Green Ridge Behavioral Health, LLC Resolution Agreement and Corrective Action Plan

Resolution Agreement

I. Recitals

1. Parties. The Parties to this Resolution Agreement ("Agreement") are:
   1. The United States Department of Health and Human Services, Office for Civil Rights ("HHS"), which enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164 , the "Privacy Rule"), the Federal standards that govern the security of electronic individually identifiable  health information (45 C.F.R. Part  160 and Subparts A and C of Part 164, the "Security Rule"), and the Federal standards for notification in the case of breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the "Breach Notification Rule"). HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the "HWAA Rules") by covered entities and business associates, and covered entities and business associates must cooperate with HHS compliance reviews and investigations. See 45 C.F.R. §§ 160.306(c), 160.308, and 160.310(b).
   2. Green Ridge Behavioral Health, LLC ("GRBH"), which is a covered entity, as defined at 45 C.F.R. § 160.103, and therefore is required to comply with the HIPAA Rules. GRBH is multidisciplinary group practice that provides comprehensive out­ patient mental health services to the Washington, D.C. Metropolitan area. As a medical provider which transmits health information in electronic form in connection with a transaction for which HHS has adopted standards, GRBH is a covered entity that is required to comply with the Security Rules.
   3. HHS and GRBH shall together be referred to herein as the "Parties."
2. Factual Background and Covered Conduct. On December 12, 2019, OCR initiated an investigation of GRBH pursuant to a Breach Report dated February 11, 2019. OCR' s investigation revealed that GRBH was subject to a ransomware attack that resulted in the acquisition of the protected health information of over 14,000 patients. The evidence gathered by OCR during the investigation indicates GRBH's noncompliance with the Privacy and Security Rules. HHS' investigation indicated potential violations of the following provisions ("Covered Conduct"):
   1. The requirement to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of all of its ePHI. (See 45 C.F.R. § 164.308(a)(l)(ii)(A)).
   2. The requirement to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level. (See 45 C.F.R. § 164.308(a)(I)(ii)(B)).
   3. The requirement to implement policies and procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. (See 45 C.F.R. § 164.308(a)(l)(ii) (A)).
   4. The requirement to not use or disclose protected health information except as permitted by the Privacy Rule. (See 45 C.F.R. § 164.502(a)).
3. No Admission. This Agreement is not an admission of liability by GRBH.
4. No Concession. This Agreement is not a concession by HHS that GRBH is not in violation of the HIPAA Rules and not liable for civil money penalties ("CMPs").
5. Intention of Parties to Effect Resolution. This Agreement is intended to resolve OCR Transaction Number: 19-332642 and any potential violations of the HTPAA Rules related to the Covered Conduct specified in paragraph I.2 of this Agreement. In consideration of the Parties' interest in avoiding the uncertainty, burden, and expense of further investigation and formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below.

II. Terms and Conditions

6. Payment. HHS has agreed to accept, and GRBH has agreed to pay HHS, the amount of $40,000 ("Resolution Amount"). GRBH agrees to pay the Resolution  Amount in one lump sum within 3 days of the Effective Date of this Agreement as defined in paragraph 11.14 by automated clearing house transaction pursuant to written instructions to be provided by HHS.
7. Corrective Action Plan. GRBH has entered into and agrees to comply with the Corrective Action Plan ("CAP"), attached as Appendix A, which is incorporated into this Agreement by reference. If GRBH breaches the CAP and fails to cure the breach as set forth in the CAP, then GRBH will be in breach of this Agreement and HHS will not be subject to the Release set forth in paragraph Il.8 of this Agreement.
8. Release by HHS. In consideration of and conditioned upon GRBH's performance of its obligations under this Agreement, HHS releases GRBH from any actions it may have against GRBH under the HIPAA Rules arising out of or related to the Covered Conduct identified in paragraph 1.2 of this Agreement. HHS does not release GRBH from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct and referred to in this paragraph. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
9. Agreement by Released Parties. GRBH shall not contest the validity of its obligation to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. GRBH waives all procedural rights granted under Section 11 28 A of the Social Security Act (42 U.S.C. § 1320a- 7a) and 45 C.F.R. Part 160 Subpart E, and HHS claims collection regulations at 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount.
10. Binding on Successors. This Agreement is binding on GRBH and its successors, heirs, transferees, and assigns.
11. Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement.
12. No Additional Releases. This Agreement is intended to be for the benefit of the Parties only, and by this instrument the Parties do not release any claims against or by any other person or entity.
13. Effect of Agreement. This Agreement constitutes the complete agreement between the Parties. All material representations , understandings, and promises of the Parties are contained in this Agreement. Any modifications to this Agreement shall be set forth in writing and signed by all Parties.
14. Execution of Agreement and Effective Date. The Agreement shall become effective (i.e., final and binding) upon the date of signing of this Agreement and the CAP by the last signatory ("Effective Date").
15. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)( l ), a CMP must be imposed within six (6) years from the date of the occurrence of the violation. To ensure that this six-year period does  not expire during  the term  of  this Agreement, GRBH agrees that the time between the Effective Date of this Agreement (as set  forth in paragraph II.14) and the date the Agreement  may  be terminated by reason of GRBH's breach, plus one-year thereafter, will not be included in calculating the six (6) year statute of limitations applicable to the violations which are the subject of this Agreement. GRBH waives and will not plead any statute of limitations, !aches, or similar defenses to any administrative action relating to the Covered Conduct identified in paragraph 1.2 that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Agreement.
16. Disclosure. HHS places no restriction on the publication of the Agreement. In addition, HHS may be required to disclose material related to this Agreement to any person upon request consistent with the applicable provisions of the Freedom of Information Act, 5 U.S.C. § 552, and its implementing regulations, 45 C.F.R. Part 5.
17. Execution in Counterparts. This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement.
18. Authorizations. The individual(s) signing this Agreement on behalf of GRBH represent and warrant that they are authorized by GRBH to execute this Agreement. The individual(s) signing this Agreement on behalf of HHS represent and warrant that they are signing this Agreement in their official capacities and that they are authorized to execute this Agreement.

For Green Ridge Behavioral Health

/s/

Dr. Samina Yousufi, Owner

10/30/2023

Date

For the United States Department of Health and Human Services

/s/

Jamie Rahn Ballay
Regional Manager
Office for Civil Rights

10/31/2023

Date

Corrective Action Plan

Between the

U.S. Department of Health and Human Services

And

Green Ridge Behavioral Health

I. Preamble

Green Ridge Behavioral Health,  LLC ("GRBH") hereby enters into this Corrective Action Plan ("CAP") with the United States Department of Health and Human Services, Office for Civil Rights ("HHS"). Contemporaneously with this CAP, GRBH is entering into a Resolution Agreement ("Agreement") with HHS, and this CAP is incorporated by reference into the Resolution Agreement as Appendix A. GRBH enters into this CAP as part of consideration for the release set forth in paragraph ll.8 of the Agreement.

II. Contact Persons and Submissions

1. Contact Persons

   GRBH has identified the following individual as its authorized representative and contact person regarding the implementation of this CAP and for receipt and submission of notifications and reports:

   Dr. Samina Yousufi
   Owner - GRBH
   610 Professional Drive, Suite 255
   Gaithersburg, MD 20879
   syousu!i(@greenridgebh.com
   Phone: 240-683-6202
   Fax: 240-683-6203

   HHS has identified the following individual as its authorized representative and contact person with whom GRBH is to report information regarding the implementation of this CAP:

   Jamie Rahn Ballay, Regional Manager
   Mid-Atlantic Region
   Office for Civil Rights
   U.S. Department of Health and Human Services

   GRBH and HHS agree to promptly notify each other of any changes in the contact persons or the other information provided above.

2. Proof of Submissions. Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including certified mail, overnight mail, or hand delivery, provided that there is proof that such notification was received. For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt.

III. Effective Date and Term of CAP

The Effective Date for this CAP shall be calculated in accordance with paragraph II.14 of the Agreement ("Effective Date"). The period for compliance ("Compliance Term") with the obligations assumed by GRBH under this CAP shall begin on the Effective Date of this CAP and end three (3) years from the Effective Date, unless HHS has notified GRBH under Section VIII hereof of its determination that GRBH breached this CAP. In the event HHS notifies GRBH of a breach under section VIII hereof, the Compliance Term shall not end until HHS notifies GRBH that HHS has determined GRBH failed to meet the requirements of section VTII.C of this CAP and issues a written  notice of intent to proceed with an  imposition of a civil money penalty against GRBH pursuant to 45 C.F.R. Part 160. After the Compliance Term ends, GRBH shall still be obligated to: (a) submit the final Annual Report as required by section VI; and (b) comply with the document retention requirement in section VII. Nothing in this CAP is intended to eliminate or modify GRBH's obligation to comply with the document retention requirements in 45 C.F.R. § 164.3 16(b) and § 164.5300).

IV. Time

In computing any period of time prescribed or allowed by this CAP, all days referred to shall be calendar days. The day of the act, event, or default from which the designated period of time begins to run shall not  be included. The last day of the period so computed shall be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day which is not one of the aforementioned days.

V. Corrective Action Obligations

GRBH agrees to the following:

1. Security Management Process
   1. GRBH shall conduct a comprehensive and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by GRBH. This Risk Analysis shall incorporate all GRBH facilities, whether owned or rented, and evaluate the risks to the ePHI on all of its electronic equipment, data systems, and applications controlled, administered or owned by GRBH or any GRBH entity, that contain, store, transmit, or receive ePHI. Prior to conducting the Risk Analysis, GRBH shall develop a complete inventory of all of its facilities, electronic equipment, data systems, and applications that contain or store ePHI that will then be incorporated into its Risk Analysis.
   2. GRBH shall provide the Risk Analysis, consistent with section V.A. I, to HHS within sixty (60) days of the Effective Date for HHS' review. Within sixty (60) days of its receipt of GRBH's Risk Analysis, HHS will inform GRBH whether HHS approves or disapproves of the Risk Analysis. If HHS disapproves of the Risk Analysis, HHS shall provide GRBH with technical assistance, as necessary, regarding the basis for the disapproval so that GRBH may prepare a revised Risk Analysis. GRBH hall have sixty (60) days in which to revise its Risk Analysis accordingly, and then submit the revised Risk Analysis to HHS for review and approval. This submission and review process shall continue until HHS approves the Risk Analysis.
   3. GRBH shall develop an enterprise-wide Risk Management Plan to address and mitigate any security risks and vulnerabilities found in the Risk Analysis described above in paragraph V.A. I. The Risk Management Plan shall include a process and timeline for GRBH's implementation, evaluation, and revision of its risk remediation activities. GRBH may submit a Risk Management Plan currently underway for consideration by HHS for compliance with this provision.
   4.  Within ninety (90) days of HHS' final approval of the Risk Analysis described in section V.A. above, GRBH shall submit GRBH's Risk Management Plan for HHS' review. Within sixty (60) days of its receipt of GRBH's Risk Management Plan, HHS will inform GRBH whether HHS approves the Risk Management Plan or HHS requires revisions. If HHS requires revisions to the Risk Management Plan, HHS shall provide GRBH with a written explanation of the basis of  its revisions,  including comments and  recommendation that GRBH can use to prepare a revised Risk Management Plan. Upon receiving HHS's notice of required revisions, if any, GRBH shall have sixty (60) days in which to revise its Risk Management Plan accordingly, and submit the revised Risk Management Plan to HHS for review and approval. This submission and review process shall continue until HHS approves the Risk Management Plan. Within thirty (30) days of HHS's approval of the Risk Management Plan, GRBH shall finalize and officially adopt the Risk Management Plan in accordance with its applicable administrative procedures and distribute the plan to workforce members involved with implementation of the plan.

B. Policies and Procedures

1. GRBH shall review, and as necessary, develop, or revise written policies and procedures to address the Minimum Content set forth in Section V.D. to comply with the HIPAA Rules.
2. GRBH shall provide the policies and procedures identified in section V.8 .1 above to HHS for review and approval  within sixty (60) days of HHS' approval  of the Risk Management Plan, as required by V.A.4. Upon receiving any recommended changes to such policies and procedures from HHS, GRBH shall have forty-five (45) days to revise such policies and procedures accordingly and provide the revised policies and  procedures to HHS for review and approval. This process shall continue until HHS approves such policies and procedures.
3. GRBH shall adopt (in accordance with its applicable administrative procedures) the policies and procedures approved by HHS pursuant to section V.8 .2 within thirty (30) days of receipt of HHS' approval.

C. Distribution and Updating of Policies and Procedures

1. GRBH shall distribute the policies and procedures identified in Section V.B to all members of the workforce [and all business associates that have access to PHI] within thirty (30) days of the adoption of such policies pursuant to Section V.B.3 and to new members of the workforce [and new business associates that have such access] within thirty (30) days of their beginning of service.
2. GRBH shall require, at the time of distribution of the policies and procedures, a signed written or electronic initial compliance certification from all members of the workforce [and all business associates that have access to PHI], stating that the workforce members [and business associates] have read, understand, and shall abide by such policies and procedures.
3. GRBH shall assess, update, and revise, as necessary, the policies and procedures at least annually (and more frequently if appropriate). GRBH shall provide the revised policies and procedures to HHS for review and approval to HHS within 30 days of revision. Within thirty (30) days of the effective date of any approved substantive revisions, GRBH shall distribute such revised policies and procedures to all members of its workforce [and business associates with access to PHI], and shall require new compliance certifications.
4. GRBH shall not provide any member of its workforce [or any business associate] with access to PHI if that workforce member [or business associate) has not signed or provided the written or electronic certification required by sections 2 and 3 of this section.

D. Minimum Content of the Policies and Procedures

1. The Policies and Procedures subject to this CAP shall include policies and procedures that address the following Privacy and Security Rule provisions:

1. Risk Analysis---45 C.F.R. § 164.308(a)(l)(ii) (A), including provisions to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by GRBH and to conduct the accurate and thorough assessment on an annual basis.
2. Risk Management---45 C.F.R. § 164.308(a)(l)(ii)(B), including provisions to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with§ 164.306(a).
3. Information System Activity Review---45 C.F.R. § 164.308(a)(l )(ii)(D), including procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
4. Assigned Security Responsibility---45 C.F.R. § 164.308(a)(2), including identifying security official responsible for development and implementation of Security Rule policies and procedures.
5. Security Awareness and Training---45 C.F.R. § 164.308 (a)(S), including implementation of a security awareness and training program for all workforce members.
6. Password Management---45 C.F.R. § 164.308(a)(5)(ii)(D), including procedures for creating, changing, and safeguarding passwords.
7. Data Backup Plan---45 C.F.R. § 164.308(a)(7), including establishing and implementing procedures to create and maintain retrievable exact copies of electronic protected health information.
8. Access Control--45 C.F.R. § I64.3I 2(a)(I) , including provisions to address access between systems, such as network or portal segmentation, provisions to limit access to ePHI to individuals and software programs granted access rights, and provisions to enforce password management requirements, such as password age, and encryption and decryption.
9. Audit Controls---45 C.F.R. § 164.312(b), including procedures for the implementation of hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health in formation.
10. Business Associate Agreements---45 C.F.R. § 164.308(b) , including provisions to document satisfactory assurances from business associates through a written contract  or other arrangement  with  the business associate that  meets the requirements of§ 164.314(a) .
11. Privacy Rule ---45 C.F.R. § 164.530, including uses and disclosures of protected health information and safeguarding protected health information.

E. Reportable Events

1. During the Compliance Term, GRBH shall, upon learning that a  workforce member (or business associate) likely failed to comply with  its policies and procedures described in Section V.B, promptly investigate this matter. If GRBH, after review and investigation, determines that a member of  its workforce [or a  business associate that has agreed  to comply with policies and procedures under section V.C.2) has failed to comply with its policies and procedures, GRBH shall  report such events to HHS as provided  in section Vl.8 .3.  Such violations shall be known as Reportable Events. The report to HHS shall include the following:
   1. A complete description of the event, including the relevant facts, the persons involved, and the applicable provision(s) of GRBH's Privacy, Security, and Breach Notification policies and procedures; and
   2. A description of the actions taken and any further steps GRBH plans to take to address the matter to mitigate any harm, and to prevent it from recurring, including application of any appropriate sanctions against workforce members who failed to comply with its Privacy, Security, and Breach Notification policies and procedures.
2. If no Reportable Events occur during the Compliance term, GRBH shall so inform HHS in the Annual Report as specified in Section VJ below.

F. Training

1. Pursuant to  the requirements of 45 C.F.R. § I 64.308(a)(5) and §164.530(b), GRBH shall provide HHS with training materials for all members of the workforce [or business associates] that have access to PHI within thirty (30) days of HHS approval of GRBH  policies and procedures pursuant to section V.B.2.
2. Upon receiving notice from HHS specifying any required changes, GRBH shall make the required changes and provide revised training materials to HHS within thirty (30) days.
3. Within sixty (60) days after receiving HHS' final approval and at least every 12 months thereafter, GRBH shall provide training for each workforce member who has access to PHI. GRBH shall also provide such training to each new member of the workforce [or business associate] who has access to PHI within 30 days of their beginning of service.
4. Each workforce member who is required to attend training shall certify, in electronic or written form, that be or she has received the training.  The training certification shall specify the date training was received. All course materials shall be retained in compliance with Section VII and the Privacy Rule.
5. GRBH shall review the training at least annually, and, where appropriate, update the training to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, and any other relevant developments.

G. Business Associate Agreements

1. Within sixty (60) days of the Effective Date and annually following the Effective Date, GRBH shall review all relationships with vendors and third-party service providers to identify business associates. GRBH shall provide HHS with the following:

1. An accounting of GRBH's business associates, to include the names of business associates, a description of services provided, the date services began, and a description of the business associate's handling of/interaction with GRBH's PHI; and
2. Copies of the business associate agreements that GRBH maintains with each business associate.

VI.    Implementation Report and Annual Reports

A. Implementation Report. Within one hundred twenty (120) days after HHS approves GRBH's HIPAA training materials for workforce members specified in Section V.F above, GRBH shall submit a written report with the documentation described below to HHS for review and approval (" Implementation Repo rt"). The Implementation Report shall include:

1. An attestation signed by an officer of GRBH attesting that the policies and procedures are being implemented, have been distributed to all appropriate members of the workforce [and business associates], and that GRBH has obtained all of the compliance certifications required by Sections V.C.2 and V.C.3;
2. A copy of all training materials used for the training required by this CAP, a description of the training, including a summary of the topics covered, the length of the session(s) and a schedule of when the training session(s) were held;
3. An attestation signed by an officer of GRBH attesting that all members of the workforce [and business associates] have completed the initial training required by this CAP and have executed the training certifications required by Section V.F.4;
4. An attestation signed by an officer of GRBH listing all GRBH locations (including locations and mailing addresses), the corresponding name under which each location is doing business, the corresponding phone numbers and fax numbers, and attesting that each such location has complied with the obligations of this CAP; and
5. An attestation signed by an officer of GRBH stating that he or she bas reviewed the Implementation Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.

B. Annual Reports. The one-year period beginning on the Effective Date and each subsequent one-year period during the course of the period of compliance obligations shall be referred to as "the Reporting Periods." GRBH also shall submit to HHS Annual Reports with respect to the status of and findings regarding GRBH's compliance with this CAP for each of the two (2) Reporting Periods. GEBH shall submit each Annual Report to HHS no later than sixty days after the end of each corresponding Reporting Period. The Annual Report shall include:

1. A schedule, topic outline, and copies of the training materials for the training programs attended in accordance with this CAP during the Reporting Period that is the subject of the report;
2. An updated accounting of business associates as required by Section V.G.;
3. An attestation signed by an officer of GRBH attesting that it is obtaining and maintaining written training certifications from all persons that require training that they received training pursuant to the requirements set forth in this CAP;
4. A summary of Reportable Events (defined in Section V.E. l) identified during the Reporting Period and the status of any corrective and preventative action relating to all such Reportable Events;
5. An attestation signed by an officer of GRBH attesting that he or she has reviewed the Annual Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.

VII.    Document Retention

GRBH shall maintain for inspection and copying, and shall provide to HHS upon request, all documents and records relating  to compliance with this CAP for six (6) years from the Effective Date.

VIII.   Breach Provisions

GRBH is expected to fully and timely comply with all provisions contained in this CAP.

A. Timely Written Requests for Extensions

GRBH may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act required by this CAP. A "timely written request" is defined as a request in writing received by HHS at least five days prior to the date such an act is required or due to be performed . This requirement may be waived by OCR only.

B. Notice of Breach of this CAP and Intent to Impose Civil Monetary Penalty

The parties agree that a breach of this CAP by GRBH constitutes a breach of the  Agreement.  Upon a determination by HHS that GRBH has breached this CAP, HHS may notify GRBH of: (I) GRBH's  breach; and (2) HHS' intent to impose a  CMP pursuant  to 45 C.F.R. Part  160, or other remedies for the Covered Conduct set forth in paragraph 1.2 of the Agreement and any other conduct  that constitutes a violation of the HIPAA  Privacy, Security, or Breach Notification Rules ("Notice of Breach and Intent to Impose CMP").

C. GRBH's Response

GRBH shall  have thirty (30) days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS' satisfaction that:

1. GRBH is in compliance with the obligations of the CAP that HHS cited as the basis for the breach;
2. The alleged breach has been cured; or
3. The alleged breach cannot be cured within the thirty-day period, but that: (a) GRBH has begun to take action to cure the breach; (b) GRBH is pursuing such action with due diligence; and (c) GRBH has provided to HHS a reasonable timetable for curing the breach.

D. Imposition of CMP

If at the conclusion of the thirty-day period, GRBH fails to meet the requirements of Section VIII.C of this CAP to HHS’s satisfaction, HHS may proceed with the imposition of the CMP against GRBH pursuant to 45 C.F.R. Part 160 for any violations of the Covered Conduct set forth in paragraph I.2 of the Agreement and for any other act or failure to act that constitutes a violation of the HIPAA Rules. HHS shall notify GRBH in writing of its determination to proceed with the imposition of the CMP pursuant to 45 C.F.R. Part 160.

For Green Ridge Behavioral Health

/s/

Dr. Samina Yousufi
Owner

Date: October 30, 2023

For United States Department of Health and Human Services

/s/

Jamie Rahn Ballay
Regional Manager
Office for Civil Rights

Date: October 31, 2023