Voluntary Resolution Agreement Between The United States Department of Health and Human Services, Office for Civil Rights (“HHS”) and Montiefore

RESOLUTION AGREEMENT

I. Recitals

1. Parties. The Parties to this Resolution Agreement (“Agreement”) are:

   1. The United States Department of Health and Human Services, Office for Civil Rights (“HHS”) enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the Federal standards for notification in the case of breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”). HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates, and covered entities and business associates must cooperate with HHS compliance reviews and investigations. See 45 C.F.R. §§ 160.306(c), 160.308, and 160.310(b).
   2. Montefiore Medical Center (“MMC”) is a covered entity, as defined at 45 C.F.R. § 160.103, and therefore is required to comply with the HIPAA Rules. MMC is a not-for-profit organization whose sole parent organization is Montefiore Health System, Inc. (MHS). MMC is located in the Bronx, New York, and provides patient care, teaching, research, community services and care management, primarily to residents of the Metropolitan New York area.

   HHS and MMC shall together be referred to herein as the “Parties.”

2. Factual Background and Covered Conduct.

   On July 22, 2015, HHS received notification from MMC regarding a breach of its unsecured electronic protected health information (“ePHI”). MMC reported that on May 15, 2015, MMC discovered that from January 1, 2013 through June 30, 2013, one of its employees inappropriately accessed patient account information, including the patient’s name, address, SSN, next of kin, and health insurance information, of 12,517 patients from its electronic medical record system and then sold certain patient information to an identity theft ring. On November 23, 2015, HHS notified MMC that it was initiating an investigation regarding MMC’s compliance with the HIPAA Rules.

   HHS’ investigation of MMC’s compliance with the HIPAA Rules indicated potential violations of the following provisions (“Covered Conduct”):

   1. (i) The requirement to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI held by MMC. See 45 F.R. § 164.308(a)(1)(ii)(A).
   2. (ii) The requirement to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking See 45 C.F.R.164.308(a)(1)(ii)(D).
   3. (iii) The requirement to implement hardware, software, and/or procedural mechanisms that record and examine activity in all information systems that contain or use See 45 C.F.R.164.312(b).
3. No Admission. This Agreement is not an admission, concession or evidence of liability by MMC, or of any fact or any violation of law, rule, or regulation, including any violation of HIPAA Rules.
4. No Concession. This Agreement is not a concession by HHS that MMC is not in violation of the HIPAA Rules and not liable for civil money penalties
5. Intention of Parties to Effect Resolution. This Agreement is intended to resolve OCRTransaction Number 15-216248 and any potential violations of the HIPAA Rules related to the Covered Conduct specified in paragraph I.2 of this Agreement. In consideration of the Parties’ interest in avoiding the uncertainty, burden, and expense of formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below.

II. Terms and Conditions

6. Payment. MMC has agreed to pay HHS the amount of $4,750,000 (“Resolution Amount”). MMC agrees to pay the Resolution Amount in one lump sum within 3 business days of the Effective Date.
7. Corrective Action Plan. MMC has entered into and agrees to comply with the Corrective Action Plan (“CAP”), attached as Appendix A, which is incorporated into this Agreement by reference. If MMC breaches the CAP and fails to cure the breach as set forth in the CAP, then MMC will be in breach of this Agreement and HHS will not be subject to the Release set forth in paragraph II.8 of this Agreement.
8. Release by HHS. In consideration of and conditioned upon MMC’s performance of its obligations under this Agreement, HHS releases MMC from any actions it may have against MMC for any potential violations of the HIPAA Rules arising out of or related to the Covered Conduct identified in paragraph I.2 of this Agreement. HHS does not release MMC from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct or referred to in this paragraph. This release does not extend to actions that may be brought under Section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
9. Agreement by Released Parties. MMC shall not contest the validity of its obligation to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. MMC waives all procedural rights granted under Section 1128A of the Social Security Act (42 U.S.C. § 1320a- 7a) and 45 C.F.R. Part 160 Subpart E, and HHS claims collection regulations at 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount.
10. Binding on Successors. This Agreement is binding on MMC and its successors, heirs, transferees, and assigns.
11. Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement.
12. No Additional Releases. This Agreement is intended to be for the benefit of the Parties only, and by this instrument the Parties do not release any claims against or by any other person or entity.
13. Effect of Agreement. This Agreement constitutes the complete agreement between the Parties. All material representations, understandings, and promises of the Parties are contained in this Agreement. Any modifications to this Agreement shall be set forth in writing and signed by all Parties.
14. Execution of Agreement and Effective Date. The Agreement shall become effective (i.fu final and binding) upon the date of signing of this Agreement and the CAP by the last signatory ("Effective Date").
15. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a civil money penalty ("CMP '') must be imposed within six years from the date of the occurrence of the violation. To ensure that this six-year period does not expire during the term of this Agreement, MMC agrees that the time between the Effective Date of this Agreement and the date the Agreement may be terminated by reason ofMMC's breach, plus one-year thereafter, will not be included in calculating the six (6) year statute of limitations applicable to the violations which are the subject of this Agreement . MMC waives and will not plead any statute of limitations, !aches, or similar defenses to any administrative action relating to the Covered Conduct identified in paragraph I.2 that is filed by HHS within thetime period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Agreement.
16. Disclosure. HHS places no restriction on the publication of this Agreement.
17. Execution in Counterparts. This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement .
18. Authorizations. The individual(s) signing this Agreement on behalf of MMC represent and warrant that they are authorized by MMC to execute this Agreement. The individual(s) signing this Agreement on behalf of HHS represent and warrant that they are signing this Agreement in their official capacities and that they are authorized to execute this Agreement.

For Montefiore Medical Center

/s/
Christopher Panczner
Senior Vice President and Chief Legal Officer
Montefiore Medical Center

Date: November 16, 2023

For the U.S. Department of Health and Human Services

/s/                  
Linda C. Colón, Regional Manager
Eastern and Caribbean Region
Office for Civil Rights

Date: November 17, 2023

Appendix A

Corrective Action Plan

Between the

U.S. Department of Health and Human Services

And

Montefiore Medical Center

I.          Preamble

Montefiore Medical Center (hereinafter known as “MMC”) hereby enters into this Corrective Action Plan (“CAP”) with the United States Department of Health and Human Services, Office for Civil Rights (“HHS”). Contemporaneously with this CAP, MMC is entering into a Resolution Agreement (“Agreement”) with HHS, and this CAP is incorporated by reference into the Resolution Agreement as Appendix A. MMC enters into this CAP as part of consideration for the release set forth in paragraph II.8 of the Agreement.

II.          Contact Persons and Submissions

1. Contact Persons

   MMC has identified the following individual as its authorized representative and contact person regarding the implementation of this CAP and for receipt and submission of notifications and reports:

   Christopher Panczner
   Senior Vice President and Chief Legal Officer
   Montefiore Medical Center
   111 East 210^th
   Street Bronx, NY 10467
   (718) 920-7787
   cpanczne@montefiore.org

   With copy to:

   Jennifer Fromkin
   Associate Vice President and Chief Privacy Officer
   Montefiore Medical Center
   111 East 210^th Street
   Bronx, NY 10467
   (718) 920-5613
   jfromkin@montefiore.org

   HHS has identified the following individual as its authorized representative and contact person with whom MMC is to report information regarding the implementation of this CAP:

   Linda C. Colón, Regional Manager
   Eastern and Caribbean Region
   Office for Civil Rights
   U.S. Department of Health and Human Services
   26 Federal Plaza
   New York, New York 10278
   Voice Phone (212) 264-4136
   Linda.Colon@HHS.gov

   MMC and HHS agree to promptly notify each other of any changes in the contact persons or the other information provided above.

2. Proof of Submissions

   Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including e-mail, certified mail, overnight mail, or hand delivery, provided that there is proof that such notification was received. For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt.

III.          Effective Date and Term of CAP

The Effective Date for this CAP shall be calculated in accordance with paragraph II.14 of the Agreement (“Effective Date”). The period for compliance (“Compliance Term”) with the obligations assumed by MMC under this CAP shall begin on the Effective Date of this CAP and end two (2) years from the Effective Date unless HHS has notified MMC under Section VIII hereof of its determination that MMC breached this CAP. In the event of such a notification by HHS under Section VIII hereof, the Compliance Term shall not end until HHS notifies MMC that it has determined that the breach has been cured. After the Compliance Term ends, MMC shall still be obligated to submit the final Annual Report as required by Section VI and comply with the document retention requirement in Section VII. Nothing in this CAP is intended to eliminate or modify MMC’s obligation to comply with the document retention requirements in 45 C.F.R. § 164.316(b) and § 164.530(j).

IV.          Time

In computing any period of time prescribed or allowed by this CAP, all days referred to shall be calendar days. The day of the act, event, or default from which the designated period of time begins to run shall not be included. The last day of the period so computed shall be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day which is not one of the aforementioned days.

V.          Corrective ActionObligations

MMC agrees to take the corrective action steps specified below.

1. Conduct Risk Analysis
   1. MMC shall conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of the MMC’s electronic protected health information (“ePHI”) (“Risk Analysis”). The Risk Analysis shall incorporate all MMC’s locations and facilities and must include an evaluation of the risks to the security of ePHI in electronic equipment, data systems, and programs and applications controlled, administered, owned, or shared by MMC in connection with the care provided to MMC patients at MMC’s locations and facilities, that contain, store, transmit, or receive ePHI. The Risk Analysis shall also include an assessment of MMC’s environmental controls.¹ Prior to conducting the Risk Analysis, MMC shall develop a complete inventory of all of its facilities, categories of electronic equipment, data systems, programs, and applications (“Inventory”) that contain or store ePHI, which will then be incorporated into its Risk Analysis. If applicable, MMC shall update the Inventory during the Risk Analysis and incorporate any changes to the Inventory into the Risk Analysis.
   2. Within ninety (90) days of the Effective Date, MMC shall submit to HHS the scope and methodology by which they propose to conduct the Risk Analysis described in paragraph V.A.1. Within fifteen (15) days of its receipt, HHS shall notify MMC whether the proposed scope and methodology is or is not consistent with 45 C.F.R. § 164.308 (a)(1)(ii)(A).
   3. MMC shall provide the Risk Analysis, consistent with paragraph V.A.l., to HHS within one hundred eighty (180) days of HHS’ approval of MMC’s methodology described inparagraph
      V.A.2 for HHS’ review. Within thirty (30) days of its receipt of MMC’s Risk Analysis, HHS will inform MMC’s Contact in writing as to whether HHS approves of the Risk Analysis or, if necessary to ensure compliance with 45 C.F.R. § 164.308(a)(1)(ii)(A), requires revisions tothe Risk Analysis. If HHS requires revisions to the Risk Analysis, HHS shall provide MMC Contact with a detailed, written explanation of such required revisions and with comments and recommendations in order for MMC to be able to prepare a revised Risk Analysis. Upon receiving notice of required revisions to the Risk Analysis from HHS and a description of any required changes to the Risk Analysis, MMC shall have sixty (60) days in which to revise its Risk Analysis accordingly and submit the revised Risk Analysis to HHS for review and approval. This submission and review process shall continue until HHS approves the Risk Analysis, within thirty (30) days of MMC’s resubmission.
2. Develop and Implement a Risk Management Plan
   1. MMC shall develop a written risk management plan or plans sufficient to address and mitigate any security risks and vulnerabilities identified in the Risk Analysis described in Section V.A above (“Risk Management Plan”). The Risk Management Plan shall include a process and timeline for the MMC’s implementation, evaluation, and revision of its risk remediation activities.
   2. Within sixty (60) days of HHS’ final approval of the Risk Analysis described in Section V.A above, MMC shall submit its Risk Management Plan to HHS for HHS’ review. Within thirty (30) days of its receipt of the Risk Management Plan, HHS will inform MMC’s Contact in writing as to whether HHS approves of the Risk Management Plan or, if necessary to ensure compliance with 45 C.F.R. § 164.308(a)(1)(ii)(B), requires revisions to the Risk Management Plan. If HHS requires revisions to the Risk Management Plan, HHS shall provide MMC’s Contact with detailed comments and recommendations in order for MMC to be able to prepare a revised Risk Management Plan. Upon receiving notice of required revisions to the Risk Management Plan from HHS and a description of any required changes to the Risk Management Plan, MMC shall have thirty (30) days in which to revise its Risk Management Plan accordingly, and submit the revised Risk Management Plan to HHS for review and approval. This submission and review process shall continue until HHS approves the Risk Management Plan, within thirty (30) days of MMC’s resubmission.
   3. Within thirty (30) days of HHS’ approval of the Risk Management Plan, MMC shall begin implementation of the Risk Management Plan and distribute the plan to workforce members involved with implementation of the

3. Implement Audit Controls

   Within thirty (30) days of HHS’ final approval of the Risk Management Plan described in Section V.B above, MMC shall develop a plan to implement hardware, software, and/or procedural mechanisms that record and examine activity in all information systems that contain or use ePHI based on the findings of the Risk Management Plan.

4. Policies and Procedures
   1. MMC shall review and, to the extent necessary, revise, its current Privacy and Security Rules Policies and Procedures (“Policies and Procedures”) based on the findings of the risk analysis and the implementation of the risk management plan, as required by Sections V.A. and V.B. above. MMC’s Policies and Procedures must comply with the HIPAA’s Privacy and Security Rules. MMC’s Policies and Procedures shall include, but not be limited to, the minimum content set forth in Section V.F.
   2. MMC shall provide the Policies and Procedures, consistent with paragraph 1 above, to HHS within 30 (thirty) days of HHS approval of the Risk Management Plan. Within thirty (30) days of its receipt of MMC’s Policies and Procedures, HHS will inform MMC’s Contact in writing as to whether HHS approves of the Policies and Procedures or whether any revisions are required. Upon receiving notice of any recommended changes to the Policies and Procedures from HHS, MMC shall have thirty (30) days to revise them accordingly and provide the revised Policies and Procedures to HHS for review and approval, and such approval shall be given within fifteen (15) days of MMC’s resubmission.
   3. MMC shall implement such Policies and Procedures within thirty (30) days of receipt of HHS’ final approval.
5. Distribution and Updating of Policies and Procedures
   1. MMC shall distribute the Policies and Procedures identified in Section V.D. to all members of the workforce who have access to protected health information (“PHI”) within thirty (30) days of HHS approval of such Policies and Procedures and to new members of the workforce within thirty (30) days of their beginning of service.
   2. MMC shall require a signed written or electronic initial compliance certification from all members of the workforce who have access to PHI stating that the workforce members have read, understand, and shall abide by such Policies and Procedures.
   3. MMC shall assess, update, and revise, as necessary, the Policies and Procedures at least annually (and more frequently if appropriate). MMC shall provide such revised Policies and Procedures to HHS for review and approval. Within thirty (30) days of receipt of MMC’s revised Policies and Procedures, HHS will inform MMC’s Contact in writing as to whether HHS approves of the Policies and Procedures or whether revisions are required. Upon receiving notice of any recommended changes to the Policies and Procedures from HHS, MMC shall have thirty (30) days to revise such Policies and Procedures accordingly and provide the revised Policies and Procedures to HHS for review and approval.
   4. Within thirty (30) days of the effective date of any approved substantive revisions, MMC shall distribute the revised Policies and Procedures to all members of its workforce who have access to PHI, and to new members as required by Section V.E.1, and shall require new compliance certifications.
   5. MMC shall apply appropriate sanctions if any workforce member who has access to PHI has not signed or provided the written or electronic certification required by paragraphs 2 and 3 of this Section within a reasonable time of receipt of the Policies and Procedures.

6. Minimum Content of the Policies and Procedures

   The Policies and Procedures shall include specific policies to address the following Privacy and Security Rule provisions (the “Covered Policies and Procedures”):

   1. Uses and Disclosures of PHI- 45 F.R. §164.502(a)
   2. Risk Analysis- 45 C.F.R. §164.308(a)(1)(ii)(A)
   3. Risk Management- 45 C.F.R. §164.308(a)(1)(ii)(B)
   4. Sanction Policy- 45 C.F.R. §164.308(a)(1)(ii)(B)
   5. Information System Activity Review- 45 F.R. §164.308(a)(1)(ii)(D)
   6. Workforce Security- 45 F.R. §164.308(a)(3)(i)
   7. Information Access Management- 45 F.R. §164.308(a)(4)(i)
   8. Security Awareness and Training- 45 C.F.R. §164.308(a)(5)(i)
   9. Evaluation- 45 C.F.R. § 164.308(a)(8)
   10. Audit Controls- 45 C.F.R. §164.312(b)

7. Reportable Events

   During the Compliance Term, MMC shall, upon receiving information that a workforce member may have failed to materially comply with the Covered Policies and Procedures, promptly investigate this matter. If MMC determines, after review and investigation, that a member of its workforce who has agreed to comply with Policies and Procedures under Section V.E.3, has failed to materially comply with the Covered Policies and Procedures, MMC shall notify in writing HHS within thirty (30) days. Such violations shall be known as Reportable Events. The report to HHS shall include the following information:

   1. A complete description of the event, including the relevant facts, the persons involved, and the provision(s) of the Covered Policies and Procedures implicated, if applicable; and
   2. A description of the actions taken and any further steps MMC plans to take to address the matter to mitigate any harm, and to prevent it from recurring, including application of appropriate sanctions against workforce members who failed to comply with the Covered Policies and Procedures.
8. Training
   1. MMC shall provide HHS with training materials addressing the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all workforce members who have access to PHI within thirty (30) days of HHS approval of the Risk Management Plan. Within thirty (30) days of receipt of the training materials, HHS will inform MMC’s Contact in writing as to whether HHS approves of the training materials or whether they require revisions.
   2. Upon receiving notice from HHS specifying any required changes, MMC shall make the required changes and provide revised training materials to HHS within thirty (30) days, and such approval shall be given within fifteen (15) days of MMC’s resubmission.
   3. Upon receiving approval from HHS, MMC shall provide training using the approved training materials for all workforce members who have access to PHI within sixty (60) days of HHS’ approval and at least every twelve (12) months thereafter. MMC shall also provide such training to each workforce member who has access to PHI within thirty (30) days of the commencement of such workforce member’s service. MMC shall not provide access to PHI to any new workforce member who fails to complete training within thirty (30) days of the commencement of such workforce member’s service unless access to PHI is otherwise required due to exigent circumstances.
   4. Each workforce member who is required to attend training shall certify, in writing or in electronic form, that she or he has received and understands the required training. The training certification shall specify the date on which training was received. All course materials shall be retained in compliance with Section VII below.
   5. MMC shall review the training annually, and, where appropriate, update the training to reflect changes in Federal law or HHS guidance, applicable issues discovered during internal or external audits or reviews, and any other relevant developments.
   6. MMC shall apply reasonable sanctions if any workforce member who has access to PHI has not signed or provided the written or electronic certification required by paragraph V.H.4 within a reasonable period of time after completion of such training.

VI.          Annual Reports

The one-year period beginning on the Effective Date and each subsequent one- year period during the course of the period of compliance obligations shall be referred to as “the Reporting Periods.” MMC also shall submit to HHS Annual Reports with respect to the status of implementations and findings regarding MMC’s compliance with this CAP for each of the two (2) annual Reporting Periods. MMC shall submit each Annual Report to HHS no later than sixty (60) days after the end of each corresponding Reporting Period. The Annual Report shall include:

1. With respect to the training obligations set forth under Section V.H, a schedule, topic outline, description of the training, length of training session(s), and copies of the training materials for the training programs attended in accordance with this CAP during the Reporting Period that is the subject of the report, to the extent that such training was conducted during the Reporting Period;
2. An attestation signed by an officer of MMC attesting that he or she has made a reasonable inquiry regarding training and believes to the best of his or her knowledge, that, upon such inquiry, all workforce members who have access to PHI have completed the initial training required by this CAP and have executed the training certifications required by V.H.4, except as otherwise described in the Annual Report, to the extent that such training was conducted during the Reporting Period;
3. An attestation signed by an officer of MMC attesting that the Policies and Procedures are being implemented and have been distributed to all appropriate members of the workforce, to the extent that such Policies and Procedures were distributed during the Reporting Period;
4. An attestation signed by an officer of MMC attesting that he or she has made a reasonable inquiry regarding training and believes to the best of his or her knowledge, that, upon such inquiry, MMC is obtaining and maintaining written or electronic training certifications from all persons that require training that they received training pursuant to the requirements set forth in this CAP, except as otherwise described in the Annual Report, to the extent that such training was conducted during the Reporting Period;
5. A summary of Reportable Events (defined in Section V.G) identified during the Reporting Period, if any, and the status of any corrective and preventative action relating to all such Reportable Events;
6. An attestation signed by an officer of MMC listing all MMC locations (including locations and mailing addresses) and attesting that he or she has made a reasonable inquiry regarding CAP obligations and believes that, upon such inquiry, each such location has complied with the obligations of this CAP; and
7. An attestation signed by an officer of MMC attesting that he or she has reviewed the Annual Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.

VII.          Document Retention

MMC shall maintain for inspection and copying, and shall provide to OCR, upon request, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date.

VIII.          Breach Provisions

MMC is expected to fully and timely comply with all provisions contained in this CAP.

1. Timely Written Requests for Extensions

   MMC may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act required by this CAP. A “timely written request” is defined as a request in writing received by HHS at least five (5) days prior to the date such an act is required or due to be performed. The requirement may be waived by OCR only.

2. Notice of Breach of this CAP and Intent to Impose Civil Monetary 

   The  parties agree that a breach of this CAP by MMC constitutes a breach of the Agreement.   Upon a determination by HHS that MMC has breached this CAP, HHS may notify MMC of: (1) MMC's breach; and (2) HHS' intent to impose a civil money penalty ('CMP") pursuant  to 45 C.F.R. Part 160, or other remedies for  the Covered Conduct set forth in paragraph 12  of  the Agreement and any other conduct that constitutes a violation of the HIP AA Privacy, Security, or  Breach Notification Rules ("Notice of Breach and Intent to Impose CMP'').

3. MMC's 

   MMC shall have ninety (90) days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS' satisfaction, which shall not be unreasonably withheld, that:

   1. MMC is in compliance with the obligations of the CAP that HHS cited as the basis for the breach;
   2. The alleged breach has been cured; or
   3. The alleged breach cannot be cured within the ninety (90) calendar day period, but that: (a) MMC has pegun to take action to cure the breach; (b) l'v1l\1C is pursuing such action with due diligence; and (c) MMC has provided to HHS a reasonable timetable for curing the breach.

4. Imposition of CMP.

   If at the conclusion of the ninety (90) calendar day period, MMC fails to meet the requirements of Section VIII.C. of this CAP to HHS' satisfaction, HHS may proceed with the imposition of a CMP against MMC pursuant to 45 C.F.R. Part 160 for  any violations of the HIPAA Rules described  in the Covered Conduct set forth in paragraph I.2 of the Agreement and for any other act or failure to act that constitutes a violation of the HIPAA Rules. HHS shall notify MMC in writing of its determination to proceed with the imposition of a CMP pursuant to 45 C.F.R. Part 160. 1\1:MC reserves all rights to dispute HHS' determination, in law and equity. HHS must offset any CMP amount levied under this section by the amounts already paid by MMC in lieu of CMPs under the Agreement. Any such offset will apply only to Covered Conduct up to and including the Effective Date.

Signatures

For Montefiore Medical Center

/s/

Christopher Panczner
Senior Vice President and Chief Legal Officer
Montefiore Medical Center

Date: November 16, 2023

For the U.S. Department of Health and Human Services

/s/

Linda C. Colón, Regional Manager
Eastern and Caribbean Region
Office for Civil Rights

Date: November 17, 2023

Endnotes

¹ Environmental controls may include fire suppression systems, water prevention systems (e.g., drainage, raised floors), power supply, climate control, etc.