Solara Medical Supplies, LLC Resolution Agreement and Corrective Action Plan

RESOLUTION AGREEMENT

I.     Recitals

1. Parties. The Parties to this Resolution Agreement (“Agreement”) are:
   1. The United States Department of Health and Human Services, Office for Civil Rights (“HHS”), which enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the Federal standards for notification in the case of breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”). HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates, and covered entities and business associates must cooperate with HHS compliance reviews and investigations. See 45 C.F.R. §§ 160.306(c), 160.308, and 160.310(b).
   2. Solara Medical Supplies, LLC (“Solara”) is a Covered Entity as defined at 45 C.F.R. § 160.103, and therefore is required to comply with the HIPAA Rules. Solara is a supplier and direct-to-patient distributer of continuous glucose monitors (“CGM”), insulin pumps, and other supplies to patients with diabetes.
2. Factual Background and Covered Conduct.
   On November 13, 2019, Solara reported to HHS that an unauthorized third party gained access to eight employee email accounts as a result of a targeted phishing attack from April to June 2019, and that the compromised email accounts contained electronic protected health information (ePHI). It was determined that 114,007 individuals were potentially affected by this breach. The ePHI involved in this breach included names, addresses, dates of birth, driver’s license numbers, Social Security numbers, credit and debit card information, bank account numbers, driver’s license, state ID, passport information, patient account login information, billing and claims information, Medicare ID, Medicaid ID, diagnosis and conditions information, medication, treatment information, medical information, and health insurance information. Not all potentially affected individuals’ impacted data included all types of the foregoing information.
   
   On January 17, 2020, Solara reported another breach to HHS that resulted when notification letters relating to the phishing incident were sent to wrong mailing addresses, resulting in the disclosure of the protected health information consisting of demographic information of 1,531 individuals.  The “Covered Conduct” as that term is defined in this Agreement is applicable solely to Solara, as a legal entity and Covered Entity. 
   
   HHS’s investigation of both breach incidents indicated potential violations of the following provisions of the HIPAA Rules (“Covered Conduct”):
   1. The impermissible disclosure of the ePHI of 114,007 individuals whose information was maintained in Solara’s compromised email accounts and of the PHI consisting of demographic information belonging to 1,531 individuals that was disclosed as a result of the mis-mailing of notification letters. (See 45 C.F.R. § 164.502(a)).
   2. The requirement to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by Solara. (See 45 C.F.R. § 164.308(a)(1)(ii)(A)).
   3. The requirement to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a). (See 45 C.F.R. § 164.308(a)(1)(ii)(B)).
   4. Following its discovery of a breach of PHI on June 28, 2019, Solara did not provide timely notification to each individual whose unsecured PHI had been or was reasonably believed by Solara to have been, accessed, acquired, used, or disclosed as a result of such breach, without unreasonable delay and in no case later than60 calendar days after discovery of the breach. (See 45 C.F.R. § 164.404).
   5. Following its discovery of a breach of PHI involving more than 500 residents of a State or jurisdiction on June 28, 2019, Solara did not provide timely notification to prominent media outlets serving the State or jurisdiction that unsecured PHI has been or is reasonably believed by Solara to have been, accessed, acquired, used, or disclosed as a result of such breach without unreasonable delay and in no case later than60 calendar days after the discovery of the breach. (See 45 C.F.R. § 164.406).
   6. Following its discovery of a breach of PHI involving more than 500 individuals, Solara did not provide timely notification to the HHS Secretary without unreasonable delay and in no case later than60 calendar days after the discovery of the breach. (See 45 C.F.R. § 164.408).
3. No Admission. This Agreement is not an admission, concession or evidence of liability by Solara, or of any fact or any violation of law, rule, or regulation, including any violation of HIPAA Rules.
4. No Concession. This Agreement is not a concession by HHS that Solara is not in violation of the HIPAA Rules and not liable for civil money penalties (“CMPs”).
5. Intention of Parties to Effect Resolution. This Agreement is intended to resolve HHS 
   Transaction Numbers: 20-364379 and 20-371035 and any potential violations of the HIPAA Rules related to the Covered Conduct associated with the compliance review and investigation specified in paragraph I.2 of this Agreement. In consideration of the Parties’ interest in avoiding the uncertainty, burden, and expense of further investigation and formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below.

II.     Terms and Conditions

6. Payment. HHS has agreed to accept, and Solara has agreed to pay HHS, the amount of $3,000,000 (“Resolution Amount”). Solara agrees to pay the Resolution Amount within ten (10) days of the Effective Date of this Agreement as defined in paragraph II.14 pursuant to written instructions to be provided by HHS.
7. Corrective Action Plan. Solara has entered into and agrees to comply with the Corrective Action Plan (“CAP”), attached as Appendix A, which is incorporated into this Agreement by reference. If Solara breaches the CAP and fails to cure the breach as set forth in the CAP, then Solara will be in breach of this Agreement and HHS will not be subject to the Release set forth in paragraph II.8 of this Agreement.
8. Release by HHS. In consideration of and conditioned upon Solara’s performance of its obligations under this Agreement, HHS releases Solara from any actions it may have against Solara under the HIPAA Rules arising out of or related to the Covered Conduct associated with the compliance review identified in paragraph I.2 of this Agreement. HHS does not release Solara from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct associated with the compliance review and referred to in this paragraph. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
9. Agreement by Released Parties. Solara shall not contest the validity of its obligation to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. Solara waives all procedural rights granted under Section 1128A of the Social Security Act (42 U.S.C. § 1320a- 7a) and 45 C.F.R. Part 160 Subpart E, and HHS claims collection regulations at 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount.
10. Binding on Successors. This Agreement is binding on Solara and its successors, heirs, transferees, and assigns.
11. Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement.
12. No Additional Releases. This Agreement is intended to be for the benefit of the Parties only, and by this instrument the Parties do not release any claims against or by any other person or entity.
13. Effect of Agreement. This Agreement constitutes the complete agreement between the Parties. All material representations, understandings, and promises of the Parties are contained in this Agreement. Any modifications to this Agreement shall be set forth in writing and signed by all Parties.
14. Execution of Agreement and Effective Date. The Agreement shall become effective (i.e., final and binding) upon the date of signing of this Agreement and the CAP by the last signatory (“Effective Date”).
15. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a CMP must be imposed within six (6) years from the date of the occurrence of the violation. To ensure that this six-year period does not expire during the term of this Agreement, Solara agrees that the time between the Effective Date of this Agreement (as set forth in Paragraph 14) and the date the Agreement may be terminated by reason of Solara’s breach, plus one-year thereafter, will not be included in calculating the six (6) year statute of limitations applicable to the violations which are the subject of this Agreement. Solara waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the Covered Conduct associated with the compliance review identified in paragraph I.2 that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Agreement.
16. Disclosure. HHS places no restriction on the publication of the Agreement.
17. Execution in Counterparts. This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement.
18. Authorizations. The individual(s) signing this Agreement on behalf of Solara represent and warrant that they are authorized by Solara to execute this Agreement. The individual(s) signing this Agreement on behalf of HHS represent and warrant that they are signing this Agreement in their official capacities and that they are authorized to execute this Agreement.

For Solara Medical Supplies, LLC

/s/
Wendy Russalesi, Chief Compliance Officer

Dated: 12/11/2024

For the United States Department of Health and Human Services

/s/
Michael Leoz, Regional Manager
Office for Civil Rights, Pacific Region

Dated: 12/11/2024

APPENDIX A

CORRECTIVE ACTION PLAN

BETWEEN THE

U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES

AND

SOLARA MEDICAL SUPPLIES, LLC

I.     Preamble

Solara Medical Supplies, LLC (Solara) hereby enters into this Corrective Action Plan (“CAP”) with the United States Department of Health and Human Services, Office for Civil Rights (“HHS”). Contemporaneously with this CAP, Solara is entering into a Resolution Agreement (“Agreement”) with HHS, and this CAP is incorporated by reference into the Resolution Agreement as Appendix A. Solara enters into this CAP as part of consideration for the release set forth in paragraph II.8 of the Agreement.

II.    Contact Persons and Submissions

A.    Contact Persons

Solara has identified the following individual as its authorized representative and contact person regarding the implementation of this CAP and for receipt and submission of notifications and reports:

Wendy Russalesi, Chief Compliance Officer 
Solara Medical Supplies, LLC
2084 Otay Lakes Rd #102
Chula Vista, CA 91913

HHS has identified the following individual as its authorized representative and contact person with whom Solara is to report information regarding the implementation of this CAP:

Annette Tagliaferro, Investigator
Department of Health and Human Services
Office for Civil Rights
90 7th Street, Suite 4-100
San Francisco, California 94103-6705

Solara and HHS agree to promptly notify each other of any changes in the contact persons or the other information provided above.

B.    Proof of Submissions. Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including e-mail, certified mail, overnight mail, or hand delivery, provided that there is proof that such notification was received. For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt.

III.    Effective Date and Term of CAP

The Effective Date for this CAP shall be calculated in accordance with paragraph II.14 of the Agreement (“Effective Date”). The period for compliance (“Compliance Term”) with the obligations assumed by Solara under this CAP shall begin on the Effective Date of this CAP and end two (2) years from the Effective Date, unless HHS has notified Solara under Section VIII hereof of its determination that Solara breached this CAP.  In the event of such notification by HHS under Section VIII hereof, the Compliance Term shall not end until HHS notifies Solara that it has been determined that the breach has been cured.  After the Compliance Term ends, Solara shall still be obligated to: (a) submit the final Annual Report as required by section VI; and (b) comply with the document retention requirement in section VII. Nothing in this CAP is intended to eliminate or modify Solara’s obligation to comply with the document retention requirements in 45 C.F.R. § 164.316(b) and § 164.530(j).

IV.    Time

In computing any period of time prescribed or allowed by this CAP, all days referred to shall be calendar days. The day of the act, event, or default from which the designated period of time begins to run shall not be included. The last day of the period so computed shall be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day which is not one of the aforementioned days.

V.  Corrective Action Obligations.

Solara agrees to the following:

A.    Conduct a Risk Analysis

1. Solara shall conduct and complete an accurate, thorough, enterprise-wide analysis of risks and vulnerabilities that incorporates all risks to Solara’s ePHI related to electronic equipment, data systems, programs, and applications, including any that may receive or access ePHI from systems, programs, and applications controlled, administered, owned, or shared by Solara’s affiliates. As part of this process, Solara shall develop a complete inventory of all electronic equipment, data systems, media, off-site data storage facilities, and applications that contain or store ePHI, which will then be incorporated in its Risk Analysis.

2. Within ninety (90) days of the Effective Date, Solara shall submit to HHS the scope and methodology by which it proposes to conduct the Risk Analysis. Within fifteen (15) days of its receipt, HHS shall notify Solara in writing whether the proposed scope and methodology is or is not consistent with 45 C.F.R. § 164.308 (a)(l)(ii)(A). Solara shall provide the Risk Analysis, consistent with paragraph V.A.l., to HHS within one hundred eighty (180) days of HHS’s approval of the scope and methodology described in paragraph V.A.2 for HHS’s review.

3. Upon submission by Solara, HHS shall review and recommend changes to the aforementioned risk analysis within thirty (30) days. If HHS requires revisions to the Risk Analysis, HHS shall provide Solara with a detailed, written explanation of such required revisions and with comments and recommendations in order for Solara to be able to prepare a revised Risk Analysis. Upon receiving HHS’s recommended changes, Solara shall have sixty (60) calendar days to submit a revised risk analysis. This process will continue until HHS provides final approval of the risk analysis, within thirty (30) days of Solara’s resubmission.

B.    Develop and Implement a Risk Management Plan

1. Solara shall develop an enterprise-wide Risk Management Plan to address and mitigate any security risks and vulnerabilities identified in the Risk Analysis specified in section V.A.1. above. The Risk Management Plan shall include a process and timeline for Solara’s implementation, evaluation, and revision of its risk remediation activities.

2. Within Sixty (60) days of HHS’s final approval of the Risk Analysis described in section V.A.1 above, Solara shall submit a Risk Management Plan to HHS for HHS’s review and approval. Within thirty (30) days of its receipt of the Risk Management Plan, HHS shall approve, or, if necessary, require revisions to Solara’s Risk Management Plan.  If HHS requires revisions to the Risk Management Plan, HHS shall provide Solara’s Contact with detailed comments and recommendations in order for Solara to be able to prepare a revised Risk Management Plan.

3. Upon receiving HHS’s notice of required revisions, if any, Solara shall have sixty (60) days to revise the Risk Management Plan accordingly and forward for review and approval. This submission and review process shall continue until HHS approves the Risk Management Plan, which approval shall be provided within thirty (30) days of Solara’s resubmission.

4. Within sixty (60) days of HHS’s approval of the Risk Management Plan, Solara shall finalize and officially adopt the Risk Management Plan in accordance with its applicable administrative procedures.

C.     Policies and Procedures

1. As necessary and if not already provided to HHS, Solara shall develop, maintain, and revise its written policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information (45 C.F.R. Part 160 and Subparts A, C, D and E of Part 164, the “Privacy Rule”, “Security Rule”, and “Breach Notification Rule”). Solara’s policies and procedures shall include, but not be limited to, the minimum content set forth in section V.E.

2. As necessary and if not already provided to HHS, Solara shall provide such policies and procedures to HHS within (60) days of receipt of HHS’s approval of the Risk Management Plan required by paragraph V.B.1. above.

3. Upon receiving HHS’s written notice of required revisions, if any, Solara shall have sixty (60) days to revise the policies and procedures accordingly and provide the revised policies and procedures to HHS for review and approval. This process shall continue until HHS approves the policies and procedures which approval shall be given within fifteen (15) days of Solara’s resubmission.

4. Within thirty (30) days of HHS’s approval of the policies and procedures, Solara shall implement such policies and procedures.

5. Solara shall assess, update, and revise the policies and procedures, as needed. Solara shall provide such revised policies and procedures to HHS for review and approval, which approval shall be given within fifteen (15) days of HHS’s receipt. Within thirty (30) days of the effective date of any approved substantive revisions, Solara shall distribute such revised policies and procedures to all Solara workforce members and shall require new compliance certifications.

D.     Distribution of Policies and Procedures

1. Solara shall distribute the policies and procedures identified in section V.C. to all members of its workforce who have access to PHI within thirty (30) days of HHS’s approval of such policies and to new workforce members within thirty (30) days of their beginning of service.

2. Solara shall provide to HHS evidence of such distribution of the policies and procedures identified in Section V.D. to all members of the workforce.

3. Solara shall not provide access to PHI to any Solara workforce member if that workforce member has not received such Policies and Procedures.

E.    Minimum Content of the Policies and Procedures

The Policies and Procedures shall include measures to address the following Privacy, Security and Breach Notification Rule Provisions (the “Covered Policies and Procedures”):

1. Uses and Disclosures of PHI (45 C.F.R. § 164.502(a))
2. Risk Analysis (45 C.F.R. § 164.308(a)(1)(ii)(A))
3. Risk Management (45 C.F.R. § 164.308(a)(1)(ii)(B))
4. Information System Activity Review (45 C.F.R. § 164.308(a)(1)(ii)(D))
5. Person or Entity Authentication (45 C.F.R. § 164.312(d))
6. Encryption (45 C.F.R. § 164.312(e)(2)(ii))
7. Notification to Individuals (45 C.F.R. § 164.404(a))
8. Notification to the Media (45 C.F.R. § 164.406)
9. Notification to the Secretary (45 C.F.R. § 164.408)

F.    Training

1. As necessary given the requirements above, within thirty (30) days of HHS’s final approval of the policies and procedures required by section V.C. of this CAP, Solara shall augment its existing HIPAA and Security Training Program (“Training Program”). The Training Program shall include general instruction on compliance with Solara’s HIPAA policies and procedures and will be provided to those Solara workforce members to whom the policies and procedures apply, including all Solara workforce members who have access to PHI. Solara shall submit its proposed training materials on the policies and procedures to HHS for its review and approval. HHS shall approve, or, if necessary, require revisions which will be explained in writing to Solara’s Training Program within fifteen (15) days of its receipt of Solara’s Training Program.

2. Upon receiving HHS’s written notice of required revisions, if any, Solara shall have sixty (60) days to revise the Training Program accordingly and forward to HHS for review and approval. This process shall continue until HHS approves the Training Program, which HHS will do within fifteen (15) days of receipt of Solara’s submission or resubmission.

3. Within sixty (60) days after receiving HHS's final approval of the Training Program and as required by Solara’s policies and procedures, Solara shall provide training to all appropriate Solara workforce members within thirty (30) days of their beginning of service and in accordance with Solara’s applicable administrative procedures for training.

4. Solara shall provide to HHS evidence of such training. The training evidence shall specify the date training was received. All training materials shall be retained in compliance with Section VII of this CAP.Solara shall review the training at least annually, and where appropriate, update the training to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, and any other developments.

G.    Reportable Events

1. During the Compliance Term, Solara shall, upon sanctioning a Solara workforce Member as required by its policies and procedures for a failure to comply with the Covered Policies and Procedures, Solara shall notify in writing HHS within thirty (30) days. Such violations shall be known as Reportable Events. The report to HHS shall include the following:

a.     A complete description of the event, including the relevant facts, the persons involved, and the applicable provision(s) of the Covered Policies and Procedures implicated; and

b.     A description of the actions taken and any further steps Solara plans to take to address the matter to mitigate any harm, and to prevent it from recurring, including application of any appropriate sanctions against workforce members who failed to comply with the Covered Policies and Procedures.

2. If no Reportable Events occur during the Compliance term, Solara shall so inform HHS in the Annual Report as specified in Section VI below.

VI.    Implementation Report and Annual Reports

A.    Implementation Report. Within one hundred and twenty (120) days after receiving HHS’s approval of training materials consistent with Section V above, Solara shall submit a written report with the documentation described below to HHS summarizing the status of its implementation of this CAP for review and approval. The report, known as the “Implementation Report” shall include:

1. An attestation signed by an owner or officer of Solara attesting that the policies and procedures required by Section V of this CAP: (a) have been adopted; (b) are being implemented; and (c) have been distributed to all appropriate Solara workforce members;

2. A copy of all training materials used for the training required by this CAP, a description of the training, including a summary of the topics covered, the length of the session(s) and a schedule of when the training session(s) were held;

3. An attestation signed by an owner or officer of Solara attesting that they have made a reasonable inquiry regarding training and believes to the best of their knowledge, that, upon such inquiry, all members of Solara’s workforce have completed the initial training required by this CAP;

4. An attestation signed by an owner or officer of Solara listing all Solara locations (including mailing addresses), the corresponding name under which each location is doing business, the corresponding phone numbers and fax numbers, and attesting that they have made a reasonable inquiry regarding CAP obligations and believes that, upon such inquiry, each such location has complied with the obligations of this CAP; and

5. An attestation signed by an owner or officer of Solara stating that they have reviewed the Implementation Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.

B.    Annual Reports. The one (1) year period beginning on the Effective Date and each subsequent one (1) year period during the course of the period of compliance obligations shall be referred to as “the Reporting Periods.” Solara also shall submit to HHS Annual Reports with respect to the status of and findings regarding Solara’s compliance with this CAP for each Reporting Period. Solara shall submit each Annual Report to HHS no later than sixty (60) days after the end of each corresponding Reporting Period. The Annual Report shall include:

1. A schedule, topic outline, and copies of the training materials for the training programs attended in accordance with this CAP during the Reporting Period that is the subject of the report;

2. An attestation signed by an owner or officer of Solara attesting that they have made a reasonable inquiry regarding training and believes that, upon such inquiry, to the best of their knowledge, it is obtaining and maintaining written training certifications from all persons that require training that they received training pursuant to the requirements set forth in this CAP;

3. A summary of Reportable Events (defined in Section V.G.1) identified during the Reporting Period and the status of any corrective and preventative action relating to all such Reportable Events;

4. An attestation signed by an owner or officer of Solara attesting that they have reviewed the Annual Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.

VII.    Document Retention

Solara shall maintain for inspection and copying, and shall provide to HHS upon request, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date.

VIII.    Breach Provisions

Solara is expected to fully and timely comply with all provisions contained in this CAP.

A.    Timely Written Requests for Extensions

Solara may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act required by this CAP. A “timely written request” is defined as a request in writing received by HHS at least five days prior to the date such an act is required or due to be performed. This requirement may be waived by HHS only.

B.    Notice of Breach of this CAP and Intent to Impose Civil Monetary Penalty.The parties agree that a breach of this CAP by Solara constitutes a breach of the Agreement. Upon a determination by HHS that Solara has breached this CAP, HHS may notify Solara of: (1) Solara’s breach; and (2) HHS’s intent to impose a CMP pursuant to 45 C.F.R. Part 160, or other remedies for the Covered Conduct associated with the compliance review set forth in paragraph I.2 of the Agreement and any other conduct that constitutes a violation of the HIPAA Privacy, Security, or Breach Notification Rules (“Notice of Breach and Intent to Impose CMP”).

C.    Solara’s Response. Solara shall have sixty (60) days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS’s satisfaction that:

1. Solara is in compliance with the obligations of the CAP that HHS cited as the basis for the breach;

2. The alleged breach has been cured; or

3.The alleged breach cannot be cured within the sixty (60) day period, but that: (a) Solara has begun to take action to cure the breach; (b) Solara is pursuing such action with due diligence; and (c) Solara has provided to HHS a reasonable timetable for curing the breach.

D.    Imposition of CMP. If at the conclusion of the sixty (60) day period, Solara fails to meet the requirements of Section VIII.C. of this CAP to HHS’s satisfaction, HHS may proceed with the imposition of a CMP against Solara pursuant to 45 C.F.R. Part 160 for any violations of the Covered Conduct associated with the compliance review set forth in paragraph I.2 of the Agreement and for any other act or failure to act that constitutes a violation of the HIPAA Rules. HHS shall notify Solara in writing of its determination to proceed with the imposition of a CMP pursuant to 45 C.F.R. Part 160.  Solara reserves all rights to dispute HHS’s determination, in law and equity.  HHS will offset any CMP amount levied under this section by the amounts already paid by Solara in lieu of CMPs under the Agreement.  Any such offset apply only to Covered Conduct up to and including the Effective Date.

For Solara Medical Supplies, LLC

/s/
Wendy Russalesi, Chief Compliance Officer

Dated: 12/11/2024

For the United States Department of Health and Human Services

/s/
Michael Leoz, Regional Manager
Office for Civil Rights, Pacific Region

Dated: 12/11/2024