Factual Background and Covered Conduct. On September 27, 2010, the HHS Office for Civil Rights received notification from “New York-Presbyterian Hospital and Columbia University Medical Center” regarding a breach of its unsecured electronic protected health information (ePHI). On November 5, 2010, HHS notified NYP of HHS’ investigation regarding NYP’s compliance with the Privacy and Security Rules promulgated by HHS pursuant to the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.L. 104-191, 110 Stat. 1936. HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”):
Factual Background and Covered Conduct. On June 2, 2017, Respondent made a submission pursuant to OIG's Self Disclosure Protocol (Protocol), and OIG accepted Respondent into the Protocol on July 24, 2017. The OIG contends that Respondent knowingly presented to Medicare, Tricare, and VA claims for items or services that Respondent knew or should have known were not provided as claimed and were false or fraudulent. Specifically, the OIG contends that, in certain cases of three or more concurrent neurosurgical procedures performed at University Hospital Shreveport during the period November 1, 201 1 through January 3, 2017, Respondent submitted claims for physician services by teaching surgeons when those services were supervisory services to the hospital rather than a physician service to individual patients. The OIG contends that the conduct described in this Paragraph (hereinafter referred to as the "Covered Conduct") subjects Respondent to civil monetary penalties, assessments, and exclusion under 42 U.S.C. §§ 1 320a-7a and 1320a-7(b)(7).
Factual Background and Covered Conduct. In February 2014, the HHS Office for Civil Rights (OCR) received separate notifications from each of the six nursing homes regarding a breach of unsecured electronic protected health information (ePHI) at CHCS. On April 17, 2014, OCR notified CHCS of OCR’s investigation regarding CHCS’s compliance with the HIPAA Rules. OCR’s investigation indicated that the following conduct occurred (“Covered Conduct”):
Factual Background and Covered Conduct. Between August 23, 2013 and November 1, 2013, Advocate submitted three breach notification reports to HHS. Each breach report pertained to a separate and distinct incident involving Advocate Health and Hospitals Corporation d/b/a Advocate Medical Group (“AMG”), an Advocate subsidiary: On August 23, 2013, Advocate notified HHS regarding a breach of Advocate's unsecured electronic protected health information ("ePHI"). Advocate reported that four desktop computers containing the ePHI of approximately 4,029,530 individuals (later amended to 3,994,175) had been stolen from an AMG administrative office building, located on Touhy Avenue in Park Ridge, Illinois ("Touhy Support Center"), during the early morning hours of July 15, 2013. On August 29, 2013, HHS notified Advocate that HHS was opening an investigation into those aspects of Advocate's compliance with the HIPAA Rules implicated by Advocate's breach report. On September 13, 2013, Advocate notified HHS regarding another breach of Advocate's unsecured ePHI. This breach involved Blackhawk Consulting Group (`Blackhawk"), a business associate of Advocate, which provides billing services to AMG. Advocate reported that, at some point between June 30, 2013 and August 15, 2013, the ePHI of 2,027 AMG patients had been potentially compromised when an unauthorized third party accessed Blackhawk's network. On October 29, 2013, HHS notified Advocate that it was opening an investigation into Advocate's compliance with the HIPAA Rules implicated by Advocate's second breach report. On November 1, 2013, HHS received notification from Advocate regarding a third breach of Advocate's unsecured ePHI. Advocate reported that an unencrypted laptop containing the ePHI of approximately 2,237 individuals was stolen from an AMG workforce member's vehicle. On January 8, 2014, HHS notified Advocate that it was commencing an investigation regarding Advocate's compliance with the HIPAA Rules implicated by Advocate's third breach report. HHS’ investigations of the above breach reports indicated that the following conduct appears to have occurred, which shall be defined as “Covered Conduct” for purposes of this Agreement:
Factual Background and Covered Conduct. On March 21, 2013, the HHS Office for Civil Rights (“OCR”) received notification from UMMC regarding a breach of unsecured electronic protected health information (“ePHI”) affecting 500 or more individuals at UMMC’s University Hospital. On October 25, 2013, HHS notified UMMC of its investigation regarding UM’s compliance with the Privacy, Security, and Breach Notification Rules.
Factual Background and Covered Conduct. On January 27, 2013, the HHS Office for Civil Rights received a complaint against NYP alleging that on April 28, 2011, NYP impermissibly disclosed protected health information (PHI) to a film crew and other staff of “NY Med,” a television program being filmed in the hospital. On May 29, 2013, HHS notified NYP of HHS’ investigation regarding NYP’s compliance with the Privacy Rule promulgated by HHS pursuant to the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.L. 104-191, 110 Stat. 1936. HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”):
Factual Background and Covered Conduct. On November 27, 2013, HHS received notification from UW Medicine regarding a breach of its unsecured electronic protected health information (e-PHI). On December 26, 2013, HHS notified UW Medicine of this investigation regarding UW Medicine’s compliance with the Privacy, Security, and Breach Notification Rules. HHS’s investigation indicated that the following conduct occurred (“Covered Conduct”).
Factual Background and Covered Conduct. On August 29, 2012, HHS received notification from CCG regarding a breach involving unsecured electronic protected health information (ePHI). CCG reported that, on July 19, 2012, a laptop bag was stolen from an employee’s car in Indianapolis, Indiana. According to the report, the laptop bag contained the employee’s computer, which did not contain ePHI, and computer server backup media, which contained the ePHI of approximately 55,000 individuals. During the course of its investigation, OCR learned that a CCG workforce member left the computer server backup media, which was unencrypted, unattended in the passenger section of the workforce member’s car, where it was then stolen by a third party who broke a window to obtain access to the inside of the car. OCR’s investigation indicated that the following covered conduct occurred:
Factual Background and Covered Conduct. On April 15, 2010, the HHS Office for Civil Rights (OCR) received notification from AHP regarding a breach of its unsecured electronic protected health information (EPHI). On May 19, 2010, OCR notified AHP of OCR’s investigation regarding AHP’s compliance with the Privacy, Security, and Breach Notification Rules. OCR’s investigation indicated that the following conduct occurred (“Covered Conduct”):
Factual Background and Covered Conduct. On December 9, 2011, HHS received notification from Skagit County regarding a breach of its unsecured electronic protected health information (ePHI). On May 25, 2012, HHS notified Skagit County of its investigation regarding Skagit County’s compliance with the Privacy, Security, and Breach Notification Rules. HHS’s investigation indicated that the following conduct occurred (“Covered Conduct”).
