While healthcare providers are keenly aware of the need to report HIPAA (“Health Insurance Portability and Accountability Act of 1996”) data breaches, many do not consider that, once reported, a data breach often leads to an investigation of the provider’s entire HIPAA compliance program, and to significant penalties for noncompliance.
On March 21, 2025, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) announced a settlement with Health Fitness Corporation (“Health Fitness”), a HIPAA business associate that reported several data breaches involving 4,304 individuals.
While investigating Health Fitness, OCR found that the company had failed to conduct a HIPAA risk assessment for several years. The HIPAA Security Rule requires that covered entities and business associates implement adequate safeguards, including regular risk assessments, to protect the privacy and security of electronic Protected Health Information (“ePHI”).
Under the settlement agreement, Health Fitness agreed to pay $227,816 in penalties, and to implement a corrective action plan that included:
- Annually reviewing and updating its HIPAA risk assessment;
- Developing and implementing a HIPAA risk management plan;
- Developing and revising, as necessary, written policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules.
In announcing the settlement agreement, OCR emphasized that this marked the fifth enforcement action under OCR’s Risk Analysis Initiative to investigate compliance with the risk analysis provisions of the HIPAA Security Rule. OCR’s Acting Director stated: “Conducting an accurate and thorough risk analysis is not only required but is also the first step to prevent or mitigate breaches of electronic protected health information.”
To mitigate the risk of cybersecurity threats, OCR recommends that HIPAA covered entities and business associates:
- Review all vendor and contractor relationships to ensure business associate agreements are in place;
- Integrate HIPAA risk analysis and risk management into business processes;
- Implement regular review of information system activity, with appropriate audit controls;
- Use encryption and authentication measures to ensure that only authorized users are accessing ePHI;
- Provide training on a regular basis to reinforce workforce members’ critical role in protecting HIPAA privacy and security.
OCR’s announcement is a clear warning to all providers and businesses subject to HIPAA that the time for compliance is now, not after a data breach, when failure to maintain and regularly monitor a HIPAA compliance program may result in substantial penalties. Note that, in addition to breaches, which must be reported, OCR also investigates complaints of violations, which can be filed online with relative ease.
Importantly, HIPAA compliance is not one-size-fits-all, and certain program elements are scalable to the resources of the provider. However, all organizations, no matter how big or small, must have and maintain a compliance program consistent with the minimum requirements of the regulations.
If you are facing an OCR investigation and would like guidance in responding to allegations of noncompliance, or if you have questions about HIPAA compliance in general, please contact partner Christopher J. Churchill, partner Katherine B. Kravitz, or any member of Barley Snyder’s Health Care or Senior Living industry groups.