Health Fitness Corporation OCR Settlement

On March 21, 2025, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with Health Fitness Corporation. OCR was investigating Health Fitness for a potential HIPAA Security Rule violation that may have led to several breaches that compromised patient information. The settlement marks the fifth case resolved under the OCR’s Risk Analysis Initiative.

The OCR launched its Risk Analysis Initiative to focus investigations on compliance with the Security Rule's risk analysis provision, as it is the foundation for effectively protecting electronic protected health information (ePHI), and to highlight the criticality of risk analysis.

Risk Analysis Failures Risked Patient Privacy

Between October 15, 2018, and January 25, 2019, Health Fitness Corporation, a HIPAA business associate, filed four breach reports with OCR. Starting in August 2015, ePHI was exposed on the internet due to a misconfiguration in the software on the server storing the sensitive data.

While the exposure started in August 2015, Health Fitness did not discover it until June 2018. Initial reports estimated that the incident compromised 4,304 patients, but the number affected was later thought to be lower.

Health Fitness Settles with OCR

After Health Fitness filed the breach reports, OCR launched an investigation into potential compliance failures. OCR found that Health Fitness failed to conduct an accurate and thorough risk analysis until January 19, 2024.

“Conducting an accurate and thorough risk analysis is not only required but is also the first step to prevent or mitigate breaches of electronic protected health information,” said OCR Acting Director Anthony Archeval. “Effective cybersecurity includes knowing who has access to electronic health information and ensuring that it is secure.”

To resolve the investigation, Health Fitness agreed to pay $227,816 and implement a corrective action plan (CAP). Under the CAP, Health Fitness will:

  • Review and update its risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI
  • Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis
  • Implement a process for evaluating environmental and operational changes that affect the security of ePHI
  • Develop, maintain, and revise certain written policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules

Meeting HIPAA Security Risk Analysis Requirements

Compliancy Group enables healthcare organizations to conduct a security risk analysis with easy-to-use software, the Guard. By answering a series of questions, the Guard helps organizations assess their overall security posture and prioritize corrective actions based on the likelihood of occurrence and the severity of the threat. Find out how Compliancy Group can help you meet your risk analysis needs!