USR Holdings, LLC Resolution Agreement and Corrective Action Plan

RESOLUTION AGREEMENT

I. Recitals

1. Parties. The Parties to this Resolution Agreement (“Agreement”) are:
   1. The United States Department of Health and Human Services, Office for Civil Rights (“HHS”), which enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the Federal standards for notification in the case of breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”). HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates, and covered entities and business associates must cooperate with HHS compliance reviews and investigations. See 45 C.F.R. §§ 160.306(c), 160.308, and 160.310(b).
   2. USR Holdings, LLC (“USR”), which meets the definition of “business associate” under 45 C.F.R. § 160.103 and therefore is required to comply with the HIPAA Rules. USR conducts its operations from two physical addresses: (i) Corporate Office, 10521 SW Village Drive, Ste. 202, Port St. Lucie, FL 34987,¹ and (ii) Call Center, 1100 Park Central Blvd South, Ste. 2600B, Pompano Beach, FL 33064 (collectively, the “USR Facilities”).
   3. HHS and USR shall together be referred to herein as the “Parties.”

2. Factual Background and Covered Conduct

   On February 8, 2019, a business associate, USR Holdings, LLC (USR), filed a breach report with OCR on behalf of three covered entities stating that from December 8, 2018, through January 9, 2019, it discovered that, from August 23, 2018 through December 8, 2018, a database containing the electronic protected health information (ePHI) of 2,903 individuals was accessed by unauthorized third party individuals who were able to delete ePHI in the database. HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”):

   1. USR impermissibly disclosed the ePHI of 2,903 individuals, when unauthorized individuals impermissibly accessed the database and deleted ePHI. See 45 C.F.R. § 164.502(a).
   2. USR has not conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI it holds. See 45 C.F.R. § 308(a)(1)(ii)(A).
   3. USR had not implemented procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports, at the time of the breach. See 45 C.F.R. § 164.308(a)(1)(ii)(D).
   4. USR did not establish and implement procedures to create and maintain retrievable exact copies of ePHI. See 45 C.F.R. § 164.308(a)(7)(ii)(A).

    

3. No Admission. This Agreement is not an admission to the Covered Conduct or acknowledgment of liability by USR.
4. No Concession. This Agreement is not a concession by HHS that USR is not in violation of the HIPAA Rules and not liable for civil money penalties.
5. Intention of Parties to Effect Resolution. This Agreement is intended to resolve HHS transaction Number: 04-19-332481 and any violations of the HIPAA Rules related to the Covered Conduct specified in paragraph I.2 of this Agreement.  In consideration of the Parties’ interest in avoiding the uncertainty, burden, and expense of formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below.

II. Terms and Conditions

6. Payment. In consideration of the release and other obligations from HHS as set forth in Agreement, HHS has agreed to accept, and USR has agreed to pay HHS, the amount $337,750 (“Resolution Amount”) in resolution of the alleged violations and Covered Conduct as set forth in this Agreement. USR agrees to pay the Resolution Amount in one lump sum within thirty (30) days of the Effective Date of this Agreement as defined in paragraph II.14 by automated clearing house transaction pursuant to written instructions to be provided by HHS.
7. Corrective Action Plan. USR has entered into and agrees to comply with the Corrective Action Plan (“CAP”), attached as Appendix A, which is incorporated into this Agreement by reference. If USR breaches the CAP, and fails to cure the breach as set forth in the CAP, then USR will be in breach of this Agreement and HHS will not be subject to the Release set forth in paragraph II.8 of this Agreement and USR will not be subject to the agreement and waiver set forth in paragraph II.9 of this Agreement.
8. Release by HHS. In consideration of and conditioned upon USR’s performance of its obligations under this Agreement, HHS releases USR from any actions it may have against USR under the HIPAA Rules arising out of or related to the Covered Conduct identified in paragraph I.2 of this Agreement.  HHS does not release USR from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct and referred to in this paragraph.  This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
9. Agreement by Released Parties. Subject to paragraph II.7, USR shall not contest the validity of its obligation to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. USR waive all procedural rights granted under Section 1128A of the Social Security Act (42 U.S.C. § 1320a- 7a) and 45 C.F.R. Part 160 Subpart E, and HHS claims collection regulations at 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount.
10. Binding on Successors. This Agreement is binding on USR and its successors, heirs, transferees, and assigns.
11. Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement.
12. No Additional Releases. This Agreement is intended to be for the benefit of the Parties only and by this instrument the Parties do not release any claims against or by any other person or entity.
13. Effect of Agreement. This Agreement constitutes the complete agreement between the Parties.  All material representations, understandings, and promises of the Parties are contained in this Agreement.  Any modifications to this Agreement shall be set forth in writing and signed by all Parties. 
14. Execution of Agreement and Effective Date. The Agreement shall become effective (i.e., final and binding) upon the date of signing of this Agreement and the CAP by the last signatory (Effective Date).
15. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a civil money penalty (“CMP”) must be imposed within six years from the date of the occurrence of the violation. To ensure that this six-year period does not expire during the term of this Agreement, USR agrees that the time between the Effective Date of this Agreement and the date the Agreement may be terminated by reason of USR’s breach, plus one-year thereafter, will not be included in calculating the six (6) year statute of limitations applicable to the violations which are the subject of this Agreement.  USR waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the Covered Conduct identified in paragraph I.2 that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Agreement.
16. Disclosure. HHS places no restriction on the publication of the Agreement.  In addition, HHS may be required to disclose material related to this Agreement to any person upon request consistent with the applicable provisions of the Freedom of Information Act, 5 U.S.C. § 552, and its implementing regulations, 45 C.F.R. Part 5.
17. Execution in Counterparts. This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement. 
18. Authorizations. The individual(s) signing this Agreement on behalf of USR represents and warrants that they are authorized to execute this Agreement and bind USR, as set forth in paragraph I.1.b.  The individual(s) signing this Agreement on behalf of HHS represent and warrant that they are signing this Agreement in their official capacities and that they are authorized to execute this Agreement.

For USR Holdings, LLC

/s/

Laurel McGinnis, Director of Corporate Compliance
USR Holdings, LLC

Dated: 12/4/2024

For U.S. Department of Health and Human Services

/s/

Barbara Stampul
Regional Manager, Southeast Region
Office for Civil Rights

Dated: 12/4/2024

Appendix A

CORRECTIVE ACTION PLAN
BETWEEN THE
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES
AND
USR HOLDINGS, LLC

I. Preamble

USR Holdings, LLC (“USR”) hereby enters into this Corrective Action Plan (“CAP”) with the United States Department of Health and Human Services, Office for Civil Rights (“HHS”). Contemporaneously with this CAP, USR is entering into the Agreement with HHS, and this CAP is incorporated by reference into the Agreement as Appendix A.  USR enters into this CAP as part of consideration for the release set forth in paragraph II.8 of the Agreement.  Capitalized terms without definition in this CAP shall have the same meaning assigned to them under the Agreement.

II. Contact Persons and Submissions

1. Contact Persons

   The contact person for USR regarding the implementation of this CAP and for receipt and submission of notifications and reports (“USR Contact”) is:

   Laurel McGinnis, Director of Compliance Officer
   USR Holdings, LLC
   2000 Port St. Lucie Blvd.
   Port St. Lucie, FL 34952

   HHS has identified the following individual as its authorized representative and contact person with whom USR is to report information regarding the implementation of this CAP:

   Ms. Barbara Stampul, Regional Manager
   Office for Civil Rights, Southeast Region
   Department of Health and Human Services
   Sam Nunn Federal Building, Suite 16T70
   61 Forsyth Street, S.W.
   Atlanta, GA  30303

   USR and HHS agree to promptly notify each other of any changes in the contact person or the other information provided above.

2. Proof of Submissions. Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including certified mail, overnight mail, electronic mail, or hand delivery, provided that there is proof that such notification was received. The receiving party will acknowledge receipt of any electronic mail.  For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt.

III.       Effective Date and Term of CAP

The Effective Date for this CAP shall be calculated in accordance with paragraph II.14 of the Agreement (“Effective Date”). The period for compliance (“Compliance Term”) with the obligations assumed by USR under this CAP shall begin on the Effective Date of this CAP and end two (2) years from the Effective Date, unless HHS has notified USR under Section VIII hereof of its determination that USR breached this CAP.  In the event of such a notification by HHS under Section VIII hereof, the Compliance Term shall not end until HHS notifies USR that it has determined that the breach has been cured.  After the Compliance Term ends, USR shall still be obligated to: (a) submit the final Annual Report as required by section VI; and (b) comply with the document retention requirement in section VII. Nothing in this CAP is intended to eliminate or modify USR’s obligation to comply with the document retention requirements in 45 C.F.R. §§ 164.316(b) and 164.530(j).

IV. Time

In computing any period of time prescribed or allowed by this CAP, all days referred to shall be calendar days. The day of the act, event, or default from which the designated period of time begins to run shall not be included. The last day of the period so computed shall be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day which is not one of the aforementioned days.

V. Corrective Action Obligations

USR agrees to the following:

1. Risk Analysis and Risk Management
   1. USR shall conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of USR’s electronic protected health information (ePHI) (“Risk Analysis”). The Risk Analysis shall incorporate all USR Facilities and must include an evaluation of the risks to the security of ePHI in electronic equipment, information systems, devices and media, and applications controlled, administered or owned by USR, that contain, store, transmit, or receive ePHI. The Risk Analysis shall also include an assessment of the risks to ePHI security in the physical environment. 
   2. Within thirty (30) calendar days of the Effective Date, USR shall submit to HHS the scope and methodology by which it proposes to conduct the Risk Analysis. USR may submit the scope and methodology employed in a previously conducted risk analysis for HHS’s review and feedback or it may furnish a scope and methodology proposed by a third-party consultant. The scope of the Risk Analysis must include a complete inventory of all of USR’s facilities, categories of electronic equipment, information systems, devices and media, and applications that create receive, maintain or transmit PHI.
   3. Within thirty (30) days of its receipt, HHS shall provide USR with written technical assistance, feedback and recommendations, as necessary, so that USR may revise its scope and methodology to comply with the requirements of Section V.A.1. of the CAP. Within thirty (30) days of HHS providing such written technical assistance, if any, USR will revise and resubmit its scope and methodology to incorporate any technical assistance provided. This submission and review process shall continue until HHS approves of the scope and methodology.
   4. Within ninety (90) days of HHS’s approval of the scope and methodology of the Risk Analysis, USR shall conduct the Risk Analysis, consistent with Section V.A.1., and, subject to reasonable time for third-party preparation of a written report, shall furnish a draft report of the Risk Analysis to HHS for review. Within thirty (30) days of its receipt of USR’s draft Risk Analysis, HHS will provide USR with technical assistance, if any, for the submitted Risk Analysis in order to comply with the requirements of Section V.A.1. of the CAP. Upon receiving any recommended changes to the draft Risk Analysis, USR shall have thirty (30) days to revise the Risk Analysis and provide the revised Risk Analysis to HHS for review. This process shall continue until HHS determines the Risk Analysis has been completed in accordance with Section V.A.1. of the CAP.
   5. Within ninety (90) days of HHS’s approval of its Risk Analysis, USR shall develop a risk management plan sufficient to address and mitigate any security risks and vulnerabilities identified in the Risk Analysis described in section V.A. above (“Risk Management Plan”). The Risk Management Plan shall include a process and timeline for USR’s implementation, evaluation, and revision of risk remediation activities identified in the Risk Analysis, which may include the revision or development of new policies and procedures and the provision of workforce training.
   6. Within thirty (30) days of its receipt of USR’s submitted Risk Management Plan, HHS shall approve, or, if necessary, require revisions to USR’s Risk Management Plan to comply with the requirements of the Section V.A.5. of the CAP. Upon receiving HHS’s notice of required revisions, if any, USR shall have thirty (30) days to revise the Risk Management Plan accordingly and forward to HHS for review and approval. This process shall continue until HHS approves the Risk Management Plan.
   7. Within thirty (30) days of HHS’s approval of the Risk Management Plan, USR shall finalize and officially adopt the Risk Management Plan in accordance with its applicable administrative procedures.
   8. USR shall review its Risk Analysis annually. USR shall promptly update the Risk Analysis in response to environmental or operational changes affecting the security of ePHI, including the acquisition of new facilities. Following an update to the risk analysis, USR shall assess whether its existing security measures are sufficient to protect its ePHI, and revise its risk management plan, policies and procedures, and training materials, as needed.

2. Implement Process for Evaluating Environmental and Operational Changes

   Within one hundred twenty (120) days of the Effective Date, USR shall develop a process to evaluate any environmental or operational changes that affect the security of USR ePHI. HHS shall review and recommend changes to the process. Upon receiving HHS’ recommended changes, USR shall have sixty (60) days to provide a revised process to HHS for review and approval. USR shall implement its process, including distributing to workforce members with responsibility for performing such evaluations within ninety (90) days of HHS’ approval.

3. Policies and Procedures
   1. Based on the findings and recommendations of the Risk Analysis set forth in Section V.A.1-4, and the Risk Management Plan set forth in Section V.A.5-7, USR shall review and revise, and as necessary, develop, written policies and procedures to:
      1. implement security measures sufficient to reduce the risks and vulnerabilities identified in its Risk Analysis to a reasonable and appropriate level to comply with the Security Rule; and
      2. to comply with the Federal standards that govern the privacy and security of individually identifiable health information (45 C.F.R. Part 160 and Subparts A, C, D and E of Part 164, the “Privacy Rule”, “Security Rule”, and “Breach Notification Rule”, collectively the “HIPAA Rules.”) and ensure that USR’s policies and procedures include the minimum content set forth in section V.D.
   2. Within thirty (30) days of HHS’s approval of the Risk Management Plan identified in Section V.A. 5-7, USR shall provide relevant policies and procedures, consistent with paragraph 1 above, if any, to HHS for review and approval. Within thirty (30) days of its receipt, HHS shall provide USR with written technical assistance, feedback and recommendations, as necessary, so that USR may revise identified policies and procedures to comply with the recommendations of the Risk Analysis and Risk Management Plan. Within thirty (30) days of HHS providing such written technical assistance, if any, USR will revise and resubmit such policies and procedures to incorporate any technical assistance provided. This submission and review process shall continue until HHS approves of such policies and procedures.

4. Minimum Content of the Policies and Procedures

   The Risk Analysis and Risk Management Plan shall include a review of Policies and Procedures relating to the following provisions, standards, implementation specifications and obligations (“Covered Policies and Procedures”):

   Privacy Rule Provisions:

   1. Uses and Disclosures of PHI - 45 C.F.R. § 164.502(a)

   Security Rule Provisions:

   1. Administrative Safeguards, including all required and addressable implementation specifications – 45 C.F.R. § 164.308(a) and (b).
   2. Physical Safeguards, including all required and addressable implementation specifications – 45 C.F.R. § 164.310.
   3. Technical Safeguards, including all required and addressable implementation specifications – 45 C.F.R. § 164.312.
   4. Policies and Procedures and documentation requirements. – 45 C.F.R. § 164.316.

   Breach Notification Rule Provisions:

   1. Notification by a business associate, including all required and addressable implementation specifications – 45 C.F.R. §164.410.
5. Distribution and Updating of Policies and Procedures
   1. Within thirty (30) days of HHS’s approval of policies and procedures under Section V.C., USR shall distribute such updated policies and procedures to all members of the workforce and to new members of the workforce within fifteen (15) days of the beginning of service.
   2. USR shall require, at the time of distribution of the policies and procedures, a signed written or electronic initial compliance confirmation from all members of the workforce, indicating that the workforce members have read, understand, and shall abide by such policies and procedures.
   3. USR shall assess, update, and revise, as necessary, the policies and procedures. USR shall provide any revised Policies and Procedures to HHS for review and approval. Within 30 days of the effective date of any approved substantive revisions by HHS, USR shall distribute such revised policies and procedures to all members of its workforce and shall require new compliance certifications.
   4. USR shall not provide any member of its workforce with access to PHI if that workforce member has not signed or provided the written or electronic confirmation required by paragraphs 2 and 3 of this section.
6. Reportable Events
   1. During the Compliance Term, USR shall, upon learning that a workforce member likely failed to materially comply with the Covered Policies and Procedures described in Section V.D., promptly investigate this matter. If USR, after review and investigation, determines that a member of its workforce has failed to materially comply with Covered Policies and Procedures in a manner implicating the Covered Conduct, USR shall report such events to HHS as provided in Section VI.B.4. Such violations shall be known as Reportable Events. The report to HHS shall include the following:
      1. A complete description of the event, including the relevant facts, the persons involved, and the applicable provision(s) of USR’s Covered Policies and Procedures; and
      2. A description of the actions taken and any further steps USR plans to take to address the matter, to mitigate any harm, and to prevent it from recurring, including application of any appropriate sanctions against workforce members who failed to materially comply with its Covered Policies and Procedures.
   2. If no Reportable Events occur during the Compliance Term, USR shall so inform HHS in the Implementation Report as specified in Section VI below

VI. Implementation Report and Annual Reports

1. Implementation Report. Within sixty (60) days after HHS approves the policies and procedures required by section V.D. above, USR shall submit a written report with the documentation described below to HHS for review and approval ("Implementation Report"). The Implementation Report shall include:
   1. An attestation signed by an owner or officer of USR attesting that the policies and procedures are being implemented, have been distributed to all appropriate members of the workforce, and that USR has obtained all of the compliance certifications required by Sections V.F.2 and V.F.3;
   2. An attestation signed by an owner or officer of USR listing all USR locations (including locations and mailing addresses), the corresponding name under which each location is doing business, the corresponding phone numbers and fax numbers, and an attestation that each location has complied with the obligations of this CAP; and
   3. An attestation signed by an owner or officer of USR stating that he or she has reviewed the Implementation Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.
2. Annual Reports. The one-year period beginning on the Effective Date and each subsequent one-year period during the course of the period of compliance obligations shall be referred to as "the Reporting Periods." USR shall submit to HHS Annual Reports with respect to the status of and findings regarding USR’s compliance with this CAP for each of the two Reporting Periods. USR shall submit each Annual Report to HHS no later than 60 days after the end of each corresponding Reporting Period. The Annual Report shall include:
   1. An attestation signed by an owner or officer of USR attesting that the policies and procedures required by Section V of this CAP: (a) have been adopted; (b) are being implemented; and (c) have been distributed to all workforce members;
   2. A summary of Reportable Events (defined in Section V.G.1) identified during the Reporting Period and the status of any corrective and preventative action relating to all such Reportable Events;
   3. An attestation signed by an owner or officer of USR attesting that he or she has reviewed the Annual Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.

VII.     Document Retention

USR shall maintain for inspection and copying, and shall provide to HHS, upon request, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date.  

VIII.    Breach Provisions

USR is expected to fully and timely comply with all provisions contained in this CAP.

1. Timely Written Requests for Extensions.  USR may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act required by this CAP.  A “timely written request” is defined as a request in writing received by HHS at least five (5) days prior to the date such an act is required or due to be performed. This requirement may be waived by HHS only.
2. Notice of Breach of this CAP and Intent to Impose CMP. The Parties agree that a breach of this CAP by USR constitutes a breach of the Agreement.  Upon a determination by HHS that USR has breached this CAP, HHS may notify USR Contact of: (1) USR’s breach and the specific basis(es) for such position; and (2) HHS’ intent to impose a CMP pursuant to 45 C.F.R. Part 160, for the Covered Conduct set forth in paragraph I.2 of the Agreement and any other conduct that constitutes a violation of the HIPAA Privacy, Security, or Breach Notification Rules (“Notice of Breach and Intent to Impose CMP”).
3. USR’s Response.  If USR is named in a Notice of Breach and Intent to Impose CMP, USR shall have thirty (30) days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS’ satisfaction that:
   1. USR is in compliance with the obligations of the CAP that HHS cited as the basis for the breach;
   2. The alleged breach has been cured; or
   3. The alleged breach cannot be cured within the thirty (30) day period, but that USR: (a) has begun to take action to cure the breach; (b) is pursuing such action with due diligence; and (c) has provided to HHS a reasonable timetable for curing the

4. Imposition of CMP. If at the conclusion of the thirty (30) day period, USR fails to meet the requirements of section IX.C. of this CAP to HHS’ satisfaction, HHS may proceed with the imposition of a CMP against USR pursuant to the rights and obligations set forth in 45 C.F.R. Part 160 for any violations of the HIPAA Rules applicable to the Covered Conduct set forth in paragraph I.2 of the Agreement and for any other act or failure to act that constitutes a violation of the HIPAA Rules. HHS shall notify USR Contact in writing of its determination to proceed with the imposition of a CMP pursuant to 45 C.F.R. §§ 160.312(a)(3)(i) and (ii).  Upon receipt of such notice from HHS, USR’s obligations under this CAP shall terminate and USR shall have no further obligations under the CAP notwithstanding any other provision herein.

   USR reserves all rights to dispute HHS's determination, in law and equity. HHS must offset any CMP amount levied under this section by the amounts already paid by USR in lieu of CMPs under the Resolution Agreement. Any such offset will apply only to Covered Conduct up to and including the Effective Date. 

For USR Holdings, LLC

/s/
Laurel McGinnis, Director of Corporate Compliance
USR Holdings, LLC

Dated: 12/4/2024

For U.S. Department of Health and Human Services

/s/
Barbara Stampul
Regional Manager, Southeast Region
Office for Civil Rights

Dated: 12/4/2024

Endnotes

¹ At the time of the Covered Conduct, USR’s corporate office was located at 2000 Port St. Lucie Blvd., Port St. Lucie.  That office has moved to the address listed above.