HHS settles HIPAA investigation with Health Fitness over security failures

On March 21, 2025, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with Health Fitness Corporation (Health Fitness), a wellness plan provider based in Illinois, for a potential violation of the HIPAA Security Rule.

What happened

The investigation stemmed from four breach reports that Health Fitness submitted between October 15, 2018, and January 25, 2019, on behalf of multiple covered entities as their business associate. To resolve the investigation, the company agreed to pay $227,816 and implement a corrective action plan monitored by OCR for two years. The settlement is the fifth enforcement action under OCR’s Risk Analysis Initiative, which focuses on ensuring compliance with the HIPAA Security Rule’s risk analysis provision. Acting OCR Director Anthony Archeval emphasized that conducting a thorough risk analysis is a fundamental cybersecurity measure.

The backstory

Between October 15, 2018, and January 25, 2019, Health Fitness reported four separate incidents where electronic protected health information (ePHI) was exposed online due to a server misconfiguration, allowing unauthorized access via internet search engines. These breaches, which began around August 2015 and were discovered by Health Fitness on June 27, 2018, potentially affected approximately 4,304 individuals. Health Fitness failed to perform the required risk analysis until January 19, 2024. This six-year delay in assessing potential risks and vulnerabilities to ePHI constituted a severe compliance failure.

In the know: The Security Rule

Health Fitness Corporation violated the HIPAA Security Rule, specifically the Risk Analysis provision outlined in 45 CFR § 164.308(a)(1)(ii)(A). The provision requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI. By failing to identify and mitigate security risks in a timely manner, Health Fitness did not comply with the foundational administrative safeguards of the HIPAA Security Rule.

What was said

According to OCR Acting Director Anthony Archeval, “Conducting an accurate and thorough risk analysis is not only required but is also the first step to prevent or mitigate breaches of electronic protected health information. Effective cybersecurity includes knowing who has access to electronic health information and ensuring that it is secure.”

FAQs

Who must comply with HIPAA?

  • Covered entities: Healthcare providers, health plans, and healthcare clearinghouses must comply with HIPAA.
  • Business associates: Entities that handle PHI on behalf of covered entities, such as billing services or IT providers, must also comply.
  • Business associate subcontractors: These are entities that handle PHI on behalf of business associates.

What is the HIPAA Privacy Rule?

The Privacy Rule governs the use and disclosure of PHI. It sets conditions for when PHI can be used or disclosed by covered entities.

Exceptions include using PHI within a facility, de-identifying data sets, and disclosures to business associates.

What is the HIPAA Security Rule?

The Security Rule sets national standards for protecting ePHI from internal and external threats.

What is the Breach Notification Rule?

This rule requires healthcare organizations to report breaches in the security or confidentiality of PHI.

Breaches include intentional or unintentional access, use, disclosure, modification, or destruction of PHI that compromises its security or privacy.