Navigating HIPAA Compliance: A Costly Oversight at Health Fitness
The “Risk Analysis provision” of HIPAA requires a regulated organization to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by that organization. The Risk Analysis Initiative was created to focus select Office for Civil Rights (OCR) investigations on compliance with the HIPAA Security Rule Risk Analysis provision, in order to increase the number of completed Security Rule investigations involving potential violations of that provision.
Health Fitness Pays $227,816 Settlement & 2-Year Corrective Action Plan
OCR received four breach reports over a 3-month period from Health Fitness, filed on behalf of multiple covered entities as their business associate. Health Fitness reported that ePHI became discoverable on the internet and was exposed to automated search devices (web crawlers) as a result of a software misconfiguration on the server housing the ePHI. Health Fitness discovered the breach on June 27, 2018. OCR’s investigation determined that Health Fitness had not conducted an accurate and thorough risk analysis of the potential risks and vulnerabilities to the ePHI it held until January 19, 2024.
Under the terms of the resolution agreement, Health Fitness agreed to implement a corrective action plan that OCR will monitor for two years and paid $227,816 to OCR. Under the corrective action plan, Health Fitness committed to take steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI, including:
- Annually reviewing and updating as necessary its risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
- Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
- Implementing a process for evaluating environmental and operational changes that affect the security of ePHI; and
- Developing, maintaining, and revising, as necessary, certain written policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules.
Is Your Healthcare Organization Really HIPAA Compliant?
In addition to training and education, OCR recommends that health care providers, health plans, health care clearinghouses, and business associates covered by HIPAA take the following steps to mitigate or prevent cyber threats:
- Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
- Integrate risk analysis and risk management into business processes regularly. Get the free SRA tool from HealthIT.gov.
- Ensure audit controls are in place to record and examine information system activity.
- Implement regular review of information system activity.
- Use mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
- Encrypt ePHI to guard against unauthorized access to ePHI.
- Incorporate lessons learned from incidents into the overall security management process.
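The audit-control and activity-review recommendations above are where the kind of exposure described in the Health Fitness case becomes detectable: a web server's own access log records when a search-engine crawler successfully fetches files that should never have been reachable anonymously. The following script is an added example, not code from OCR, Health Fitness, or this article. It parses access-log lines in the common "combined" format and flags successful (2xx) requests from crawler-like user agents for paths under a directory assumed to hold ePHI. The log lines, IP addresses, the `/reports/` prefix, and the crawler user-agent heuristic are all constructed for illustration; a real deployment would point the prefix at its own sensitive paths and extend the user-agent patterns.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache/nginx "combined" format).
# Hosts, paths, and timestamps are hypothetical and do not come from the incident.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Jun/2018:09:14:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/67.0"
66.249.66.1 - - [27/Jun/2018:09:15:11 +0000] "GET /reports/ HTTP/1.1" 200 8831 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [27/Jun/2018:09:15:12 +0000] "GET /reports/member_0001.pdf HTTP/1.1" 200 203311 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
40.77.167.5 - - [27/Jun/2018:09:20:40 +0000] "GET /reports/member_0002.pdf HTTP/1.1" 200 198004 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
198.51.100.7 - - [27/Jun/2018:09:22:01 +0000] "GET /reports/member_0003.pdf HTTP/1.1" 200 201120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"
66.249.66.1 - - [27/Jun/2018:09:25:00 +0000] "GET /reports/member_0004.pdf HTTP/1.1" 403 214 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

# One regex for the combined log format: client IP, timestamp, request line,
# status, response size, referer, user agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Heuristic for crawler user agents (assumption: not an exhaustive list).
CRAWLER_UA_RE = re.compile(r"bot|crawler|spider|slurp", re.IGNORECASE)


def parse_log(text):
    """Parse combined-format log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def find_crawler_exposure(text, ephi_prefix="/reports/"):
    """Return log entries where a crawler-like user agent successfully (2xx)
    retrieved a resource under ephi_prefix. A 2xx on the bare directory path
    is additionally marked as a likely directory listing, which is how a
    misconfigured server makes every file under it discoverable."""
    findings = []
    for e in parse_log(text):
        if not e["path"].startswith(ephi_prefix):
            continue
        if not 200 <= e["status"] < 300:
            continue  # blocked or failed requests are not an exposure
        if not CRAWLER_UA_RE.search(e["ua"]):
            continue
        e["directory_listing"] = e["path"].endswith("/")
        findings.append(e)
    return findings


def summarize_by_client(findings):
    """Count exposed fetches per client IP, for the activity-review report."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = find_crawler_exposure(SAMPLE_LOG)
    for h in hits:
        kind = "DIRECTORY LISTING" if h["directory_listing"] else "file"
        print(f"{h['ts']} {h['ip']} {kind} {h['path']} ua={h['ua'][:40]}")
    print(summarize_by_client(hits))
```

Run against a real log, the output is the evidence a reviewer would carry into the risk-analysis update: which paths were indexed, by whom, and when the first successful crawler fetch occurred, which bounds the exposure window that a breach report has to describe.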
OCR states that training should be specific to the organization and to job responsibilities, should be provided on a regular basis, and should reinforce workforce members’ critical role in protecting privacy and security.
HIPAA Training Online
The American Institute of Healthcare Compliance is a licensing/certification partner with CMS and offers various levels of HIPAA training online:
Additional Resources for Medical Practice Oversight