L.A. CARE HEALTH PLAN Resolution Agreement and Corrective Action Plan

RESOLUTION AGREEMENT

I. Recitals

Parties. The Parties to this Resolution Agreement (“Agreement”) are:
1. The United States Department of Health and Human Services, Office for Civil Rights (“HHS”), which enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the Federal standards for notification in the case of breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”). HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates, and covered entities and business associates must cooperate with HHS compliance reviews and investigations. See 45 C.F.R. §§ 160.306(c), 160.308, and 160.310(b).
2. Local Initiative Health Authority for Los Angeles County, operating and doing business as A. Care Health Plan (“LACHP”), is a Covered Entity as defined at 45 C.F.R. § 160.103, and therefore is required to comply with the HIPAA Rules. LACHP is an independent local public agency authorized by the State of California and created by the County of Los Angeles to provide health coverage to low-income Los Angeles County residents. LACHP supports the safety net of health care providers needed to care for them and is the nation’s largest publicly operated health plan with more than 2.7 million members.
  HHS and LACHP shall together be referred to herein as the “Parties.”
Factual Background and Covered Conduct.
On January 13, 2016, HHS opened a compliance review of LACHP based on a March 3, 2014, online media article which reported that, “on January 24, 2014….some L.A. Care Covered members who logged onto (their) payment portal were able to see another member's name, address and member identification number…the disclosures took place between January 22, 2014 to January 24, 2014 and were the result of a manual information processing error." Pursuant to its obligations under the Breach Notification Rule, during the course of OCR’s investigation, LACHP filed a breach report regarding this incident with OCR February 26, 2016. The breach report described that the breach, potentially affecting less than 500 individuals, occurred when LACHP members were able to view the protected health information (PHI) of other LACHP members through LACHP’s member portal.

On May 19, 2016, HHS notified LACHP of its investigation regarding LACHP's compliance with the HIPAA Rules. (OCR transaction number 16-228631)

On March 15, 2019, LACHP reported to OCR that on or around January 30, 2019, Los Angeles Department of Public Social Services (DPSS) reported to LACHP that a LACHP member received identification (ID) cards for other members. LACHP discovered that a mailing error caused member ID cards to be mailed to the wrong members. Approximately 1,498 individuals were affected by the breach. (OCR transaction number 19-336535)

HHS’s investigation of LACHP’s compliance with the HIPAA Rules indicated potential violations of the following provisions (''Covered Conduct"):
1. The requirement to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI held by LACHP (See 45 C.F.R. § 164.308(a)(1)(ii)(A)).
2. The requirement to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. (See 45 C.F.R. § 164.308(a)(1)(ii)(B).)
3. The requirement to implement sufficient procedures to regularly review records of information system activity (See 45 C.F.R. § 164.308(a)(1)(ii)(D).)
4. The requirement to perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of ePHI. (See 45 CFR F.R. § 164.308(a)(8).)
5. The requirement to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. (See 45 C.F.R. 164.312(b)).
6. LACHP impermissibly disclosed the ePHI of 1,498 individuals (See 45 C.F.R. § 164.502(a)).
No Admission. This Agreement is not an admission, concession or evidence of liability by LACHP, or of any fact or any violation of law, rule, or regulation, including any violation of the HIPAA Rules.
No Concession. This Agreement is not a concession by HHS that LACHP is not in violation of the HIPAA Rules in connection with the Covered Conduct and not liable for civil money penalties (“CMPs”).
Intention of Parties to Effect Resolution. This Agreement is intended to resolve OCR Transaction Numbers: 16-228631 and 19-336535, and any potential violations of the HIPAA Rules related to the Covered Conduct associated with the compliance review specified in paragraph I.2 of this Agreement. In consideration of the Parties’ interest in avoiding the uncertainty, burden, and expense of further investigation and formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below.

II. Terms and Conditions

Payment. In consideration of the release and other obligations from HHS as set forth in this Agreement, LACHP has agreed to pay HHS, the amount of $1,300,000 (“Resolution Amount”) in resolution of the Covered Conduct as set forth in this Agreement. LACHP agrees to pay the Resolution Amount within thirty (30) days of the Effective Date of this Agreement as defined in paragraph II.14 pursuant to written instructions to be provided by HHS.
Corrective Action Plan. LACHP has entered into and agrees to comply with the Corrective Action Plan (“CAP”), attached as Appendix A, which is incorporated into this Agreement by reference. If LACHP breaches the CAP, and fails to cure the breach as set forth in the CAP, then LACHP will be in breach of this Agreement and HHS will not be subject to the Release set forth in paragraph II.8 of this Agreement, and LACHP will not be subject to the agreement and waiver set forth in paragraph II.9 of this Agreement.
Release by HHS. In consideration of and conditioned upon LACHP’s performance of its obligations under this Agreement, HHS releases LACHP and its officers, directors, employees and agents (the “Released Parties”) from any actions it may have against the Released Parties under the HIPAA Rules arising out of or related to the Covered Conduct associated with the compliance review identified in paragraph I.2 of this Agreement. HHS does not release LACHP from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct associated with the compliance review and referred to in this paragraph. This release does not extend to criminal actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
Agreement by Released Parties. LACHP shall not contest the validity of its obligation to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. LACHP waives all procedural rights granted under Section 1128A of the Social Security Act (42 U.S.C. § 1320a- 7a) and 45 C.F.R. Part 160 Subpart E, and HHS claims collection regulations at 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount.
Binding on Successors. This Agreement is binding on LACHP and its successors, heirs, transferees, and assigns.
Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement.
No Additional Releases. This Agreement is intended to be for the benefit of the Parties only, and by this instrument the Parties do not release any claims against or by any other person or entity.
Effect of Agreement. This Agreement constitutes the complete agreement between the Parties. All material representations, understandings, and promises of the Parties are contained in this Agreement. Any modifications to this Agreement shall be set forth in writing and signed by all Parties.
Execution of Agreement and Effective Date. The Agreement shall become effective (e., final and binding) upon the date of signing of this Agreement and the CAP by the last signatory (“Effective Date”).
Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a CMP must be imposed within six (6) years from the date of the occurrence of the violation. To ensure that this six-year period does not expire during the term of this Agreement, LACHP agrees that the time between the Effective Date of this Agreement (as set forth in Paragraph 14) and the date the Agreement may be terminated by reason of LACHP’s breach, plus one-year thereafter, will not be included in calculating the six (6) year statute of limitations applicable to the violations which are the subject of this Agreement. LACHP waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the Covered Conduct associated with the compliance review identified in paragraph I.2 that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Agreement.
Disclosure. HHS places no restriction on the publication of the Agreement. In addition, HHS or LACHP may be required to disclose material related to this Agreement to any person upon request consistent with the applicable provisions of the Freedom of Information Act, 5 U.S.C. § 552, and its implementing regulations, 45 C.F.R. Part 5, or state Public Record laws.
Execution in Counterparts. This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement.
Authorizations. The individual(s) signing this Agreement on behalf of LACHP represent and warrant that they are authorized by LACHP to execute this Agreement. The individual(s) signing this Agreement on behalf of HHS represent and warrant that they are signing this Agreement in their official capacities and that they are authorized to execute this Agreement.

III. Signatures

The individuals signing represent that they are authorized to execute this Agreement and legally bind the parties to this Agreement.

For L.A. Care Health Plan

_______________________________________
Date: July 28, 2023
Augustavia Haydel, General Counsel

For the U.S. Department of Health and Human Services

_______________________________________
Date: August 1, 2023

Michael Leoz, Regional Manager
Office for Civil Rights, Pacific Region

APPENDIX A TO RESOLUTION AGREEMENT

CORRECTIVE ACTION PLAN
BETWEEN THE
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES
AND
L.A. CARE HEALTH PLAN

I. Preamble

L.A. Care Health Plan (“LACHP”) hereby enters into this Corrective Action Plan (“CAP”) with the United States Department of Health and Human Services, Office for Civil Rights (“HHS”). Contemporaneously with this CAP, LACHP is entering into a Resolution Agreement (“Agreement”) with HHS, and this CAP is incorporated by reference into the Resolution Agreement as Appendix A. LACHP enters into this CAP as part of consideration for the release set forth in paragraph II.8 of the Agreement.

II. Contact Persons and Submissions

Contact Persons
LACHP has identified the following individuals as its authorized representatives and contact persons regarding the implementation of this CAP and for receipt and submission of notifications and reports:

Thomas Mapp, Chief Compliance Officer
L.A. Care Health Plan
1055 West 7^th Street, 10^th Floor
TMapp@lacare.org

With a copy to:
Serge Herrera, Privacy Officer
L.A. Care Health Plan
1055 West 7^th Street, 10^th Floor
privacyofficer@lacare.org

Gene Magerr, Information Security Officer
L.A. Care Health Plan
1055 West 7^th Street, 10^th Floor
GMagerr@lacare.org

HHS has identified the following individual as its authorized representative and contact person regarding the implementation of this CAP and for receipt and submission of notifications and reports:

Steven Chen, Investigator
Department of Health and Human Services
Office for Civil Rights
90 7^th Street, Suite 4-100
San Francisco, California 94103-6705

LACHP and HHS agree to promptly notify each other of any changes in the contact persons or the other information provided above.
Proof of Submissions. Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including certified mail, electronic mail, overnight mail, or hand delivery, provided that there is proof that such notification was received. The receiving party will acknowledge receipt of any electronic mail. For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt.

III. Effective Date and Term of CAP

The Effective Date for this CAP shall be calculated in accordance with paragraph II.14 of the Agreement (“Effective Date”). The period for compliance (“Compliance Term”) with the obligations assumed by LACHP under this CAP shall begin on the Effective Date of this CAP and end three (3) years from the Effective Date, unless HHS has notified LACHP under Section VIII hereof of its determination that LACHP breached this CAP. In the event HHS notifies LACHP of a breach under section VIII hereof, the Compliance Term shall not end until HHS notifies LACHP that HHS has determined LACHP failed to meet the requirements of section VIII.C of this CAP and issues a written notice of intent to proceed with an imposition of a civil money penalty against LACHP pursuant to 45 C.F.R. Part 160. After the Compliance Term ends, LACHP shall still be obligated to: (a) submit the final Annual Report as required by section VI; and (b) comply with the document retention requirement in section VII. Nothing in this CAP is intended to eliminate or modify LACHP’s obligation to comply with the document retention requirements in 45 C.F.R. § 164.316(b) and § 164.530(j).

IV. Time

In computing any period of time prescribed or allowed by this CAP, all days referred to shall be calendar days. The day of the act, event, or default from which the designated period of time begins to run shall not be included. The last day of the period so computed shall be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day which is not one of the aforementioned days.

V. Corrective Action Obligations

LACHP agrees to the following:

Conduct an Enterprise-wide Risk Analysis
1. LACHP shall conduct and complete an accurate, thorough, enterprise-wide analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by LACHP or its affiliates that are owned, controlled or managed by LACHP that contain, store, transmit or receive LACHP ePHI (the “Risk Analysis”). As part of this process, LACHP shall develop a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and applications that contain or store ePHI, which will then be incorporated in its Risk Analysis.
2. Within thirty (30) days of the Effective Date, LACHP shall submit to HHS the scope and methodology by which it proposes to conduct the Risk Analysis. HHS shall notify LACHP whether the proposed scope and methodology is or is not consistent with 45 C.F.R. § 164.308 (a)(l)(ii)(A).
3. LACHP shall provide the Risk Analysis, consistent with paragraph V.B.l., to HHS within one hundred twenty (120) days of HHS's approval of the scope and methodology described in paragraph V.B.2 for HHS's review.
4. Upon submission by LACHP, HHS shall review and recommend changes to the aforementioned risk analysis within sixty (60) days. If HHS requires revisions to the Risk Analysis, HHS shall provide LACHP with a detailed, written explanation of such required revisions and with comments and recommendations in order for LACHP to be able to prepare a revised Risk Analysis. Upon receiving HHS’s recommended changes, LACHP shall have thirty (30) calendar days to submit a revised risk analysis. This process will continue until HHS provides final approval of the risk analysis.
5. LACHP shall annually conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by LACHP, affiliates that are owned, controlled, or managed by LACHP; and document the security measures LACHP implemented or is implementing to sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level. Subsequent risk analyses and corresponding management plans shall be submitted for review by HHS in the same manner as described in this section until the conclusion of the CAP. Revisions to policies and procedures in this section shall be made pursuant to Section V.D.5 below.
Develop and Implement a Risk Management Plan
1. LACHP shall develop an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the Risk Analysis specified in section V.A.1. above (the “Risk Management Plan”). The Risk Management Plan shall include a process and timeline for LACHP’s implementation, evaluation, and revision of its risk remediation activities.
2. Within sixty (60) days of HHS’s final approval of the Risk Analysis described in section V.A.1 above, LACHP shall submit a Risk Management Plan to HHS for HHS’s review and approval. HHS shall approve, or, if necessary, require revisions to LACHP’s Risk Management Plan.
3. Upon receiving HHS’s notice of required revisions, if any, LACHP shall have sixty (60) days to revise the Risk Management Plan accordingly and forward for review and approval. This process shall continue until HHS approves the Risk Management Plan.
4. Within sixty (60) days of HHS’s approval of the Risk Management Plan, LACHP shall finalize and officially adopt the Risk Management Plan in accordance with its applicable administrative procedures.
Evaluation Report
1. If during the Compliance Term LACHP has applied environmental or operational changes materially affecting the security of its ePHI, LACHP shall submit a written report (“Evaluation Report”) with documentation describing and evidencing to HHS the environmental or operational change and LACHP’s evaluation of such change pursuant to 45 C.F.R. § 164.308(a)(8) and consistent with LACHP’s policies and procedures.
Policies and Procedures
1. LACHP shall develop, maintain, and revise, as necessary, its written policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information (45 C.F.R. Part 160 and Subparts A, C, and E of Part 164, the “Privacy Rule” and “Security Rule”). LACHP’s policies and procedures shall include, but not be limited to, the minimum content set forth in section V.F.
2. LACHP shall provide such policies and procedures to HHS within sixty (60) days of receipt of HHS’s approval of the Risk Management Plan required by paragraph V.B.1. above.
3. Upon receiving HHS’s notice of required revisions, if any, LACHP shall have sixty (60) days to revise the policies and procedures accordingly and provide the revised policies and procedures to HHS for review and approval. This process shall continue until HHS approves the policies and procedures.
4. Within thirty (30) days of HHS’s approval of the policies and procedures, LACHP shall implement such policies and procedures.
Distribution of Policies and Procedures
1. LACHP shall distribute the policies and procedures identified in section V.D.1. to all members of the workforce who have access to PHI within thirty (30) days of HHS’s approval of such policies and to new workforce members within thirty (30) days of their beginning of service.
2. LACHP shall require, at the time of distribution of such policies and procedures, a signed written or electronic initial compliance certification from all workforce members stating that such workforce members have read, understand, and shall abide by such policies and procedures.
3. LACHP shall not provide access to PHI to any workforce member if that workforce member has not signed or provided the written or electronic certification required by paragraph 2 of this section.
Minimum Content of the Policies and Procedures
The Policies and Procedures shall include measures to address the following Privacy and Security Rule Provisions:

Privacy Rule Provisions
1. Uses and Disclosures of PHI 45 C.F.R. § 164.502(a)
Security Rule Provisions
1. Risk Analysis 45 C.F.R. § 164.308(a)(1)(ii)(A)
2. Risk Management 45 C.F.R. § 164.308(a)(1)(ii)(B)
Training
1. Within thirty (30) days of HHS's final approval of the policies and procedures required by section V.D. of this CAP, LACHP shall augment its existing HIPAA and Security Training Program (“Training Program”) for all LACHP workforce members who have access to PHI. The Training Program shall include general instruction on compliance with LACHP’s HIPAA policies and procedures. LACHP shall submit its proposed training materials on the policies and procedures to HHS for its review and approval. HHS shall approve, or, if necessary, require revisions to LACHP’s Training Program.
2. Upon receiving HHS’s notice of required revisions, if any, LACHP shall have sixty (60) days to revise the Training Program accordingly and forward to HHS for review and approval. This process shall continue until HHS approves the Training Program.
3. Within sixty (60) days after receiving HHS's final approval of the Training Program and at least every 12 months thereafter, LACHP shall provide training to all appropriate workforce members who have access to PHI within thirty (30) days of their beginning of service and in accordance with LACHP’s applicable administrative procedures for training.
4. Notwithstanding LACHP’s obligation to train its workforce members on revised policies and procedures in section V.A.5. above, after providing the training required by section V.G.3, LACHP shall provide annual retraining on LACHP’s HIPAA policies and procedures to all appropriate workforce members for the duration of the Compliance Term of this CAP.
5. Each workforce member who is required to attend training shall certify, in electronic or written form, that he or she has received the training. The training certification shall specify the date training was received. All training materials shall be retained in compliance with Section VII of this CAP.
Reportable Events
1. During the Compliance Term, LACHP shall, upon learning that a workforce member failed to comply with its HIPAA policies and procedures or the Privacy, Security or Breach Notification Rules (HIPAA Rules), promptly investigate the matter. If LACHP determines, after review and investigation, that a workforce member has materially failed to comply with its policies and procedures or the HIPAA Rules, LACHP shall report the event to HHS within 30 days. Such violations shall be known as Reportable Events. The report to HHS shall include the following:
  1. A complete description of the event, including the relevant facts, the persons involved, and the applicable provision(s) of LACHP’s Privacy, Security and Breach Notification policies and procedures implicated; and
  2. A description of the actions taken and any further steps LACHP plans to take to address the matter to mitigate any harm, and to prevent it from recurring, including application of any appropriate sanctions against workforce members who failed to comply with its HIPAA policies and procedures or the HIPAA Rules.
2. If no Reportable Events occur during the Compliance term, LACHP shall so inform HHS in the Annual Report as specified in Section VI below.

VI. Implementation Report and Annual Reports

Implementation Report. Within one hundred twenty (120) days after receiving HHS’s approval of the Risk Management Plan, Process, policies and procedures, and training materials consistent with Section V above, LACHP shall submit a written report with the documentation described below to HHS summarizing the status of its implementation of this CAP for review and approval. The report, known as the “Implementation Report” shall include:
1. An attestation signed by an officer of LACHP attesting that the policies and procedures required by Section V of this CAP: (a) have been adopted; (b) are being implemented; and (c) have been distributed to all appropriate workforce members;
2. An attestation signed by an officer of LACHP attesting that LACHP is implementing its written process to regularly evaluate any environmental or operational changes that affect the security of LACHP’s ePHI pursuant to 45 C.F.R. § 164.308(a)(8);
3. A copy of all training materials used for the training required by this CAP, a description of the training, including a summary of the topics covered, the length of the session(s) and a schedule of when the training session(s) were held;
4. An attestation signed by an officer of LACHP attesting that he or she has made a reasonable inquiry regarding training and believes that, upon such inquiry, all members of the workforce have completed the initial training required by this CAP and have executed the training certifications required by Section V.G.5;
5. An attestation signed by an officer of LACHP listing all LACHP locations (including mailing addresses), the corresponding name under which each location is doing business, the corresponding phone numbers and fax numbers, and attesting that he or she has made a reasonable inquiry regarding CAP obligations and believes that, upon such inquiry, each location has complied with the obligations of this CAP; and
6. An attestation signed by an officer of LACHP stating that he or she has reviewed the Implementation Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.
Annual Reports. The one (1) year period beginning on the Effective Date and each subsequent one (1) year period during the course of the period of compliance obligations shall be referred to as “the Reporting Periods.” LACHP also shall submit to HHS Annual Reports with respect to the status of and findings regarding LACHP’s compliance with this CAP for each of the three Reporting Periods. LACHP shall submit each Annual Report to HHS no later than sixty (60) days after the end of each corresponding Reporting Period. The Annual Report shall include:
1. A schedule, topic outline, and copies of the training materials for the training programs attended in accordance with this CAP during the Reporting Period that is the subject of the report;
2. An attestation signed by an officer of LACHP attesting that he or she has made a reasonable inquiry regarding training and believes that, upon such inquiry, LACHP is obtaining and maintaining written training certifications from all persons that require training that they received training pursuant to the requirements set forth in this CAP;
3. A summary of the annual review of LACHP’s Risk Analysis, as required by section V.A.4. above, and revisions, if any, to LACHP’s Risk Management Plan, Policies and Procedures, training materials, and implemented security measures as required by V.A.5. above.
4. A copy of any and all Evaluation Report(s) as required by V.C. above.
5. A summary/description of all material engagements between LACHP and third-party consultants or advisors, including, but not limited to, any outside financial audits, compliance program engagements, or reimbursement consulting, if different from what was submitted as part of the Implementation Report;
6. A summary of Reportable Events (defined in Section V.H.1) identified during the Reporting Period and the status of any corrective and preventative action relating to all such Reportable Events;
7. An attestation signed by an officer of LACHP attesting that he or she has reviewed the Annual Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.

VII. Document Retention

LACHP shall maintain for inspection and copying, and shall provide to HHS upon request, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date.

VIII. Breach Provisions

LACHP is expected to fully and timely comply with all provisions contained in this CAP.

Timely Written Requests for Extensions. LACHP may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act required by this CAP. A “timely written request” is defined as a request in writing received by HHS at least five days prior to the date such an act is required or due to be performed. This requirement may be waived by OCR only.
Notice of Breach of this CAP and Intent to Impose Civil Monetary Penalty. The parties agree that a breach of this CAP by LACHP constitutes a breach of the Agreement. Upon a determination by HHS that LACHP has breached this CAP, HHS may notify LACHP of: (1) LACHP’s breach and the specific basis for such position; and (2) HHS’s intent to impose a CMP pursuant to 45 C.F.R. Part 160, or other remedies for the Covered Conduct associated with the compliance review set forth in paragraph I.2 of the Agreement and any other conduct that constitutes a violation of the HIPAA Privacy, Security, or Breach Notification Rules (“Notice of Breach and Intent to Impose CMP”).
LACHP’s Response. LACHP shall have thirty (30) days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS’s satisfaction that:
1. LACHP is in compliance with the obligations of the CAP that HHS cited as the basis for the breach;
2. The alleged breach has been cured; or
3. The alleged breach cannot be cured within the thirty (30) day period, but that: (a) LACHP has begun to take action to cure the breach; (b) LACHP is pursuing such action with due diligence; and (c) LACHP has provided to HHS a reasonable timetable for curing the breach.
Imposition of CMP. If at the conclusion of the thirty (30) day period, LACHP fails to meet the requirements of Section VIII.C. of this CAP to HHS’s satisfaction, HHS may proceed with the imposition of a CMP against LACHP pursuant to 45 C.F.R. Part 160 for any violations of the Covered Conduct associated with the compliance review set forth in paragraph I.2 of the Agreement and for any other act or failure to act that constitutes a violation of the HIPAA Rules. HHS shall notify LACHP in writing of its determination to proceed with the imposition of a CMP pursuant to 45 C.F.R. Part 160.
Upon receipt of such notice from HHS, LACHP’s obligations under the CAP shall terminate and LACHP shall have no further obligations under the CAP. In addition, the following provisions shall apply:
1. If HHS elects to proceed with imposing a CMP under this section VIII.D, LACHP shall, with the exception of LACHP’s waiver and agreement in Section II, Paragraph 15 of the Resolution Agreement to not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the Covered Conduct associated with the compliance review identified in Section I, Paragraph 2 of the Resolution Agreement that is filed by HHS within the time period set forth in the Resolution Agreement, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of the Resolution Agreement, retain all of its defenses, rights, challenges, and appeals under the law, including, without limitation, those specified under 45 C.F.R. Part 160, Subparts C through E, with respect to any determination by HHS that LACHP has violated the Privacy Rule or the Security Rule and with respect to the imposition of any CMP.
2. HHS must offset any CMP amount levied under this section by the amounts already paid by LACHP in lieu of CMPs under this Resolution Agreement. Any such offset will apply only to Covered Conduct up to and including the Effective Date.

VIII. Signatures