024

Appendix A
CORRECTIVE ACTION PLAN 
BETWEEN THE 
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES 
AND
Cascade Eye and Skin Centers, P.C.

I. Preamble

Cascade Eye and Skin Centers, P.C. (“CES”), hereby enters into this Corrective Action Plan (“CAP”) with the United States Department of Health and Human Services, Office for Civil Rights (“HHS”). Contemporaneously with this CAP, CES is entering into the Agreement (“Agreement”) with HHS, and this CAP is incorporated by reference into the Agreement as Appendix A.  CES enters into this CAP as part of consideration for the release set forth in paragraph II.3 of the Agreement. Capitalized terms without definition in this CAP shall have the same meaning assigned to them under the Agreement.

II. Contact Persons and Submissions

  1. Contact Persons
    CES has identified the following individual as its authorized representative and contact person regarding the implementation of this CAP andfor receipt and submission of notifications and reports (“CES Contact”) is:

    Amber Gilroy, Chief Executive Officer
    Cascade Eye and Skin Centers, P.C.

    HHS has identified the following individual as its authorized representative and contact person with whom CES is to report information regarding the implementation of this CAP:

    Steven Chen, Investigator
    U.S. Department of Health and Human Services
    Office for Civil Rights, Pacific Region 
    90 7th Street, Suite 4-100
    San Francisco, CA 94103

    CES and HHS agree to promptly notify each other of any changes in the contact person or the other information provided above.

  2. Proof of Submissions.
    Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including certified mail, overnight mail, electronic mail, or hand delivery, provided that there is proof that such notification was received. For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt.

III. Effective Date and Term of CAP

The Effective Date for this CAP shall be calculated in accordance with paragraph II.9 of the Agreement (“Effective Date”). The period for compliance (“Compliance Term”) with the obligations assumed by CES under this CAP shall begin on the Effective Date of this CAP and end two (2) years from the Effective Date, unless HHS has notified CES under section VIII. hereof of its determination that CES breached this CAP. In the event of such a notification by HHS under section VIII. hereof, the Compliance Term shall not end until HHS has notified CES that it has determined that the breach has been cured. After the Compliance Term ends, CES shall still be obligated to: (a) submit the final Annual Report as required by section VI.; and (b) comply with the document retention requirement in section VII. Nothing in this CAP is intended to eliminate or modify CES’s obligation to comply with the document retention requirements in 45 C.F.R. §§ 164.316(b) and 164.530(j).

IV. Time

In computing any period of time prescribed or allowed by this CAP, all days referred to shall be calendar days. The day of the act, event, or default from which the designated period of time begins to run shall not be included. The last day of the period so computed shall be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day which is not one of the aforementioned days.

V. Corrective Action Obligations

CES agrees to the following:

  1. Conduct Risk Analysis
    1. CES shall conduct an accurate and thorough Risk Analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by CES.  The Risk Analysis shall include all ePHI created, received, maintained, or transmitted by CES, and include but not be limited to, ePHI stored on or accessed by electronic information systems, networks, and applications administered or controlled by CES. As part of this process, CES shall develop a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and applications that contain or store ePHI, which will then be incorporated in its Risk Analysis
    2. Within thirty (30) days of the Effective Date, CES shall submit to HHS the scope and methodology by which it proposes to conduct the Risk Analysis. HHS shall notify CES whether the proposed scope and methodology is or is not consistent with 45 C.F.R. § 164.308 (a)(l)(ii)(A).
    3. CES shall provide the Risk Analysis, consistent with paragraph V.A.l., to HHS within one hundred twenty (120) days of HHS's approval of the scope and methodology described in paragraph V.B.2. for HHS's review.
    4. Upon submission by CES, HHS shall review and recommend changes to the aforementioned Risk Analysis within sixty (60) days. If HHS requires revisions to the Risk Analysis, HHS shall provide CES with a detailed, written explanation of such required revisions and with comments and recommendations in order for CES to be able to prepare a revised Risk Analysis. Upon receiving HHS’s recommended changes, CES shall have thirty (30) calendar days to submit a revised Risk Analysis. This process will continue until HHS provides final approval of the Risk Analysis.
    5. CES shall review the Risk Analysis annually (or more frequently, if appropriate) and shall promptly update the Risk Analysis in response to environmental or operational changes affecting the security of ePHI. Following an update to the Risk Analysis, CES shall assess whether its existing security measures are sufficient to protect its ePHI and revise its Risk Management Plan, Policies and Procedures, and training materials and implement additional security measures, as needed.
  2. Develop and Implement Risk Management Plan
    1. CES shall develop an enterprise-wide Risk Management Plan to address and mitigate any security risks and vulnerabilities found in the Risk Analysis specified in section V.A. above. The Risk Management Plan shall include a process and timeline for CES’s implementation, evaluation, and revision of its risk remediation activities.
    2. Within sixty (60) days of HHS’s final approval of the Risk Analysis described in section V.A. above, CES shall submit a Risk Management Plan to HHS for HHS’s review and approval.
    3. Within sixty (60) days of receipt of CES’s Risk Management Plan, HHS will inform CES in writing as to whether HHS approves the Risk Management Plan or HHS requires revisions. If HHS requires revisions to the Risk Management Plan, HHS shall provide CES with a written explanation of the basis of its revisions, including comments and recommendation that CES can use to prepare a revised Risk Management Plan.
    4. Upon receiving HHS’s notice of required revisions, if any, CES shall have sixty (60) days to revise the Risk Management Plan accordingly and forward for review and approval. This process shall continue until HHS approves the Risk Management Plan.
    5. Within sixty (60) days of HHS’s approval of the Risk Management Plan, CES shall finalize and officially adopt the Risk Management Plan in accordance with its applicable administrative procedures. CES shall then begin implementation of any steps to address or mitigate the risks and vulnerabilities as required by the Risk Management Plan.
  3. Implement Process to Regularly Review Records of Information System Activity Review
    1. CES shall develop a written process (“Process”) to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports as relates to the security of all of the ePHI held by CES.
    2. Within sixty (60) days of HHS’s final approval of the Risk Management Plan described in section V.B.1. above, CES shall submit CES’s Process to HHS for HHS’s review.
    3. Within sixty (60) days of receipt of CES’s Process, HHS will inform CES in writing as to whether HHS approves the Process or HHS requires revisions. If HHS requires revisions to the Process, HHS shall provide CES with a written explanation of the basis of its revisions, including comments and recommendations that CES can use to prepare a revised Process.
    4. Upon receiving HHS’s notice of required revisions, if any, CES shall have sixty (60) days to revise the Process accordingly and forward for review and approval. This process shall continue until HHS approves the Process.
    5. Within sixty (60) days of HHS’s approval of the Process, CES shall finalize and officially adopt the Process in accordance with its applicable administrative procedures. CES shall then begin implementation of procedures to regularly review records of information system activity as required by the Process.
  4. Establish and Implement a Contingency Plan
    1. CES shall develop and implement policies and procedures for responding to an emergency or other occurrence that damages systems that contain CES’s ePHI (“Contingency Plan”).
    2. Within sixty (60) days of HHS’s final approval of the Risk Management Plan described in section V.B.1. above, CES shall submit CES’s Contingency Plan to HHS for HHS’s review.
    3. Within sixty (60) days of receipt of CES’s Contingency Plan, HHS will inform CES in writing as to whether HHS approves the Contingency Plan or HHS requires revisions. If HHS requires revisions to the Contingency Plan, HHS shall provide CES with a written explanation of the basis of its revisions, including comments and recommendations that CES can use to prepare a revised Contingency Plan.
    4. Upon receiving HHS’s notice of required revisions, if any, CES shall have sixty (60) days to revise the Contingency Plan accordingly and forward for review and approval. This process shall continue until HHS approves the Contingency Plan.
    5. Within sixty (60) days of HHS’s approval of the Contingency Plan, CES shall finalize and officially adopt the Contingency Plan in accordance with its applicable administrative procedures. CES shall then begin implementation of policies and procedures for responding to an emergency or other occurrence that damages systems that contain ePHI as required by the Contingency Plan.
  5. Implement Process to Assign Unique User Identification
    1. CES shall develop a written procedures to assign a unique name and/or number for identifying and tracking user identity in its systems that contain ePHI. (“Unique User Identification Procedures”).
    2. Within sixty (60) days of HHS’s final approval of the Risk Management Plan described in section V.B.1. above, CES shall submit CES’s Unique User Identification Procedures to HHS for HHS’s review.
    3. Within sixty (60) days of receipt of CES’s Unique User Identification Procedures, HHS will inform CES in writing as to whether HHS approves the Unique User Identification Procedures or HHS requires revisions. If HHS requires revisions to the Unique User Identification Procedures, HHS shall provide CES with a written explanation of the basis of its revisions, including comments and recommendations that CES can use to prepare a revised Unique User Identification Procedures.
    4. Upon receiving HHS’s notice of required revisions, if any, CES shall have sixty (60) days to revise the Unique User Identification Procedures accordingly and forward for review and approval. This process shall continue until HHS approves the Unique User Identification Procedures.
    5. Within sixty (60) days of HHS’s approval of the Unique User Identification Procedures, CES shall finalize and officially adopt the Unique User Identification Procedures in accordance with its applicable administrative procedures. CES shall then begin implementation of procedures to assign a unique name and/or number for identifying and tracking user identity as required by the Unique User Identification Procedures.
  6. Policies and Procedure
    1. CES shall develop, maintain and revise, as necessary, its written policies and procedures to comply with the Federal standards that govern the privacy, security, and breach of individually identifiable health information (45 C.F.R. Part 160 and Subparts A, C, and E of Part 164, the “Privacy Rule” and “Security Rule”) and the Federal standards for notification in the case of breach of unsecured protected health information (45 Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”). CES policies and procedures shall include, but not be limited to, the minimum content set forth in section V.H.
    2. CES shall revise its existing policies and procedures related to complying with the requirements of the Breach Notification Rule, such that the policies and procedures more explicitly delineate its workforce members’ roles and responsibilities with respect to: (a) receiving and addressing internal reports made by workforce members of potential breaches of unsecured PHI; (b) receiving and addressing external reports made by individuals and business associates of potential breaches of unsecured PHI; (c) completing assessments of potential breaches of unsecured PHI to determine the probability that the PHI has been compromised; (d) preparing notifications to individuals whose unsecured PHI has been compromised as a result of a breach; (e) for breaches of unsecured PHI affecting more than 500 residents of a state or jurisdiction, preparing notifications to prominent media outlets serving the applicable state or jurisdiction; (f) preparing notifications to HHS regarding breaches of unsecured PHI; and (g) ensuring that all required breach notifications are submitted to the affected individuals, the media, and HHS without unreasonable delay and within the timeframes prescribed by the Breach Notification Rule.
    3. CES shall provide the policies and procedures identified in section V.F.1. and V.F.2. above to HHS for review within sixty (60) days of HHS’s final approval of the Risk Management Plan described in section V.B.1. above.
    4. Within sixty (60) days of its receipt of CES’s submitted policies and procedures, HHS will inform CES whether it has any feedback on the submitted policies and procedures.
    5. Upon receiving any recommended changes to such policies and procedures from HHS to support compliance with the Privacy, Security and Breach Notification Rules, CES shall have forty-five (45) days to revise such policies and procedures and provide the revised policies and procedures to HHS for review. This process shall continue until HHS confirms that such policies and procedures comply with the requirements of the Security Rule and the Breach Notification Rule.
    6. Within thirty (30) days after receiving HHS’s final approval of any revisions to the policies and procedures described in section V.F.1., CES shall implement the policies and procedures.
  7. Distribution and Updating of Policies and Procedures 
    1. CES shall distribute the policies and procedures identified in section V.F. to appropriate members of its workforce and relevant business associates within thirty (30) days of HHS approval of such revised policies, if any, and to new members of the workforce within thirty (30) days of their beginning of service. 
    2. CES shall require, at the time of distribution of such revised policies and procedures, a signed written or electronic initial compliance certification from all appropriate members of its workforce stating that the workforce members have read, understand, and shall abide by such policies and procedures.
    3. CES shall assess, update, and revise, as necessary, the policies and procedures at least annually or as needed. CES shall provide such revised policies and procedures to HHS for review and approval. Within thirty (30) days of the Effective Date of any approved substantive revisions, CES shall distribute such revised policies and procedures to appropriate members of its workforce and relevant business associates and shall require new compliance certifications.
  8. Minimum Content of Policies and Procedures
    The policies and procedures subject to this CAP shall include and be limited to policies and procedures that address the following Security Rule and Breach Notification Rule provisions:

    Security Rule Provisions:

    1. Risk Analysis - 45 C.F.R. § 164.308(a)(1)(ii)(A)
    2. Risk Management - 45 C.F.R. § 164.308(a)(1)(ii)(B)
    3. Information System Activity Review - 45 C.F.R. § 164.308(a)(1)(ii)(D)
    4. Contingency Plan - 45 C.F.R. §164.308(a)(7)(i)
    5. Data Backup Plan - 45 C.F.R. § 164.308(a)(7)(ii)(A)
    6. Disaster Recovery Plan - 45 C.F.R. § 164.308(a)(7)(ii)(B)
    7. Testing and Revision Procedures - 45 C.F.R. § 164.308(a)(7)(ii)(D)
    8. Unique User Identification - 45 C.F.R. § 164.312(a)(2)(i)

    Breach Notification Rule Provisions:

    1. Breach Notification Rule - 45 C.F.R. §§ 164.400 - 164.414
  9. Reportable Events 
    During the Compliance Term, in the event CES receives information that a workforce member subject to the policies and procedures adopted by CES under section V.F. may have failed to comply with those policies and procedures, CES shall promptly investigate the matter. If CES determines, after such investigation, that during the Compliance Term a member of its workforce subject to the policies and procedures adopted by CES under section V.F. failed to comply with those policies and procedures, CES shall notify HHS in writing within sixty (60) days and in the Annual Report, as set forth in section VI.B. Such violations shall be known as Reportable Events. The report to HHS shall include the following information:
    1. A complete description of the event, including the relevant facts, the persons involved, and the provision(s) of the policies and procedures implicated; and
    2. A description of the actions taken and any further steps CES plans to take to address the matter to mitigate any harm, and to prevent it from recurring, including application of appropriate sanctions against workforce members who failed to comply with its Privacy Rule policies and procedures.
    3. If no Reportable Events occur during the Compliance Term, CES shall so inform HHS in the Implementation Report as specified in section VI. below.

VI. Implementation Report and Annual Reports

  1. Implementation Report. Within one hundred twenty (120) days after the receipt of HHS’s approval of the policies and procedures required by section V.F. above, CES shall submit a written report to HHS summarizing the status of its implementation of the requirements of this CAP. This report, known as the “Implementation Report,” shall include:
    1. An attestation signed by an officer of CES attesting that the policies and procedures submitted to HHS under section V.F. are being implemented; and
    2. An attestation signed by an officer of CES stating that he or she has reviewed the Implementation Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.
  2. Annual Report. The one (1) year period beginning on the Effective Date and each subsequent one (1) year period during the course of the Compliance Term shall be referred to as a “Reporting Period.” Within sixty (60) days after the close of the Reporting Period, CES shall submit a report or reports to HHS regarding CES’s compliance with this CAP for the Reporting Period (“Annual Report”). CES shall submit each Annual Report to HHS no later than sixty (60) days after the end of each corresponding Reporting Period. The Annual Report shall include:
    1. A summary of Reportable Events (defined in section VI), if any, the status of any corrective and preventative action(s) relating to all such Reportable Events, or an attestation signed by an officer or director of CES stating that no Reportable Events occurred during the Compliance Term.
    2. An attestation signed by an officer of CES attesting that he or she has reviewed the Annual Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.

VII. Document Retention

CES shall maintain for inspection and copying, and shall provide to HHS, upon request, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date.

VIII. Breach Provisions

CES is expected to fully and timely comply with all provisions contained in this CAP.

  1. Timely Written Requests for Extensions. CES may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act required by this CAP. A “timely written request” is defined as a request in writing received by HHS at least five (5) days prior to the date such an act is required or due to be performed. This requirement may be waived by HHS only.
  2. Notice of Breach of this CAP and Intent to Impose CMP. The Parties agree that a material breach of this CAP by CES constitutes a breach of the Agreement. Upon a determination by HHS that CES has materially breached this CAP, HHS may notify CES of: (1) CES’s breach; and (2) HHS’s intent to impose a CMP pursuant to 45 C.F.R. Part 160, for the Covered Conduct set forth in paragraph I.2 of the Agreement and any other conduct that constitutes a violation of the HIPAA Privacy, Security, or Breach Notification Rules (“Notice of Breach and Intent to Impose CMP”), including the amount of such CMP.
  3. CES’s Response. CES shall have thirty (30) days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS’s satisfaction that:
    1. CES is in compliance with the obligations of the CAP that HHS cited as the basis for the breach;
    2. The alleged breach has been cured; or
    3. The alleged breach cannot be cured within the thirty (30) day period, but that CES: (a) has begun to take action to cure the breach; (b) is pursuing such action with due diligence; and (c) has provided to HHS a reasonable timetable for curing the breach.
  4. Imposition of CMP. If at the conclusion of the thirty (30) day period, CES fails to meet the requirements of section VIII.C. of this CAP to HHS’s satisfaction, HHS may proceed with the imposition of a CMP against CES pursuant to the rights and obligations set forth in 45 C.F.R. Part 160 for any violations of the HIPAA Rules applicable to the Covered Conduct set forth in paragraph I.2 of the Agreement and for any other act or failure to act that constitutes a violation of the HIPAA Rules. HHS shall notify CES in writing of its determination to proceed with the imposition of a CMP pursuant to 45 C.F.R. §§ 160.312(a)(3)(i) and (ii).

For Cascade Eye and Skin Centers, P.C.

/s/
Amber Gilroy 
Chief Executive Officer 
Cascade Eye and Skin Centers, P.C.

Date: 06/17/2024

For the United States Department of Health and Human Services

/s/
Michael Leoz  
Regional Manager, Pacific Region
U.S. Department of Health and Human Services
Office for Civil Rights

Date: 06/17/2024

Content created by Office for Civil Rights (OCR)
Content last reviewed September 26, 2024
Back to top

Subscribe to Email Updates

Receive the latest updates from the Secretary and Press Releases.

Subscribe
  • Contact HHS
  • Careers
  • HHS FAQs
  • Nondiscrimination Notice
  • Press Room
  • HHS Archive
  • Accessibility Statement
  • Privacy Policy
  • Budget/Performance
  • Inspector General
  • Web Site Disclaimers
  • EEO/No Fear Act
  • FOIA
  • The White House
  • USA.gov
  • Vulnerability Disclosure Policy
HHS Logo

HHS Headquarters

200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free Call Center: 1-877-696-6775​

Follow HHS

Follow Secretary Kennedy