Illinois Business Associate Settles Alleged Risk Analysis Failure for $227,816
Health Fitness Corporation, an Illinois business associate, has agreed to settle an alleged HIPAA risk analysis failure with the HHS’ Office for Civil Rights (OCR). The agreement includes a $227,816 financial penalty, a corrective action plan, and two years of compliance monitoring.
One of the most common HIPAA violations identified by OCR in its audits and investigations is the failure to conduct a comprehensive and accurate risk analysis, as required by the administrative safeguards of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A). This implementation specification requires regulated entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information [ePHI] held by the covered entity or business associate.” Identified risks must then be subjected to a risk management process and be reduced to a reasonable and appropriate level. If a risk analysis is not completed, or if it is not comprehensive and accurate, risks and vulnerabilities to ePHI are likely to remain and could potentially be exploited to gain access to ePHI. Due to widespread noncompliance with this foundational Security Rule requirement, OCR launched a risk analysis compliance initiative.
The latest settlement is the fifth enforcement penalty to be imposed under the OCR risk analysis enforcement initiative. “Conducting an accurate and thorough risk analysis is not only required but is also the first step to prevent or mitigate breaches of electronic protected health information,” said OCR Acting Director Anthony Archeval. “Effective cybersecurity includes knowing who has access to electronic health information and ensuring that it is secure.”
Health Fitness Corporation (Health Fitness) is a provider of wellness plans to clients across the United States and a business associate under HIPAA. OCR launched an investigation after receiving multiple breach reports from Health Fitness, filed on behalf of several clients, over a three-month period between October 15, 2018, and January 25, 2019. In each case, ePHI had been exposed on the Internet and could be viewed and copied by anyone. The exposed data had also been indexed by search engines, allowing it to be found using specific search terms. The data was first exposed in August 2015 as a result of a software misconfiguration on the server where the ePHI was stored, and the exposure was identified by Health Fitness on June 27, 2018. Health Fitness reported the breaches to OCR as affecting 4,304 individuals, although it later stated that the number of individuals affected may be lower.
OCR’s investigation determined that Health Fitness had not conducted an accurate and thorough risk analysis until January 19, 2024. Health Fitness was offered the opportunity to settle the alleged HIPAA violation informally and chose to do so. In addition to the financial penalty, Health Fitness has agreed to adopt a corrective action plan, which requires an annual review and update of its risk analysis, plus prompt updates in response to environmental and operational changes that affect the security of ePHI. Policies and procedures must be developed and implemented for evaluating environmental and operational changes.
A risk management plan must be developed and implemented to reduce risks to a reasonable and appropriate level, and policies and procedures related to the HIPAA risk analysis and risk management implementation specifications must be developed, maintained, and revised as necessary, and distributed to the workforce. Health Fitness must report any compliance failures to OCR promptly and submit implementation reports and annual reports to OCR, and will be monitored for compliance for two years. This is the third HIPAA penalty to be imposed by OCR under the Trump administration, bringing the total funds raised up to $1,927,816.