
Wellness Provider Fined $227K for Lack of HIPAA Risk Analysis


The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), reached a settlement with Health Fitness Corporation, a wellness provider in Illinois. This settlement resolves potential violations of the HIPAA Security Rule.

OCR began investigating Health Fitness after the company submitted four breach reports over a three-month period. These reports were made on behalf of several covered entities, as Health Fitness was acting as their business associate.

The breaches occurred because of a software misconfiguration on a server that left electronic PHI (ePHI) exposed online and indexed by search engines starting around August 2015. Health Fitness discovered the issue on June 27, 2018. It initially reported that the breach affected around 4,304 individuals, but later concluded the number might be lower.

OCR found that Health Fitness failed to conduct a proper risk analysis to identify potential security issues with its ePHI until January 19, 2024.

As part of the settlement, Health Fitness agreed to a two-year corrective action plan, which OCR will oversee, and paid $227,816.

Under the plan, Health Fitness must:

  • Review and update its risk analysis each year.
  • Create and follow a risk management plan to fix any identified security issues.
  • Implement a process to review changes in its environment that could affect ePHI security.
  • Maintain and update written policies and procedures to comply with HIPAA’s Privacy, Security, and Breach Notification Rules.

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law enacted in 1996 that establishes national standards to protect sensitive patient health information from being disclosed without the patient’s knowledge or consent. HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses—referred to as covered entities—as well as their business associates. The law includes provisions to ensure the confidentiality, integrity, and availability of protected health information (PHI), both in paper and electronic form. HIPAA also gives individuals rights over their health information, including rights to access and request corrections. Compliance with HIPAA is enforced by the U.S. Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR).

You can read the full agreement and plan here: Resolution Agreement and Corrective Action Plan (PDF)
