Inmediata Health Group, LLC Resolution Agreement and Corrective Action Plan

Resolution Agreement

I.  Recitals

  1. Parties. The Parties to this Resolution Agreement (“Agreement”) are:
    1. The United States Department of Health and Human Services, Office for Civil Rights (“HHS”) enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the Federal standards for notification in the case of breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”).  HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates, and covered entities and business associates must cooperate with HHS compliance reviews and investigations.  See 45 C.F.R. §§ 160.306(c), 160.308, and 160.310(b).
    2. Inmediata Health Group, LLC (formerly known as Inmediata Health Group, Corp.)  (“Inmediata”) is a covered entity, as defined at 45 C.F.R. § 160.103, and therefore is required to comply with the HIPAA Rules. Inmediata is a health care clearinghouse that provides medical data processing and clearinghouse services to physicians, dentists, hospitals, labs, medical schools and payers in Puerto Rico.  Its corporate headquarters is located in San Juan, Puerto Rico and a branch located in Charlotte, North Carolina.

HHS and Inmediata shall together be referred to herein as the “Parties.”

  1. Factual Background and Covered Conduct. On November 16, 2018, OCR received a complaint filed by a complainant against Inmediata regarding this breach incident alleging that electronic protected health information (ePHI) of patients belonging to Inmediata was available online to unauthorized individuals.   OCR’s investigation substantiated the allegations and determined that from May 16, 2016 to January 23, 2019, the ePHI of 1,565,338 individuals’ was made publicly available online and was indexed and cached by search engines.   Inmediata reported that the breached ePHI included patient names, dates of birth, home addresses, Social Security numbers, claims information, diagnosis/conditions and other treatment information. 
  2. No Admission.  This Agreement is not an admission of liability by Inmediata.
  3. No Concession.  This Agreement is not a concession by HHS that Inmediata is not in violation of the HIPAA Rules and not liable for civil money penalties.
  4. Intention of Parties to Effect Resolution.  This Agreement is intended to resolve OCR Transaction Number 19-342429 and any violations of the HIPAA Rules related to the Covered Conduct specified in paragraph I.2 of this Agreement.  In consideration of the Parties’ interest in avoiding the uncertainty, burden, and expense of formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below.

II. Terms and Conditions

  1. Payment. Inmediata has agreed to pay HHS the amount of $250,000 (“Resolution Amount”).  Inmediata agrees to pay the Resolution Amount in one-lump sum within seven (7) days of the Effective Date of this Agreement as defined in paragraph II.14 pursuant to written instructions to be provided by HHS.
  2. Release by HHS.  In consideration of and conditioned upon Inmediata’s performance of its obligations under this Agreement, HHS releases Inmediata from any actions it may have against Inmediata under the HIPAA Rules arising out of or related to the Covered Conduct identified in paragraph I.2 of this Agreement.  HHS does not release Inmediata from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct and referred to in this paragraph. This release does not extend to actions that may be brought under Section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
  3. Agreement by Released Parties. Inmediata shall not contest the validity of its obligation to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement.  Inmediata waives all procedural rights granted under Section 1128A of the Social Security Act (42 U.S.C. § 1320a- 7a) and 45 C.F.R. Part 160 Subpart E, and HHS claims collection regulations at 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount.
  4. Binding on Successors.  This Agreement is binding on Inmediata and its successors, heirs, transferees, and assigns.
  5. Costs.  Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement.
  6. No Additional Releases.  This Agreement is intended to be for the benefit of the Parties only, and by this instrument the Parties do not release any claims against or by any other person or entity.
  7. Effect of Agreement.  This Agreement constitutes the complete agreement between the Parties.  All material representations, understandings, and promises of the Parties are contained in this Agreement.  Any modifications to this Agreement shall be set forth in writing and signed by all Parties. 
  8. Execution of Agreement and Effective Date.  The Agreement shall become effective (i.e., final and binding) upon the date of signing of this Agreement (Effective Date).
  9. Tolling of Statute of Limitations.  Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a civil money penalty (“CMP”) must be imposed within six years from the date of the occurrence of the violation.  To ensure that this six-year period does not expire during the term of this Agreement, Inmediata agrees that the time between the Effective Date of this Agreement and the date the Agreement may be terminated by reason of Inmediata’s breach, plus one-year thereafter, will not be included in calculating the six (6) year statute of limitations applicable to the violations which are the subject of this Agreement.  Inmediata waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the covered conduct identified in paragraph I.2 that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Agreement.
  10. Disclosure.  HHS places no restriction on the publication of the Agreement.
  11. Execution in Counterparts.  This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement. 
  12. Authorizations.  The individual(s) signing this Agreement on behalf of Inmediata represent and warrant that they are authorized by Inmediata to execute this Agreement.  The individual(s) signing this Agreement on behalf of HHS represent and warrant that they are signing this Agreement in their official capacities and that they are authorized to execute this Agreement.

For the Covered Entity

/s/

Angel Morales Contreras
Chief Financial Officer
Inmediata Health Group, LLC
636 Avenue, San Patricio
San Juan, Puerto Rico 00920

Dated: 8/12/2024

For U.S. Department of Health and Human Services

/s/

Linda C. Colón
Regional Manager
Eastern and Caribbean Region
Office for Civil Rights

Dated: 8/13/2024

Content created by Office for Civil Rights (OCR)
Content last reviewed