Northeast Surgical Group Resolution Agreement and Corrective Action Plan

RESOLUTION AGREEMENT

I. Recitals

  1. Parties. The Parties to this Resolution Agreement (“Agreement”) are:
    1. The United States Department of Health and Human Services, Office for Civil Rights (“HHS”), which enforces the Federal standards that govern the privacy of individually identifiable health information (45 Code of Federal Regulations (“C.F.R.”) Part 160 and Subparts A and E of Part 164, “the Privacy Rule”), the Federal standards that govern the security of electronic individually identifiable health information 45 F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the Federal standards for notification in the case of breach of unsecured protected health information (“PHI”) (45 C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”). HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates, and covered entities and business associates must cooperate with HHS compliance reviews and investigations. See 45 C.F.R. §§ 160.306(c), 160.308, and 160.310(b).

    2. Northeast Surgical Group, P.C. (NESG) is a covered entity, as defined at 45 C.F.R. § 160.103, and therefore is required to comply with the HIPAA Rules.

    HHS and NESG shall together be referred to herein as the “Parties.”

  2. Factual Background and Covered Conduct. OCR initiated an investigation of NESG following the receipt of NESG’s breach report on March 6, 2023. NESG’s breach report stated that it experienced a ransomware breach in January 2023 affecting as many as 15,298 individuals, which represents its entire patient population.

    OCR’s investigation of NESG revealed the following Covered Conduct occurred:

    1. NESG fails to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all its electronic PHI (ePHI). See 45 C.F.R. § 164.308(a)(1)(ii)(A).
  3. No Admission. This Agreement is not an admission of liability by NESG.
  4. No Concession. This Agreement is not a concession by HHS that NESG is not in violation of the HIPAA Rules and not liable for civil money penalties (“CMPs”).
  5. Intention of Parties to Effect Resolution. This Agreement is intended to resolve OCR Transaction Number 23-519759 and any potential violations of the HIPAA Rules related to the Covered Conduct specified in paragraph I.2 of this Agreement. In consideration of the Parties’ interest in avoiding uncertainty, burden, and expense of further investigation and formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below.

II. Terms and Conditions

  1. Payment. HHS has agreed to accept, and NESG has agreed to pay HHS, the amount of $10,000 (“Resolution Amount”). NESG agrees to pay the Resolution Amount in one lump sum on the Effective Date of this Agreement as defined in paragraph 14 pursuant to written instructions to be provided by HHS.
  2. Corrective Action Plan. NESG has entered into and agrees to comply with the Corrective Action Plan (“CAP”), attached as Appendix A, which is incorporated into this Agreement by reference. If NESG breaches the CAP and fails to cure the breach as set forth in the CAP, then NESG will be in breach of this Agreement and HHS will not be subject to the Release set forth in paragraph II.8 of this Agreement.
  3. Release by HHS. In consideration and conditioned upon NESG’s performance of its obligations under this Agreement, HHS releases NESG from any actions it may have against NESG under the HIPAA Rules arising out of or related to the Covered Conduct identified in paragraph I.2 of this Agreement. HHS does not release NESG from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct and referred to in this paragraph. This release does not extend to actions that may be brought under Section 1177 of the Social Security Act, 42 United States Code (“U.S.C.”) § 1320d-6.
  4. Agreement by Released Parties. NESG shall not contest the validity of its obligations to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. NESG waives all procedural rights granted under Section 1128A of the Social Security Act (42 U.S.C. § 1320a- 7a) and 45 C.F.R. Part 160 Subpart E, and HHS claims collection regulations at 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount.
  5. Binding on Successors. This Agreement is binding on NESG and its successors, heirs, transferees, and assigns.
  6. Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement.
  7. No Additional Releases. This Agreement is intended to be for the benefit of the Parties only, and by this instrument the Parties do not release any claims against any other person or entity.
  8. Effect of Agreement. This Agreement constitutes the complete agreement between the All material representations, understandings, and promises of the Parties are contained in this Agreement. Any modifications to this Agreement shall be set forth in writing and signed by all Parties.
  9. Execution of Agreement and Effective Date. The Agreement shall become effective (i.e., final and binding) upon the date of signing of this Agreement and the CAP by the last signatory (“Effective Date”).
  10. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a CMP must be imposed within six years from the date of the occurrence of the violation. To ensure that this six-year period does not expire during the term of this Agreement, NESG agrees that the time between the Effective Date of this Agreement and the date the Agreement may be terminated by reason of NESG’s breach plus one year thereafter, will not be included in calculating the six-year statute of limitations applicable to the violations which are the subject of this Agreement. NESG waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the Covered Conduct identified in paragraph I.2 that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Agreement.
  11. Disclosure. HHS places no restriction on the publication of the Agreement.
  12. Execution in Counterparts. This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement.
  13. Authorizations. The individual(s) signing this Agreement on behalf of NESG represents and warrants that they are authorized by NESG to execute this Agreement. The individual(s) signing this Agreement on behalf of HHS represent and warrant that they are signing this Agreement in their official capacities and that they are authorized to execute this Agreement.

For Northeast Surgical Group P.C.

/s/

Roy E. Hanks II, D.O.
Director of Robotic Surgery

Dated: 11/14/2024

For the United States Department of Health and Human Services

/s/

Andrea Oliver
Regional Manager, Rocky Mountain Region
Office for Civil Rights

Dated: 11/15/2024

Appendix A
CORRECTIVE ACTION PLAN
BETWEEN THE
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES
AND
NORTHEAST SURGICAL GROUP, PC

I. Preamble

Northeast Surgical Group, PC (hereinafter known as “NESG”) hereby enters into this Corrective Action Plan (“CAP”) with the United States Department of Health and Human Services, Office for Civil Rights (“HHS”). Contemporaneously with this CAP, NESG is entering into the Resolution Agreement (“Agreement”) with HHS, and this CAP is incorporated by reference into the Agreement as Appendix A. NESG enters into this CAP as part of consideration for the release set forth in paragraph II.8 of the Agreement.

II. Contact Persons and Submissions

  1. Contact Persons.

    NESG has identified the following individual as its authorized representative and contact person regarding the implementation of this CAP and for receipt and submission of notifications and reports:

    Roy E. Hanks II, D.O.
    Northeast Surgical Group, PC 
    17375 Hall Road
    Macomb Township, Michigan 48044 Telephone: (586) 228-0550
    Email: reh@nesg.com

    HHS has identified the following individual as its authorized representative and contact person with whom NESG is to report information regarding the implementation of this CAP:

    Andrea Oliver, Regional Manager
    U.S. Department of Health and Human Services
    Office for Civil Rights – Rocky Mountain Region
    1961 Stout Street, Room 08.148
    Denver, Colorado 80294
    Telephone: (303) 844-7915
    Facsimile: (303) 844-2025
    Email: Andrea.Oliver@hhs.gov

    NESG and HHS agree to promptly notify each other of any changes to the contact persons or other information provided above.

  2. Proof of Submissions.

    Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including certified mail, overnight mail, or hand delivery, provided that there is proof that such notification were received. For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt.

III. Effective Date and Term of CAP

The Effective Date for this CAP shall be calculated in accordance with paragraph II.14 of the Agreement (“Effective Date”). The period for compliance (“Compliance Term”) with the obligations assumed by NESG under this CAP shall begin on the Effective Date of this CAP and end two (2) years from the Effective Date, unless HHS has notified NESG under Section VIII hereof of its determination that NESG breached this CAP. In the event of such notification by HHS under Section VIII hereof, the Compliance Term shall not end until HHS either (1) notifies NESG that it has determined the breach has been cured or (2) notifies NESG under Section VIII.D hereof that it will seek imposition of a CMP. After the Compliance Term ends, NESG shall still be obligated to submit the final Annual Report as required by Section VI and comply with the document retention requirement in Section VII. Nothing in this CAP is intended to eliminate or modify NESG’s obligation to comply with the documentation retention requirements in 45 Code of Federal Regulations (“C.F.R.”) §§ 164.316(b) and 164.530(j).

IV. Time

In computing any period of time prescribed or allowed by this CAP, all days referred to shall be calendar days. The day of the act, event, or default from which the designated period of time begins to run shall not be included. The last day of the period so computed shall be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day which is not one of the aforementioned days.

V. Corrective Action Obligations

NESG agrees to the following:

  1. Scope and Methodology
    1. Within sixty (60) days of the Effective Date, NESG shall provide to HHS a Statement of Work (“SOW”) for the Risk Analysis outlined in B. below. Within sixty (60) days of its receipt of NESG’s Risk Analysis SOW, if HHS identifies deficiencies in the Risk Analysis SOW, HHS shall provide NESG with written technical assistance, as necessary, such as through suggested edits to the SOW, so that NESG may revise its SOW accordingly. Within thirty (30) days of HHS providing such written technical assistance, if any, the Parties shall meet and confer in good faith to determine the deadline by which NESG shall submit a revised SOW for HHS review. Within thirty (30) days of NESG submitting any such revised SOW, the Parties shall meet and confer in good faith to determine the deadline by which HHS shall review the revised SOW and provide NESG with written technical assistance, if any. This submission and review process shall continue until HHS approves the SOW.
  2. Risk Analysis
    1. NESG shall conduct an accurate and thorough Risk Analysis of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (“ePHI”) created, received, maintained, or transmitted by NESG or on its behalf. The Risk Analysis shall incorporate NESG’s facilities, whether owned or rented, and evaluate the risks to the ePHI on its electronic equipment, data systems, and applications controlled, administered, or owned by NESG that create, receive, maintain, or transmit ePHI. NESG’s Risk Analysis, shall include an updated inventory of all its categories of electronic equipment, data systems, and applications that create, receive, maintain, or transmit ePHI. Within one hundred twenty (120) days of HHS’s final approval of the Risk Analysis SOW under Section V.A., NESG shall submit the Risk Analysis to HHS for review and approval.
    2. Upon receiving HHS’s notice of any required revisions to the Risk Analysis, NESG shall have sixty (60) days in which to revise its Risk Analysis accordingly, and then shall continue to make such revisions until HHS approves the Risk Analysis.
    3. NESG shall review its Risk Analysis annually (or more frequently, if appropriate) and shall promptly conduct an evaluation, and update the Risk Analysis, as necessary, in response to environmental or operational changes affecting the security of ePHI throughout NESG. Following any updates to its Risk Analysis, NESG shall assess whether its existing security measures are sufficient to protect its ePHI and revise its Risk Management Plan, policies and procedures, training materials, and implement additional security measures as needed.
  3. Risk Management
    1. Within ninety (90) days of HHS’s final approval of the Risk Analysis conducted pursuant to Section V.A above, NESG shall provide HHS with a Risk Management Plan that addresses and mitigates the security risks and vulnerabilities identified in the Risk Analysis for HHS’s review and approval. The Risk Management Plan shall include a process and timeline for NESG’s implementation, evaluation, and revision of their risk mitigation activities.
    2. Upon receiving notice from HHS specifying any required revisions to the Risk Management Plan, NESG shall have sixty (60) days in which to revise its Risk Management Plan accordingly, and then shall continue to make such revisions until HHS approves the Risk Management Plan.
    3. NESG shall promptly implement the Risk Management Plan upon HHS’s final approval in accordance with NESG’s applicable administrative procedures.
  4. Policies and Procedures
    1. Security Management Process
      1. NESG shall, to the extent necessary, revise its current policies and procedures relating to Risk Analysis and the implementation of the Risk Management Plan, as required by Sections A and V.B, respectively. Further, NESG shall create and implement policies and procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports. Such policies and procedures must comply with the HIPAA Rules.
      2. Within thirty (30) days of HHS’s approval of NESG’s Risk Management Plan under Section V.B., NESG shall submit copies of the policies and procedures required by Section V.C.1.a to HHS for review and approval. Upon receiving any such notice of required revisions to such policies and procedures from HHS, NESG shall have sixty (60) days in which to revise the policies and procedures accordingly and submit the revised policies and procedures to HHS for review and approval. The submission and review process shall continue until HHS approves such policies and procedures.
      3. Within thirty (30) days of HHS’s approval of the revised policies and procedures required by Section V.C.1.a, NESG shall finalize and officially adopt them in accordance with its applicable administrative procedures.
  5. Training on Policies and Procedures
    1. Within ninety (90) days of HHS’s final approval of NESG’s revised HIPAA Policies and Procedures required in Section C.1.a., NESG shall forward copies of its proposed training materials on its revised policies and procedures for purposes of compliance with Section VI.B.3 below, to HHS for review and approval.
    2. Upon receiving any required revisions to the training materials from HHS, NESG shall have thirty (30) days in which to revise the training materials, and then submit the revised training materials to HHS for review and approval.
    3. Within sixty (60) days of HHS’s approval of the training materials, NESG shall ensure that: a) all workforce members who use or disclose PHI have received such training; b) these workforce members will continue to receive such training annually; and c) NESG will provide each of its new workforce members such training within fifteen (15) days of beginning work at Further, NESG shall obtain and maintain written or electronic training certifications from all persons who are required to attend training under this CAP.
    4. NESG shall review the training materials annually, and, where appropriate, update the training to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, and any other relevant developments.

VI. Implementation Report and Annual Reports

  1. Implementation Report.

    Within one hundred and twenty (120) days after HHS approves the policies and procedures, as specified in Section V.C above, NESG shall submit a written report with the documentation described below to HHS for review and approval (“Implementation Report”). The Implementation Report shall include an attestation signed by the NESG Managing Partner attesting that:

    1. NESG is implementing the Risk Management Plan, and documentation indicating the date of implementation.
    2. NESG is implementing the policies and procedures in Section V.C., and the date of implementation.
    3. All NESG workforce members have participated in the training required in Section D.
    4. She/He has reviewed the Implementation Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.
  2. Annual Reports. The one-year period after the Effective Date and each subsequent one- year period during the course of the Compliance Term shall be known as a “Reporting Period.” Within sixty (60) days after the close of each corresponding Reporting Period, NESG shall submit a report or reports to HHS regarding NESG’s compliance with this CAP for each corresponding Reporting Period (“Annual Report”). The Annual Report shall include:
    1. A copy of the schedule, topic outline, and training materials for the training programs provided during the Reporting Period that is the subject of the Annual Report;
    2. An attestation signed by the NESG Managing Partner attesting that:
      1. NESG is obtaining and maintaining written or electronic training certifications from all persons who are required to attend training under this CAP; and
      2. Any revision(s) to the policies and procedures required by Section C., were finalized and adopted within thirty (30) days of HHS’s approval of the revision(s), which shall include a statement affirming that NESG distributed the revised policies and procedures to all appropriate workforce members within sixty (60) days of HHS’s approval of the revision(s); and
    3. A summary of Reportable Events, if any, the status of any corrective action and preventative action(s) relating to all such Reportable Events, or an attestation signed by the NESG Managing Partner stating that no Reportable Events occurred during the Compliance Term.

VII. Document Retention

NESG shall maintain for inspection and copying, and shall provide to HHS, upon request, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date.

VIII. Breach Provisions

NESG is expected to fully and timely comply with all provisions contained in this CAP.

  1. Timely Written Requests for Extensions

    NESG may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act required by this CAP. A “timely written request” is defined as a request in writing received by HHS at least five (5) days prior to the date such an act is required or due to be performed. This requirement may be waived by HHS only.

  2. Notice of Breach of this CAP and Intent to Impose Civil Monetary Penalty

    The parties agree that a breach of this CAP by NESG constitutes a breach of the Agreement. Upon a determination by HHS that NESG has breached this CAP, HHS may notify NESG’s Contact of: (1) NESG’s breach; and (2) HHS’s intent to impose a Civil Money Penalty (“CMP”) pursuant to 45 C.F.R. Part 160, or other remedies for the Covered Conduct set forth in paragraph I.5 of the Agreement and any other conduct that constitutes a violation of the HIPAA Privacy, Security, or Breach Notification Rules (“Notice of Breach and Intent to Impose CMP”).

  3. NESG’s Response

    NESG shall have thirty (30) days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS’s satisfaction that:

    1. NESG is in compliance with the obligations of the CAP that HHS cited as the basis for the breach;
    2. The alleged breach has been cured; or
    3. The alleged breach cannot be cured within the thirty (30) day period, but that: (a) NESG has begun to take action to cure the breach; (b) NESG is pursuing such action with due diligence; and (c) NESG has provided to HHS a reasonable timetable for curing the breach.
  4. Imposition of CMP

    If at the conclusion of the thirty (30) day period, NESG fails to meet the requirements of Section VIII.C of this CAP to HHS’s satisfaction, HHS may proceed with the imposition of a CMP against NESG pursuant to 45 C.F.R. Part 160 for any violations of the HIPAA Rules applicable to the Covered Conduct set forth in paragraph I.2 of the Agreement and for any other act or failure to act that constitutes a violation of the HIPAA Rules. HHS shall notify NESG’s Contact in writing of its determination to proceed with the imposition of a CMP pursuant to 45 C.F.R. Part 160. HHS must offset any CMP amount levied under this section by the amounts already paid by NESG in lieu of CMPs under this Resolution Agreement. Any such offset will apply only to Covered Conduct up to and including the Effective Date.

For Northeast Surgical Group, P.C.

/s/

Roy E. Hanks II, D.O.
Director of Robotic Surgery
Northeast Surgical Group, PC

Dated: 11/14/2024

For United States Department of Health and Human Services

/s/

Andrea Oliver
Regional Manager, Rocky Mountain Region
Office for Civil Rights

Dated: 11/15/2024

Content created by Office for Civil Rights (OCR)
Content last reviewed