Breaches involving unsecured protected health information have led to a $227,816 fine for wellness plan provider Health Fitness. The fine is part of a settlement that will see the firm undertake a corrective action plan that is monitored for two years.
The US Department of Health and Human Services’ (HHS’s) Office for Civil Rights (OCR) announced the settlement with Health Fitness Corporation, a company that provides wellness plans to clients across the country, to resolve a potential violation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.
The rule requires administrative, physical, and technical safeguards to ensure confidentiality, availability, and security of health information.
Under the terms of the resolution agreement, Health Fitness agreed to implement a corrective action plan that OCR will monitor for two years and has paid a penalty of $227,816 to OCR. In addition, Health Fitness committed to take steps to ensure compliance with the HIPAA Security Rule and better protect the security of electronic protected health information (ePHI).
OCR enforces the HIPAA Privacy, Security and Breach Notification Rules, which set forth the requirements that covered entities (health plans, healthcare clearinghouses, and most healthcare providers), and business associates – such as Health Fitness – must follow to protect the privacy and security of ePHI.
The HIPAA Security Rule establishes national standards to protect and secure the US healthcare system by requiring administrative, physical, and technical safeguards to ensure the confidentiality, integrity, availability, and security of electronic PHI (ePHI).
The Risk Analysis provision of this rule requires a regulated organization to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by that organization.
Risk analysis
The settlement resolves OCR’s investigation of Health Fitness, which OCR initiated after receiving four self-reports from Health Fitness over a three-month period of breaches of unsecured protected health information.
Health Fitness filed the breach reports on behalf of multiple covered entities as their business associate.
The wellness firm reported that, beginning approximately in August 2015, ePHI became discoverable on the internet and was exposed to automated search devices (web crawlers) resulting from a software misconfiguration on the server housing the ePHI.
Health Fitness discovered the breach in June 2018, initially reporting that approximately 4,304 individuals were affected and later estimating that the number of individuals affected may be lower. OCR’s investigation determined that Health Fitness had failed to conduct an accurate and thorough risk analysis until January 2024 to determine the potential risks and vulnerabilities to the ePHI it held.
“Conducting an accurate and thorough risk analysis is not only required but is also the first step to prevent or mitigate breaches of electronic protected health information,” said Anthony Archeval, OCR Acting Director. “Effective cybersecurity includes knowing who has access to electronic health information and ensuring that it is secure.”
Corrective action plan
In addition to agreeing to pay the fine and to hire a compliance monitor, Health Fitness committed to take steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI by doing the following:
- Annually reviewing and updating as necessary its risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
- Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis.
- Implementing a process for evaluating environmental and operational changes that affect the security of ePHI.
- Developing, maintaining, and revising, as necessary, certain written policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules.
Mitigating cyber threats
In its announcement about this resolution with Health Fitness, OCR took the opportunity to outline steps that healthcare providers, health plans, healthcare clearinghouses, and business associates covered by HIPAA should take to mitigate or prevent cyber threats. The recommendations could serve as a good cyber-hygiene checklist for all healthcare organizations, if not all highly regulated ones.
The recommendations include:
- Reviewing all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach and security-incident obligations.
- Integrating risk analysis and risk management into business processes regularly.
- Ensuring audit controls are in place to record and examine information system activity.
- Implementing regular review of information system activity.
- Using mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
- Encrypting ePHI to guard against unauthorized access.
- Incorporating lessons learned from incidents into the overall security management process.
- Providing training specific to the organization and to job responsibilities on a regular basis, and reinforcing workforce members’ critical role in protecting privacy and security.
OCR noted that this settlement marks the fifth enforcement action in its Risk Analysis Initiative.
That enforcement initiative was created to focus select investigations on compliance with the HIPAA Security Rule Risk Analysis provision, the foundation for effective cybersecurity and the protection of ePHI; to increase the number of completed Security Rule investigations involving potential violations of the Risk Analysis provision; and to highlight the critical need for organizations to prioritize compliance with this HIPAA Security Rule requirement.