Doctors’ Management Services, Inc. Resolution Agreement and Corrective Action Plan

Resolution Agreement

I. Recitals

1. Parties.  The Parties to this Resolution Agreement (“Agreement”) are:
   1. The United States Department of Health and Human Services, Office for Civil Rights (“HHS”), which enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the Federal standards for notification in the case of breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”).  HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates, and covered entities and business associates must cooperate with HHS compliance reviews and investigations.  See 45 C.F.R. §§ 160.306(c), 160.308, and 160.310(b).
   2. Doctors’ Management Services, Inc. (“DMS”) meets the definition of “business associate” under 45 C.F.R. § 160.103 and therefore is required to comply with the HIPAA Rules.
   3. HHS and DMS shall together be referred to herein as the “Parties.”
2. Factual Background and Covered Conduct

On April 22, 2019, OCR opened an investigation based on a breach report from DMS, a practice management company that acts as a business associate to several covered entities. The report stated that approximately 206,695 individuals were affected when the DMS network server was infected with GandCrab ransomware. The initial unauthorized access to the network occurred on April 1, 2017; however, DMS did not detect the intrusion until December 24, 2018 after ransomware was used to encrypt their files.

HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”):

1. DMS reported that an unauthorized third party gained access to its network on April 1, 2017 and deployed ransomware on December 24, 2018.  The breach impacted the ePHI of approximately 206,695 individuals. See  45 C.F.R. § 164.502(a);
2. DMS failed to conduct an accurate and thorough risk analysis that assesses technical, physical, and environmental risks and vulnerabilities associated with handling ePHI. See 45 C.F.R. § 164.308(A)(1)(i);
3. DMS failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. See 45 C.F.R. § 164.308(a)(1)(ii)(D); and
4. DMS failed to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule. See 45 C.F.R. § 164.316(b).

3. No Admission.  This Agreement is not an admission of liability by DMS.
4. No Concession.  This Agreement is not a concession by HHS that DMS is not in violation of the HIPAA Rules and not liable for civil money penalties.
5. Intention of Parties to Effect Resolution.  This Agreement is intended to resolve HHS Transaction Number 01-19-340860 and any violations of the HIPAA Rules related to the Covered Conduct specified in paragraph I.2 of this Agreement.  In consideration of the Parties’ interest in avoiding the uncertainty, burden, and expense of formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below.

II. Terms and Conditions

6. Payment.  HHS has agreed to accept, andDMS has agreed to pay HHS, the amount of $100,000 (“Resolution Amount”).  DMS agrees to pay the Resolution Amount within 30 days of the Effective Date of this Agreement as defined in paragraph II.14 pursuant to written instructions to be provided by HHS.
7. Corrective Action Plan.  DMS has entered into and agrees to comply with the Corrective Action Plan (“CAP”), attached as Appendix A, which is incorporated into this Agreement by reference.  If DMS breaches the CAP and fails to cure the breach as set forth in the CAP, then DMS will be in breach of this Agreement and HHS will not be subject to the Release set forth in paragraph II.8 of this Agreement.
8. Release by HHS.  In consideration of and conditioned upon DMS’s performance of its obligations under this Agreement, HHS releases DMS from any actions it may have against DMS under the HIPAA Rules arising out of or related to the Covered Conduct identified in paragraph I.2 of this Agreement.  HHS does not release DMS from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct and referred to in this paragraph.  This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
9. Agreement by Released Parties.  DMS shall not contest the validity of its obligation to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. DMS waive all procedural rights granted under Section 1128A of the Social Security Act (42 U.S.C. § 1320a- 7a) and 45 C.F.R. Part 160 Subpart E, and HHS claims collection regulations at 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount.
10. Binding on Successors.  This Agreement is binding on DMS and its successors, heirs, transferees, and assigns.
11. Costs.  Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement.
12. No Additional Releases.  This Agreement is intended to be for the benefit of the Parties only and by this instrument the Parties do not release any claims against or by any other person or entity.
13. Effect of Agreement.  This Agreement constitutes the complete agreement between the Parties.  All material representations, understandings, and promises of the Parties are contained in this Agreement.  Any modifications to this Agreement shall be set forth in writing and signed by all Parties. 
14. Execution of Agreement and Effective Date.  The Agreement shall become effective (i.e., final and binding) upon the date of signing of this Agreement and the CAP by the last signatory (Effective Date).
15. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a civil money penalty (“CMP”) must be imposed within six years from the date of the occurrence of the violation.  To ensure that this six-year period does not expire during the term of this Agreement, DMS agrees that the time between the Effective Date of this Agreement and the date the Agreement may be terminated by reason of DMS’s breach, plus one-year thereafter, will not be included in calculating the six (6) year statute of limitations applicable to the violations which are the subject of this Agreement.  DMS waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the Covered Conduct identified in paragraph I.2 that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Agreement.
16. Disclosure.  HHS places no restriction on the publication of the Agreement.  However, HHS agrees that it shall not disclose the name or other identifying information related to DMS’ clients in any online publication, media release, or other external publication, description or summary of the Agreement.
17. Execution in Counterparts.  This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement. 
18. Authorizations.  The individual(s) signing this Agreement on behalf of DMS represents and warrants that they are authorized to execute this Agreement and bind DMS, as set forth in paragraph I.1.b.  The individual(s) signing this Agreement on behalf of HHS represent and warrant that they are signing this Agreement in their official capacities and that they are authorized to execute this Agreement.

For Doctors’ Management Services, Inc. (DMS)

/s/
Timothy DiBona                                                                  
Chief Executive Officer
Doctors’ Management Services, Inc.          

Date

For U.S. Department of Health and Human Services

/s/
Susan M. Pezzullo Rhodes                                                   
Regional Manager, New England Region
Office for Civil Rights      

Date                             

Appendix A

Corrective Action Plan

Between the

U.S. Department of Health and Human Services

And

Doctors’ Management Services, Inc. (DMS)

I.          Preamble

DMS hereby enters into this Corrective Action Plan (“CAP”) with the United States Department of Health and Human Services, Office for Civil Rights (“HHS”).  Contemporaneously with this CAP, DMS is entering into the Agreement with HHS, and this CAP is incorporated by reference into the Agreement as Appendix A.  DMS enters into this CAP as part of consideration for the release set forth in paragraph II.8 of the Agreement.  Capitalized terms without definition in this CAP shall have the same meaning assigned to them under the Agreement.

II.        Contact Persons and Submissions

1. Contact Persons
   
   The contact person for DMS regarding the implementation of this CAP and for receipt and submission of notifications and reports (“DMS Contact”) is:
   
   Mr. Tim DiBona
   Chief Executive Officer
   Doctors’ Management Services, Inc.
   35 United Dr
   Suite 102Bridgewater, MA 02379
   Telephone:  (508) 682-1670
   email: tim@doctorsmanagementservice.org
   
   HHS has identified the following individual as its authorized representative and contact person with whom DMS is to report information regarding the implementation of this CAP:
   
   Ms. Susan M. Pezzullo Rhodes, Regional Manager
   Office for Civil Rights, New England Region
   Department of Health and Human Services
   JFK Federal Building, Room 1875
   Boston, MA 02203
   Susan.Rhodes@hhs.gov  
   Telephone: 617-565-1347
   Facsimile:  617-565-3809
   
   DMS and HHS agree to promptly notify each other of any changes in the contact person or the other information provided above.

2. Proof of Submissions.  Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including certified mail, overnight mail, electronic mail, or hand delivery, provided that there is proof that such notification was received. For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt.

III.       Effective Date and Term of CAP

The Effective Date for this CAP shall be calculated in accordance with paragraph II.14 of the Agreement (“Effective Date”). The period for compliance (“Compliance Term”) with the obligations assumed by DMS under this CAP shall begin on the Effective Date of this CAP and end three (3) years from the Effective Date, unless HHS has notified DMS under Section VIII hereof of its determination that DMS breached this CAP.  In the event of such a notification by HHS under Section VIII hereof, the Compliance Term shall not end until HHS notifies DMS that it has determined that the breach has been cured.  After the Compliance Term ends, DMS shall still be obligated to: (a) submit the final Annual Report as required by section VI; and (b) comply with the document retention requirement in section VII. Nothing in this CAP is intended to eliminate or modify DMS’s obligation to comply with the document retention requirements in 45 C.F.R. §§ 164.316(b) and 164.530(j).

IV.       Time

In computing any period of time prescribed or allowed by this CAP, all days referred to shall be calendar days. The day of the act, event, or default from which the designated period of time begins to run shall not be included. The last day of the period so computed shall be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day which is not one of the aforementioned days.

V.        Corrective Action Obligations

            DMS agrees to the following:

1.  Security Management Process
   
   DMS shall review and update the Risk Analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by DMS. Prior to updating the Risk Analysis, DMS shall develop a complete inventory of all of its facilities, electronic equipment, data systems, and applications that contain or store ePHI that will then be incorporated into its Risk Analysis.  DMS shall provide documentation supporting a review of current security measures and level of risk to its ePHI associated with the following: network segmentation; network infrastructure; vulnerability scanning; logging and alerts; and patch management. 
2. DMS shall provide the updated Risk Analysis, consistent with section V.A.1, to HHS within one hundred eighty (180) days of the Effective Date for HHS’ review. Within sixty (60) days of its receipt of DMS’s updated Risk Analysis, HHS will inform DMS whether HHS approves or disapproves of the updated Risk Analysis. If HHS disapproves of the updated Risk Analysis, HHS shall provide DMS with technical assistance, as necessary, regarding the basis for disapproval so that DMS may prepare a revised Risk Analysis. DMS shall have sixty (60) days in which to revise its Risk Analysis accordingly and then submit the revised Risk Analysis to HHS for review and approval. This submission and review process shall continue until HHS approves the revised Risk Analysis. 
3. DMS shall update its enterprise-wide Risk Management Plan to address and mitigate any security risks and vulnerabilities found in the updated Risk Analysis described above. The updated Risk Management Plan shall include a process and timeline for DMS’s implementation, evaluation, and revision of its risk remediation activities. .
4. Within ninety (90) days of HHS’ final approval of the updated or revised Risk Analysis described in section V.A above, DMS shall submit DMS’s updated Risk Management Plan to HHS for HHS' review. Within sixty (60) days of its receipt of DMS’s Risk Management Plan, HHS will inform DMS whether HHS approves or disapproves of the updated Risk Management Plan. If HHS disapproves of the updated Risk Management Plan, HHS shall provide DMS with technical assistance, as necessary, so that DMS may prepare a revised Risk Management Plan. Upon receiving a letter of disapproval of the updated Risk Management Plan from HHS and a description of any required changes to the updated Risk Management Plan, DMS shall have sixty (60) days in which to revise its Risk Management Plan accordingly, and submit the revised Risk Management Plan to HHS for review and approval. This submission and review process shall continue until HHS approves the revised Risk Management Plan. Within thirty (30) days of HHS’ approval of the revised Risk Management Plan, DMS shall begin implementation of the revised Risk Management Plan and distribute the plan to workforce members involved with implementation of the plan.

2. Policies and Procedures
   1. DMS shall review and revise, if necessary, its written policies and procedures to comply with the Federal standards that govern the security standards for the protection of electronic protected health information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules) DMS’ updated policies and procedures shall specifically address the Minimum Content set forth in Section V.D.1.
   2. DMS shall provide the revised policies and procedures identified in section V.B.1 above to HHS for review and approval within sixty (60) days of HHS’ approval of its updated Risk Analysis, as required by A.2.  Upon receiving any recommended changes to such policies and procedures from HHS, DMS shall have thirty (30) days to revise such policies and procedures accordingly and provide the revised policies and procedures to HHS for review and approval.  This process shall continue until HHS approves such revised policies and procedures. 
   3. DMS shall adopt (in accordance with its applicable administrative procedures) the policies and procedures approved by HHS pursuant to section V.B.2 within thirty (30) days of receipt of HHS’ approval.
3. Distribution of Policies and Procedures
   1. DMS shall distribute the policies and procedures identified in section V.B. to all members of the DMS’s workforce who use or disclose ePHI within thirty (30) days of HHS approval of such policies and procedures, to the extent the revisions are applicable to such workforce members’ job duties, and thereafter to new members of the workforce who will use or disclose ePHI within thirty (30) days of their becoming a member of the workforce.
4. Minimum Content of the Policies and Procedures
   
   The Policies and Procedures shall include, but not be limited to:
   1. Measures that address the following Security Rule provisions:
      1. Information System Activity Review – 45 C.F.R. § 164.308(a)(1)(ii)(D), including a process(es) for the regular review of all records of information system activity collected by DMS and processes for evaluating when the collection of new or different records needs to be included in the review; DMS will ensure that the process will be expansive enough to review access to local devices and ensure that its external firewall will be up to date with the necessary security patches, and configuration to adequately review external threats; and,
      2. Security Awareness and Training – 45 C.F.R. § 164.308 (5)(i), including implementing a security awareness and training program for all members of its workforce (including management).
5. Training
   1. DMS shall provide HHS with its HIPAA training materials for all members of the workforce that have access to PHI within sixty (60) days of the adoption of training policies and procedures described section V.B.3Upon receiving notice from HHS specifying any required changes, DMS shall make the required changes and provide revised training materials to HHS within thirty (30) days.
   2. Within sixty (60) days after receiving HHS’ final approval and at least every 12 months thereafter, DMS shall provide training for each workforce member who has access to PHI.  DMS shall also provide such training to each new member of the workforce who has access to PHI within thirty (30) days of their beginning of service.
   3. Each DMS workforce member who is required to attend training shall certify, in electronic or written form, that he or she has received the training.  The training certification shall specify the date training was received.  All course materials shall be retained in compliance with Section VII.
   4. DMS shall review the training at least annually, and, where appropriate, update the training to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, and any other relevant developments.

VI.       Training Report and Annual Reports

1. Training Report.  Within one hundred and twenty (120) days after the receipt of HHS’ approval of the Training Program required by section V.E, DMS shall submit a written report to HHS known as the “Training Report,” which shall consist of:
   1. A copy of all training materials used for the training required by this CAP, a description of the training including a summary of the topics covered, the length of the session(s) and a schedule of when the training session(s) were held;
   2. An attestation signed by an officer or director of DMS that all applicable members of the workforce of DMS have completed the initial training required by section V.E and have executed the training certifications required by paragraph V.E.4.
2. Annual Reports.  The one (1) year period after the Effective Date and each subsequent one (1) year period during the course of the Compliance Term shall be known as a “Reporting Period.”  Within sixty (60) days after the close of each corresponding Reporting Period, DMS shall submit a report or reports to HHS regarding DMS’s compliance with this CAP for each corresponding Reporting Period (“Annual Report”).  The Annual Report shall include:
   1. A copy of the schedule, topic outline, and training materials for the training programs provided during the Reporting Period that is the subject of the Annual Report;
   2. An attestation signed by an officer or director of DMS attesting that DMS obtain and maintain written or electronic training certifications from all persons who are required to attend training under this CAP;
   3. An attestation signed by an officer or director of DMS attesting that any revision(s) to the Policies and Procedures required by section V were finalized and adopted within thirty (30) days of HHS’ approval of the revision(s), which shall include a statement affirming that DMS distributed the revised Policies and Procedures to all appropriate members of DMS’s workforce within sixty (60) days of HHS’ approval of the revision(s); and
   4. A summary of Reportable Events, if any, the status of any corrective and preventative action(s) relating to all such Reportable Events, or an attestation signed by an officer or director of DMS stating that no Reportable Events occurred during the Compliance Term.

VII.     Reportable Events

1. Reportable Events.  After the implementation of the Policies and Procedures in accordance with paragraph V.B.1, DMS shall, during the remainder of the Compliance Term, upon receiving information that a workforce member may have failed to comply with such Policies and Procedures, promptly investigate the matter.  If DMS, after review and investigation, determines that a member of its workforce has failed to comply with such policies and procedures, DMS shall report such event(s) to HHS as provided in section VI.B.4. Such violations shall be known as “Reportable Events.” The report to HHS shall include the following:
   1. A complete description of the event, including the relevant facts, the persons involved, and the provision(s) of the Policies and Procedures implicated; and
   2. A description of the actions taken and any further steps DMS plans to take to address the matter to mitigate any harm, and to prevent it from recurring, including application of appropriate sanctions against workforce members who failed to comply with the Policies and Procedures.

VIII.    Document Retention

DMS shall maintain for inspection and copying, and shall provide to HHS, upon request, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date.  

IX.       Breach Provisions

DMS is expected to fully and timely comply with all provisions contained in this CAP.

1. Timely Written Requests for Extensions.  DMS may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act required by this CAP.  A “timely written request” is defined as a request in writing received by HHS at least five (5) days prior to the date such an act is required or due to be performed. This requirement may be waived by HHS only.
2. Notice of Breach of this CAP and Intent to Impose CMP.  The Parties agree that a breach of this CAP by DMS constitutes a breach of the Agreement.  Upon a determination by HHS that DMS has breached this CAP, HHS may notify DMS Contact of: (1) DMS’s breach; and (2) HHS’ intent to impose a CMP pursuant to 45 C.F.R. Part 160, for the Covered Conduct set forth in paragraph I.2 of the Agreement and any other conduct that constitutes a violation of the HIPAA Privacy, Security, or Breach Notification Rules (“Notice of Breach and Intent to Impose CMP”).
3. DMS’s Response.  If DMS is named in a Notice of Breach and Intent to Impose CMP, DMS shall have thirty (30) days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS’  satisfaction that:
   1. DMS is in compliance with the obligations of the CAP that HHS cited as the basis for the breach;
   2. The alleged breach has been cured; or
   3. The alleged breach cannot be cured within the thirty (30) day period, but that DMS: (a) has begun to take action to cure the breach; (b) is pursuing such action with due diligence; and (c) has provided to HHS a reasonable timetable for curing the breach.
4. Imposition of CMP.  If at the conclusion of the thirty (30) day period, DMS fails to meet the requirements of section IX.C. of this CAP to HHS’ satisfaction, HHS may proceed with the imposition of a CMP against DMS pursuant to the rights and obligations set forth in 45 C.F.R. Part 160 for any violations of the HIPAA Rules applicable to the Covered Conduct set forth in paragraph I.2 of the Agreement and for any other act or failure to act that constitutes a violation of the HIPAA Rules.  HHS shall notify DMS Contact in writing of its determination to proceed with the imposition of a CMP pursuant to 45 C.F.R. §§ 160.312(a)(3)(i) and (ii).

For Doctors’ Management Services, Inc. (DMS)

/s/

Timothy DiBona
Chief Executive Officer

Date

For U.S. Department of Health and Human Services

/s/

Susan M. Pezzullo Rhodes                                                 
Regional Manager, New England Region
Office for Civil Rights

Date