The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a settlement with Health Fitness Corporation (Health Fitness), an Illinois-based provider of wellness plans nationwide, over a potential HIPAA Security Rule violation.

OCR is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules, which outline the obligations of covered entities—such as health plans, health care clearinghouses, and most health care providers—as well as business associates like Health Fitness. The HIPAA Security Rule establishes national standards for safeguarding electronic protected health information (ePHI) through administrative, physical, and technical measures that ensure its confidentiality, integrity, availability, and security. A key requirement of this rule, the “Risk Analysis provision,” mandates that regulated entities conduct a thorough assessment of potential risks and vulnerabilities to ePHI.

“Performing an accurate and comprehensive risk analysis is both a regulatory requirement and a crucial step in preventing or mitigating breaches of electronic protected health information,” stated OCR Acting Director Anthony Archeval. “Strong cybersecurity practices begin with understanding who has access to sensitive health information and ensuring it remains secure.”

This settlement marks the fifth enforcement action under OCR’s Risk Analysis Initiative, which aims to enhance compliance with the HIPAA Security Rule’s Risk Analysis provision. The initiative was developed to increase the number of Security Rule investigations related to risk analysis violations and to underscore the necessity for organizations to prioritize compliance with this fundamental requirement.

OCR launched its investigation into Health Fitness after receiving four separate breach reports from the company between October 15, 2018, and January 25, 2019. As a business associate, Health Fitness submitted these reports on behalf of multiple covered entities. The company disclosed that, beginning in August 2015, a software misconfiguration on a server exposed ePHI to internet search engines, making it accessible to web crawlers. The breach was discovered on June 27, 2018. Initially, Health Fitness estimated that 4,304 individuals were affected, though later assessments suggested the actual number may have been lower. OCR’s investigation concluded that Health Fitness had not conducted a thorough risk analysis until January 19, 2024, to assess potential risks and vulnerabilities related to the ePHI it maintained.

As part of the resolution agreement, Health Fitness agreed to a corrective action plan monitored by OCR for two years and paid a settlement amount of $227,816. The company has committed to improving its compliance with the HIPAA Security Rule and strengthening ePHI protections by:

  • Conducting an annual review and update of its risk analysis to identify potential threats to ePHI confidentiality, integrity, and availability;
  • Developing and implementing a risk management plan to mitigate identified security risks;
  • Establishing a process for evaluating environmental and operational changes that could impact ePHI security;
  • Creating and maintaining updated written policies and procedures in compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

The full resolution agreement and corrective action plan can be accessed at: https://www.hhs.gov/sites/default/files/health-fitness-ra-cap.pdf.

OCR advises health care providers, health plans, clearinghouses, and business associates to take proactive measures against cybersecurity threats, including:

  • Reviewing vendor and contractor relationships to ensure business associate agreements are in place and address breach/security obligations;
  • Integrating risk analysis and risk management into regular business operations;
  • Implementing audit controls to monitor and assess information system activity;
  • Conducting regular reviews of system activity;
  • Utilizing authentication mechanisms to ensure only authorized personnel access ePHI;
  • Encrypting ePHI to prevent unauthorized access;
  • Applying lessons learned from security incidents to enhance overall risk management;
  • Providing job-specific and routine security training to reinforce employees’ roles in protecting privacy and security.

By adhering to these best practices, organizations can strengthen their cybersecurity posture and better safeguard sensitive health information.