Health Fitness Corporation settles with HHS over HIPAA Security Rule violations

Scott Rowell, Deputy Chief of Staff, Operations for the U.S. Department of Health and Human Services | Official Website

The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has reached a settlement with Health Fitness Corporation, an Illinois-based company that provides wellness plans nationwide. This resolution addresses potential violations of the HIPAA Security Rule.

OCR oversees the enforcement of the HIPAA Privacy, Security, and Breach Notification Rules. These rules require entities such as health plans, healthcare clearinghouses, most healthcare providers, and business associates like Health Fitness to safeguard protected health information (PHI). The HIPAA Security Rule mandates national standards for securing electronic PHI (ePHI), including conducting thorough risk analyses to identify potential vulnerabilities.

"Conducting an accurate and thorough risk analysis is not only required but is also the first step to prevent or mitigate breaches of electronic protected health information," stated OCR Acting Director Anthony Archeval. "Effective cybersecurity includes knowing who has access to electronic health information and ensuring that it is secure."

This settlement marks the fifth enforcement action under OCR’s Risk Analysis Initiative. This initiative emphasizes compliance with the HIPAA Security Rule Risk Analysis provision, aiming to increase completed investigations into potential violations and underscore the importance of adherence.

The investigation into Health Fitness was prompted by four reports submitted between October 2018 and January 2019 regarding breaches of unsecured PHI. These reports were filed by Health Fitness on behalf of multiple covered entities. It was found that ePHI had been exposed online due to a server misconfiguration from August 2015 until its discovery in June 2018. Initially reported as affecting approximately 4,304 individuals, this number was later estimated to be lower.

Health Fitness has agreed to implement a corrective action plan monitored by OCR over two years and paid $227,816 as part of the settlement. Measures include annual reviews of risk analyses, development of a risk management plan, evaluation processes for environmental changes affecting ePHI security, and revisions to comply with HIPAA rules.

OCR suggests several steps for entities covered by HIPAA to mitigate cyber threats: ensuring vendor agreements address breach obligations; integrating risk management into business processes; implementing audit controls; regularly reviewing system activity; using authentication mechanisms; encrypting ePHI; incorporating incident lessons into security management; and providing regular workforce training on privacy and security responsibilities.

For further details about the resolution agreement or if you believe your health information privacy rights have been violated, visit OCR's website or their social media handle @HHSOCR.