
OCR settles HIPAA risk analysis investigation

OCR announced a settlement with a healthcare business associate, citing HIPAA risk analysis deficiencies.

The HHS Office for Civil Rights announced a settlement with Health Fitness Corporation, an Illinois-based healthcare business associate, over potential HIPAA risk analysis gaps. The case marked the fifth settlement under OCR's risk analysis initiative.

According to OCR, Health Fitness filed four data breach reports with OCR on behalf of multiple covered entities between Oct. 15, 2018 and Jan. 25, 2019. Health Fitness filed the reports after discovering that, beginning in August 2015, electronic protected health information (ePHI) had been exposed to web crawlers because of a software misconfiguration on the server storing the ePHI.

Although the information was discoverable on the internet as early as 2015, Health Fitness did not discover the breach until June 2018. Initial reports indicated that the breach had impacted 4,304 individuals, but the company later estimated that the total number could be lower.

OCR launched an investigation after receiving the breach reports and determined that Health Fitness had failed to conduct a thorough risk analysis, as required by HIPAA. The HIPAA risk analysis provision requires covered entities and business associates to conduct a thorough assessment of the potential risks to the confidentiality, integrity and availability of ePHI.

"Conducting an accurate and thorough risk analysis is not only required but is also the first step to prevent or mitigate breaches of electronic protected health information," said OCR Acting Director Anthony Archeval.

"Effective cybersecurity includes knowing who has access to electronic health information and ensuring that it is secure."

OCR started its risk analysis initiative to highlight the importance of these provisions and encourage compliance. OCR recommended that all covered entities integrate regular risk analysis and risk management processes into their businesses and review all vendor relationships to ensure that business associate agreements are in place.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
