OCR Announces Fifth Settlement Under Its Risk Analysis Initiative

Background

On March 21, 2025, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) announced a settlement with Health Fitness Corporation (“Health Fitness”), a company that provides wellness plans to clients across the United States in its capacity as a HIPAA business associate. The settlement marks the fifth enforcement action under OCR’s Risk Analysis Initiative, which aims to promote compliance with, and investigate potential violations of, the Risk Analysis provision of the HIPAA Security Rule.

The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, availability, and security of electronic Protected Health Information (“ePHI”). Under the Risk Analysis provision, a covered entity or business associate must conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by that organization. Failure to satisfy this requirement may result in OCR enforcement.

Investigation and Settlement

The Health Fitness settlement resolves OCR’s investigation of the company after it reported to OCR four data breaches involving ePHI within a three-month period, spanning October 15, 2018, to January 25, 2019. Health Fitness filed breach reports on behalf of multiple covered entities as their business associate. Specifically, OCR reported that ePHI became discoverable on the internet and was exposed to automated search devices (i.e., web crawlers) resulting from software misconfiguration on a server that housed the ePHI. Health Fitness informed OCR that it discovered the breach on June 27, 2018. The company initially reported that more than 4,304 individuals were affected but later estimated that the number may be lower.

While investigating Health Fitness, OCR determined that Health Fitness had failed for several years (until January 19, 2024) to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the ePHI it held. According to OCR, this violated the Risk Analysis provision of the HIPAA Security Rule.

Under the resolution agreement, Health Fitness agreed to pay $227,816 to OCR. Health Fitness must also implement a corrective action plan that OCR will monitor for two years. The corrective action plan requires Health Fitness to take steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI, including:

  • Annually reviewing and updating, as necessary, its risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
  • Developing and implementing a risk management plan;
  • Implementing a process for evaluating environmental and operational changes that affect the security of ePHI; and
  • Developing, maintaining, and revising, as necessary, certain written policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules.

Takeaways

In a press release announcing the settlement, OCR offered guidance to stakeholders on “steps to mitigate or prevent cyber-threats.” Specifically, OCR recommends that covered entities and business associates:

  • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
  • Integrate risk analysis and risk management into business processes regularly.
  • Ensure audit controls are in place to record and examine information system activity.
  • Implement regular review of information system activity.
  • Use mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI to guard against unauthorized access to ePHI.
  • Incorporate lessons learned from incidents into the overall security management process.
  • Provide training specific to the organization and job responsibilities on a regular basis, and reinforce workforce members’ critical role in protecting privacy and security.

By proactively implementing such measures, companies will be better positioned to ensure compliance with the HIPAA Security Rule. The Health Fitness settlement also underscores the importance of an organization reviewing its risk assessment after discovery of a data breach. Although Health Fitness filed breach reports, OCR indicated that the company continued to violate the Risk Analysis provision by failing to perform an adequate risk assessment until January 2024. The settlement should remind companies of the critical importance of good compliance hygiene after discovering a breach and during an OCR investigation. For more information, please contact AGG Healthcare attorneys Madison Pool or Cody Davis.