OCR Settles HIPAA Security Rule Investigation with Health Fitness
On March 21, the HHS’ Office for Civil Rights (OCR) announced a settlement with Health Fitness Corporation, an Illinois-based provider of wellness plans nationwide. The settlement resolved a potential HIPAA violation discovered after Health Fitness reported breaches on behalf of multiple covered entities as their business associate.
Health Fitness revealed that a software misconfiguration exposed electronic protected health information (ePHI) online, making it accessible to automated web crawlers. The issue began around August 2015 and was discovered on June 27, 2018. OCR’s investigation determined that Health Fitness failed to conduct an accurate and thorough risk analysis until January 19, 2024, violating the HIPAA Security Rule’s Risk Analysis provision.
“Conducting an accurate and thorough risk analysis is not only required but is also the first step to prevent or mitigate breaches of electronic protected health information,” said OCR Acting Director Anthony Archeval. “Effective cybersecurity includes knowing who has access to electronic health information and ensuring that it is secure.”
What is the OCR’s Risk Analysis Initiative?
The OCR’s Risk Analysis Initiative was created to focus select investigations on compliance with the HIPAA Security Rule Risk Analysis provision, a key requirement that is the foundation for effective cybersecurity and the protection of ePHI. It aims to increase the number of completed Security Rule investigations and reinforce the importance of proactive cybersecurity measures.
This latest settlement marks the fifth enforcement action under the initiative. Health Fitness will implement a two-year, OCR-monitored corrective action plan and pay $227,816 in fines as part of the resolution agreement.
Lessons for HIPAA-Covered Entities and Business Associates
To enhance cybersecurity and maintain HIPAA compliance, covered entities and business associates should:
- Review and confirm that business associate agreements (BAAs) are in place and address breach/security obligations. A vendor risk assessment lets you understand the capabilities, security protocols, compliance efforts, and potential risks of working with a specific vendor.
- Integrate risk analysis and risk management into routine business processes rather than treating them as one-off exercises.
- Review information system activity regularly to detect and respond to potential threats.
- Authenticate and control access to ensure only authorized users access ePHI.
- Encrypt ePHI to guard against unauthorized access.
- Apply lessons from past security incidents to strengthen defenses. Disaster recovery and contingency plan testing is not just a HIPAA requirement; it is also an essential business practice.
- Provide regular HIPAA training to educate workforce members on privacy and security responsibilities.
This enforcement action underscores the critical need for HIPAA-covered entities and their business associates to conduct thorough risk analyses. Organizations can avoid costly settlements and protect sensitive patient data by prioritizing cybersecurity and HIPAA compliance.
Are Your Vendors HIPAA Compliant?
Ensure your business associates comply with HIPAA. Our Vendor Risk Assessment can help establish strategies to address risks associated with third-party vendors by uncovering vulnerabilities that could compromise data confidentiality.