On March 21, 2025, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $227,816 settlement with Health Fitness Corporation (Health Fitness), an Illinois company and HIPAA business associate providing wellness plans to clients nationwide. OCR and Health Fitness entered into a resolution agreement in late December 2024, prior to the change in the presidential administration.
Emphasis on risk analysis
In 2018, Health Fitness discovered that a software misconfiguration had caused electronic protected health information (ePHI) stored on its server to become discoverable on the internet and exposed to automated search devices (web crawlers), dating back to 2015. After Health Fitness provided breach notification to OCR in 2018 on behalf of multiple covered entities as their business associate, OCR conducted an investigation and determined that Health Fitness had failed to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
This marks OCR’s fifth enforcement action under its Risk Analysis Initiative, an initiative created to emphasize the importance of conducting risk analyses and to increase the number of completed investigations involving potential violations of the HIPAA Security Rule. Because OCR and Health Fitness settled the investigation in late 2024, it remains unclear whether the Risk Analysis Initiative will continue to be an area of focus for the current administration.
Health Fitness’s corrective action plan
In addition to the financial settlement, Health Fitness also agreed to implement a two (2)-year corrective action plan (CAP), which will be monitored by OCR. Under the CAP, Health Fitness will take steps to safeguard its ePHI, including by:
- Evaluating and updating its risk analysis annually;
- Developing a risk management plan to account for and mitigate security risks and vulnerabilities identified in its risk analysis;
- Implementing a process for evaluating changes to its environment and operations that affect the security of ePHI; and
- Developing, maintaining, and updating, as necessary, its policies and procedures to ensure compliance with HIPAA.
Takeaways for HIPAA-regulated entities
The Health Fitness settlement serves as an important reminder to HIPAA-regulated entities to implement security processes and controls to ensure that the entity safeguards the ePHI it stores, accesses, and discloses.
In addition, it serves as another example of how the HIPAA breach resolution process may take time. Health Fitness reported the breaches to OCR in 2018 and 2019 and did not enter into a settlement with OCR until 2024, approximately six (6) years later. In the event that a HIPAA-regulated entity must provide breach notification to OCR, it should keep in mind that OCR compliance investigations and, as applicable, related resolution processes, often take time and may result in a multi-year process.
Though OCR HIPAA enforcement priorities under the new administration are yet to be seen, the Health Fitness settlement emphasizes the need for HIPAA-regulated entities to conduct accurate and thorough risk analyses to maintain a robust HIPAA compliance program.