iHealth Solutions, LLC Resolution Agreement and Corrective Action Plan

Resolution Agreement

I.    Recitals

1. Parties.  The Parties to this Resolution Agreement (“Agreement”) are:
   1. The United States Department of Health and Human Services, Office for Civil Rights (“HHS”), which enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the Federal standards for notification in the case of breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”).  HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates, and covered entities and business associates must cooperate with HHS compliance reviews and investigations. See 45 C.F.R. §§ 160.306(c), 160.308, and 160.310(b).
   2. iHealth Solutions, LLC, d/b/a Advantum Health (“iHealth”), which meets the definition of “business associate” under 45 C.F.R. § 160.103 and therefore is required to comply with the HIPAA Rules.
   3. HHS and iHealth shall together be referred to herein as the “Parties.”
2. Factual Background and Covered Conduct
   On August 22, 2017, OCR received a breach report from iHealth indicating that on May 2, 2017, the electronic protected health information (ePHI) of  267 individuals was exfiltrated from an iHealth insecure server by an unauthorized individual. OCR’s investigation indicated that the following conduct occurred (“Covered Conduct”):
   1. iHealth impermissibly disclosed the ePHI of 267 individuals in violation of 45 C.F.R. §164.502(a).
   2. iHealth did not conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by iHealth, as required by 45 C.F.R. §164.308(a)(1)(ii)(A).
3. No Admission.  This Agreement is not an admission of liability by iHealth.
4. No Concession.  This Agreement is not a concession by HHS that iHealth is not in violation of the HIPAA Rules and not liable for civil money penalties.
5. Intention of Parties to Effect Resolution.  This Agreement is intended to resolve HHS Transaction Number: 04-17-281410 and any violations of the HIPAA Rules related to the Covered Conduct specified in paragraph I.2 of this Agreement. In consideration of the Parties’ interest in avoiding the uncertainty, burden, and expense of formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below.

II.    Terms and Conditions

6. Payment.  HHS has agreed to accept, andiHealth has agreed to pay HHS, the amount of $75,000 (“Resolution Amount”).  iHealth agrees to pay the Resolution Amount within 30 days of the Effective Date of this Agreement as defined in paragraph II.14 pursuant to written instructions to be provided by HHS.
7. Corrective Action Plan.  iHealth has entered into and agrees to comply with the Corrective Action Plan (“CAP”), attached as Appendix A, which is incorporated into this Agreement by reference.  If iHealth breaches the CAP, and fails to cure the breach as set forth in the CAP, then iHealth will be in breach of this Agreement and HHS will not be subject to the Release set forth in paragraph II.8 of this Agreement.
8. Release by HHS.  In consideration of and conditioned upon iHealth’s performance of its obligations under this Agreement, HHS releases iHealth from any actions it may have against iHealth under the HIPAA Rules arising out of or related to the Covered Conduct identified in paragraph I.2 of this Agreement.  HHS does not release iHealth from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct and referred to in this paragraph.  This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
9. Agreement by Released Parties.  iHealth shall not contest the validity of its obligation to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. iHealth waives all procedural rights granted under Section 1128A of the Social Security Act (42 U.S.C. § 1320a- 7a) and 45 C.F.R. Part 160 Subpart E, and HHS claims collection regulations at 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount.
10. Binding on Successors. This Agreement is binding on iHealth and its successors, heirs, transferees, and assigns.
11. Costs.  Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement.
12. No Additional Releases.  This Agreement is intended to be for the benefit of the Parties only and by this instrument the Parties do not release any claims against or by any other person or entity.
13. Effect of Agreement.  This Agreement constitutes the complete agreement between the Parties.  All material representations, understandings, and promises of the Parties are contained in this Agreement.  Any modifications to this Agreement shall be set forth in writing and signed by all Parties. 
14. Execution of Agreement and Effective Date.  The Agreement shall become effective (i.e., final and binding) upon the date of signing of this Agreement and the CAP by the last signatory (Effective Date).
15. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a civil money penalty (“CMP”) must be imposed within six years from the date of the occurrence of the violation.  To ensure that this six-year period does not expire during the term of this Agreement, iHealth agrees that the time between the Effective Date of this Agreement and the date the Agreement may be terminated by reason of iHealth’s breach, plus one-year thereafter, will not be included in calculating the six (6) year statute of limitations applicable to the violations which are the subject of this Agreement.  iHealth waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the Covered Conduct identified in paragraph I.2 that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Agreement.
16. Disclosure.  HHS places no restriction on the publication of the Agreement.
17. Execution in Counterparts.  This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement. 
18. Authorizations.  The individual(s) signing this Agreement on behalf of iHealth represents and warrants that they are authorized to execute this Agreement and bind iHealth, as set forth in paragraph I.1.b.  The individual(s) signing this Agreement on behalf of HHS represent and warrant that they are signing this Agreement in their official capacities and that they are authorized to execute this Agreement.

For iHealth Solutions, LLC

/s/                                                                                           
John Taft, CFO                                                                                                
iHealth Solutions, LLC
462 S. 4th Street
Louisville, KY 40202

4/20/2023
Date  

For U.S Department of Health and Human Services

/s/                                                                                           
Barbara Stampul                                                                    
Regional Manager, Southeast Region
Office for Civil Rights         

4/20/2023
Date                          

Appendix A

Corrective Action Plan

Between the

U.S. Department of Health and Human Services

and

iHealth Solutions, LLC

I.          Preamble

iHealth Solutions, LLC (“iHealth”) hereby enters into this Corrective Action Plan (“CAP”) with the United States Department of Health and Human Services, Office for Civil Rights (“HHS”). Contemporaneously with this CAP, iHealth is entering into the Agreement with HHS, and this CAP is incorporated by reference into the Agreement as Appendix A.  iHealth enters into this CAP as part of consideration for the release set forth in paragraph II.8 of the Agreement.  Capitalized terms without definition in this CAP shall have the same meaning assigned to them under the Agreement.

II.        Contact Persons and Submissions

1. Contact Persons
   
   The contact person for iHealth regarding the implementation of this CAP and for receipt and submission of notifications and reports (“iHealth Contact”) is:
   
   John Taft, CFO                                                                      
   iHealth Solutions, LLC
   462 S. 4th Street
   Louisville, KY 40202
   Telephone: 502-694-7643
   
   HHS has identified the following individual as its authorized representative and contact person with whom iHealth is to report information regarding the implementation of this CAP:
   
   Ms. Barbara Stampul, Regional Manager
   Office for Civil Rights, Southeast Region
   Department of Health and Human Services
   61 Forsyth Street SW, Ste. 16T70
   Atlanta, GA 30303
   Barbara.Stampul@hhs.gov
   Telephone: 404-562-2799
   Facsimile:  404-562-7881
   
   iHealth and HHS agree to promptly notify each other of any changes in the contact person or the other information provided above.
    
2. Proof of Submissions.  Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including certified mail, overnight mail, electronic mail, or hand delivery, provided that there is proof that such notification was received. For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt.

III.       Effective Date and Term of CAP

The Effective Date for this CAP shall be calculated in accordance with paragraph II.14 of the Agreement (“Effective Date”). The period for compliance (“Compliance Term”) with the obligations assumed by iHealth under this CAP shall begin on the Effective Date of this CAP and end two (2) years from the Effective Date, unless HHS has notified iHealth under Section VIII hereof of its determination that iHealth breached this CAP.  In the event of such a notification by HHS under Section VIII hereof, the Compliance Term shall not end until HHS notifies iHealth that it has determined that the breach has been cured.  After the Compliance Term ends, iHealth shall still be obligated to: (a) submit the final Annual Report as required by section VI; and (b) comply with the document retention requirement in section VII. Nothing in this CAP is intended to eliminate or modify iHealth’s obligation to comply with the document retention requirements in 45 C.F.R. §§ 164.316(b) and 164.530(j).

IV.       Time

In computing any period of time prescribed or allowed by this CAP, all days referred to shall be calendar days. The day of the act, event, or default from which the designated period of time begins to run shall not be included. The last day of the period so computed shall be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day which is not one of the aforementioned days.

V.        Corrective Action Obligations

iHealth agrees to the following:

1. Conduct Risk Analysis
   1. iHealth shall conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of iHealth’s electronic protected health information (ePHI) (“Risk Analysis”). The Risk Analysis shall incorporate all iHealth’s facilities and must include an evaluation of the risks to the security of ePHI in electronic equipment, information systems, devices and media, and applications controlled, administered or owned by iHealth, that contain, store, transmit, or receive ePHI.  The Risk Analysis shall also include an assessment of the risks to ePHI security in the physical environment.  Prior to conducting the Risk Analysis, iHealth shall develop a complete inventory of all of their facilities, categories of electronic equipment, information systems, devices and media, and applications that contain or store ePHI, which will then be incorporated into their Risk Analysis.
   2. Within forty-five (45) days of the Effective Date, iHealth shall provide to HHS a Statement of Work (SOW) for the Risk Analysis. Within thirty (30) days of its receipt of iHealth’s Risk Analysis SOW, if HHS identifies deficiencies in the Risk Analysis SOW, HHS shall provide iHealth with written technical assistance, as necessary, such as through suggested edits to the SOW, so that iHealth may revise its SOW accordingly. Within thirty (30) days of HHS providing such written technical assistance, if any, the Parties shall meet and confer in good faith to determine the deadline by which iHealth shall submit a revised SOW for HHS review. Within thirty (30) days of iHealth submitting any such revised SOW, the Parties shall meet and confer in good faith to determine the deadline by which HHS shall review the revised SOW and provide URMC with written technical assistance, if any. This submission and review process shall continue until HHS approves the SOW.
   3. iHealth shall provide the Risk Analysis, consistent with Section V.A.1., to HHS within sixty (60) days of HHS’s approval of the Risk Analysis SOW, as required by Section V.A.1., for HHS’s review. Within thirty (30) days of its receipt of iHealth’s Risk Analysis, HHS will inform iHealth whether it has any technical assistance to provide for the submitted Risk Analysis. Upon receiving any recommended changes to the Risk Analysis to confirm compliance with the Security Rule, iHealth shall have thirty (30) days to revise the Risk Analysis and provide the revised Risk Analysis to HHS for review. This process shall continue until HHS determines the Risk Analysis has been completed in accordance with the Security Rule.
   4. iHealth shall review the Risk Analysis annually. iHealth shall also promptly update the Risk Analysis in response to environmental or operational changes affecting the security of ePHI. Following an update to the risk analysis, iHealth shall assess whether its existing security measures are sufficient to protect its electronic PHI, and revise its risk management plan, policies and procedures, and training materials, as needed.
2. Develop and Implement a Risk Management Plan
   1. iHealth shall develop a risk management plan sufficient to address and mitigate any security risks and vulnerabilities identified in the Risk Analysis described in section V.A. above (“Risk Management Plan”). The Risk Management Plan shall include a process and timeline for iHealth’s implementation, evaluation, and revision of their risk remediation activities.
   2. The risk management plan shall be forwarded to HHS for review and approval within sixty 60 days of HHS’ approval of the Risk Analysis describe in section V.A. above. HHS shall approve, or, if necessary, require revisions to iHealth’s Risk Management Plan.
   3. Upon receiving HHS’s notice of required revisions, if any, iHealth shall have 30 days to revise the Risk Management Plan accordingly and forward to HHS for review and approval. This process shall continue until HHS approves the Risk Management Plan.
   4. Within 30 days of HHS’s approval of the Risk Management Plan, iHealth shall finalize and officially adopt the Risk Management Plan in accordance with its applicable administrative procedures.
3. Implement Process for Evaluating Environmental and Operational Changes
   Within one hundred twenty (120) days of the Effective Date, iHealth shall develop a process to evaluate any environmental or operational changes that affect the security of iHealth ePHI. HHS shall review and recommend changes to the process. Upon receiving HHS’ recommended changes, iHealth shall have sixty (60) days to provide a revised process to HHS for review and approval. iHealth shall implement its process, including distributing to workforce members with responsibility for performing such evaluations within ninety (90) days of HHS’ approval.
4. Policies and Procedures
   1. iHealth shall develop, maintain, and revise, as necessary, its written policies and procedures (“policies and procedures”) to comply with the Federal standards that govern the privacy and security of individually identifiable health information and to address any threats and vulnerabilities to the electronic PHI identified in the risk analysis and risk management plan required by Sections V.A and V.B.
   2. Within 60 days of HHS’s approval of the Risk Analysis identified in Section V.A., iHealth shall provide such policies and procedures, consistent with paragraph 1 above, to HHS for review and approval. Upon receiving any required changes to such policies and procedures from HHS, iHealth shall have 30 days to revise the policies and procedures accordingly and provide the revised policies and procedures to HHS for review and approval. This process shall continue until HHS approves such policies and procedures.
5. Minimum Content of the Policies and Procedures
   The Policies and Procedures required by Paragraph V.D above shall include, but not be limited to, the following provisions, standards, implementation specifications and obligations:

Privacy Rule Provisions:

1. Uses and Disclosures of PHI - 45 C.F.R. § 164.502(a)
2. Minimum Necessary - 45 C.F.R. § 164.502(b)

Security Rule Provisions:

3. Administrative Safeguards, including all required and addressable implementation specifications – 45 C.F.R. § 164.308(a) and (b).
4. Physical Safeguards, including all required and addressable implementation specifications – 45 C.F.R. § 164.310.
5. Technical Safeguards, including all required and addressable implementation specifications – 45 C.F.R. § 164.312.
6. Policies and Procedures and documentation requirements. – 45 C.F.R. § 164.316.

Breach Notification Rule Provisions:

7. Notification by a business associate, including all required and addressable implementation specifications – 45 C.F.R. §164.410.

6. Distribution and Updating of Policies and Procedures
   1. iHealth shall distribute the policies and procedures identified in Section V.D., to all members of the workforce within 30 days of HHS’s approval of such policies and to new members of the workforce within 15 days of the beginning of service.
   2. iHealth shall require, at the time of distribution of the policies and procedures, a signed written or electronic initial compliance certification from all members of the workforce, stating that the workforce members have read, understand, and shall abide by such policies and procedures.
   3. iHealth shall assess, update, and revise, as necessary, the policies and procedures at least annually. iHealth shall provide any revised policies and procedures to HHS for review and approval. Within 30 days of the effective date of any approved substantive revisions by HHS, iHealth shall distribute such revised policies and procedures to all members of its workforce and shall require new compliance certifications.
   4. iHealth shall not provide any member of its workforce with access to PHI if that workforce member has not signed or provided the written or electronic certification required by paragraphs 2 and 3 of this section.
7. Reportable Events
   1. During the Compliance Term, iHealth shall, upon learning that a workforce member likely failed to comply with its policies and procedures described in Section V.D.1, promptly investigate this matter. If iHealth, after review and investigation, determines that a member of its workforce has failed to comply with its policies and procedures, iHealth shall report such events to HHS as provided in Section VI.B.4. Such violations shall be known as Reportable Events. The report to HHS shall include the following:
      1. A complete description of the event, including the relevant facts, the persons involved, and the applicable provision(s) of iHealth’s Privacy, Security, and Breach Notification policies and procedures; and
      2. A description of the actions taken and any further steps iHealth plans to take to address the matter, to mitigate any harm, and to prevent it from recurring, including application of any appropriate sanctions against workforce members who failed to comply with its Privacy, Security, and Breach Notification policies and procedures.
   2. If no Reportable Events occur during the Compliance Term, iHealth shall so inform HHS in the Implementation Report as specified in Section VI below.

VI.       Implementation Report and Annual Reports

1. Implementation Report.  Within 60 days after HHS approves the policies and procedures required by section V.D.1 above, iHealth shall submit a written report with the documentation described below to HHS for review and approval ("Implementation Report"). The Implementation Report shall include:
   1. An attestation signed by an owner or officer of iHealth attesting that the policies and procedures are being implemented, have been distributed to all appropriate members of the workforce, and that iHealth has obtained all of the compliance certifications required by Sections V.D.;
   2. A copy of all training materials used to train workforce members on the new or revised policies and procedures required by Section V.D., including a description of the training, a summary of the topics covered, the length of the session(s),a schedule of when the training session(s) were held, and a list of attendants. The owner or officer of iHealth shall attest that such workforce training has been provided;
   3. An attestation signed by an owner or officer of iHealth listing all iHealth locations (including locations and mailing addresses), the corresponding name under which each location is doing business, the corresponding phone numbers and fax numbers, and an attestation that each location has complied with the obligations of this CAP; and
   4. An attestation signed by an owner or officer of iHealth stating that he or she has reviewed the Implementation Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.
2. Annual Reports.  The one-year period beginning on the Effective Date and each subsequent one-year period during the course of the period of compliance obligations shall be referred to as "the Reporting Periods." iHealth also shall submit to HHS Annual Reports with respect to the status of and findings regarding iHealth’s compliance with this CAP for each of the two Reporting Periods. iHealth shall submit each Annual Report to HHS no later than 60 days after the end of each corresponding Reporting Period. The Annual Reports shall include:
   1. An attestation signed by an owner or officer of iHealth attesting that the policies and procedures required by Section V of this CAP: (a) have been adopted; (b) are being implemented; and (c) have been distributed to all workforce members;
   2. An attestation signed by an owner or officer of iHealth attesting that it is maintaining
      written or electronic certifications from all workforce members that are required to receive training that they received the requisite training pursuant to the requirements set forth on this CAP and pursuant to the iHealth’s approved training procedures;
   3. A summary of Reportable Events (defined in Section V.G.1) identified during the Reporting Period and the status of any corrective and preventative action relating to all such Reportable Events;
   4. An attestation signed by an owner or officer of iHealth attesting that he or she has reviewed the Annual Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.

VII.     Document Retention

iHealth shall maintain for inspection and copying, and shall provide to HHS upon request, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date.

VIII.    Breach Provisions

iHealth Solutions, LLC is expected to fully and timely comply with all provisions contained in this CAP.

1. Timely Written Requests for Extensions.  iHealth may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act required by this CAP. A "timely written request" is defined as a request in writing received by HHS at least five days prior to the date such an act is required or due to be performed. This requirement may be waived by OCR only.
2. Notice of Breach of this CAP and Intent to Impose Civil Monetary Penalty.  The parties agree that a breach of this CAP by iHealth constitutes a breach of the Agreement. Upon a determination by HHS that iHealth has breached this CAP, HHS may notify iHealth of: (l) iHealth’s breach; and (2) HHS's intent to impose a CMP pursuant to 45 C.F.R. Part 160, or other remedies for the Covered Conduct set forth in paragraph I.2 of the Agreement and any other conduct that constitutes a violation of the HIPAA Privacy, Security, or Breach Notification Rules ("Notice of Breach and Intent to Impose CMP").
3. iHealth’s Response.   iHealth shall have 30 days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS's satisfaction that:
   1. iHealth is in compliance with the obligations of the CAP that HHS cited as the basis for the breach;
   2. The alleged breach has been cured; or
   3. The alleged breach cannot be cured within the 30-day period, but that: (a) iHealth has begun to take action to cure the breach; (b) iHealth is pursuing such action with due diligence; and (c) iHealth has provided to HHS a reasonable timetable for curing the breach.
4. Imposition of CMP.  If at the conclusion of the 30-day period, iHealth fails to meet the requirements of this CAP to HHS's satisfaction, HHS may proceed with the imposition of a CMP against iHealth pursuant to 45 C.F.R. Part 160 for any violations of the Covered Conduct set forth in paragraph I.2 of the Agreement and for any other act or failure to act that constitutes a violation of the HIPAA Rules. HHS shall notify iHealth in writing of its determination to proceed with the imposition of a CMP pursuant to 45 C.F.R. Part 160.

For iHealth Solutions, LLC

/s/                                                                                         
John Taft, CFO                                                                                            
iHealth Solutions, LLC
462 S. 4th Street
Louisville, KY 40202

4/20/2023
Date

For U.S. Department of Health and Human Services

/s/
Barbara Stampul                                                                  
Regional Manager, Southeast Region
Office for Civil Rights

4/20/2023
Date