The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement on March 21, 2025, with a healthcare business associate based in Illinois that provides wellness plans nationwide. The settlement resolves potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.
OCR initiated an investigation after receiving four breach reports from the business associate between October 15, 2018, and January 25, 2019. The reports were submitted on behalf of multiple covered entities, as required under the business associate relationship. The breaches involved unsecured electronic protected health information (ePHI) that had been exposed to internet indexing due to a server software misconfiguration.
According to the reports, the business associate discovered the exposure on June 27, 2018. Initially, it estimated that approximately 4,304 individuals were affected, though that number was later revised downward. The investigation found that the business associate had not conducted an accurate and thorough risk analysis to assess potential risks and vulnerabilities to ePHI until January 19, 2024.
As part of the resolution agreement, the business associate agreed to pay $227,816 and to implement a corrective action plan monitored by OCR for two years. The plan includes:
- Annually reviewing and updating as necessary its risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
- Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
- Implementing a process for evaluating environmental and operational changes that affect the security of ePHI; and
- Developing, maintaining, and revising, as necessary, certain written policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules.
OCR recommends that healthcare providers, health plans, healthcare clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber-threats:
- Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
- Integrate risk analysis and risk management into business processes regularly.
- Ensure audit controls are in place to record and examine information system activity.
- Implement regular review of information system activity.
- Use mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
- Encrypt ePHI to guard against unauthorized access to ePHI.
- Incorporate lessons learned from incidents into the overall security management process.
- Provide training specific to the organization and job responsibilities on a regular basis, and reinforce workforce members' critical role in protecting privacy and security.
Compliance Perspective
Issue
OCR enforces the HIPAA Privacy, Security, and Breach Notification rules, which establish the standards covered entities and business associates must follow to protect the privacy and security of protected health information (PHI). OCR recommends that organizations take steps to mitigate or prevent cyber threats by identifying where ePHI is stored and transmitted, integrating risk analysis and risk management into business processes, maintaining audit controls, regularly reviewing system activity, authenticating access to ePHI, encrypting data where appropriate, incorporating lessons learned from incidents, and providing workforce training tailored to specific job responsibilities. Additionally, covered entities should review all vendor and contractor relationships to ensure that business associate agreements are in place, updated as necessary, and contain the required provisions concerning PHI protection, breach notification, and security obligations.
Discussion Points
- Review and update policies and procedures related to HIPAA, PHI, and the Privacy and Security rules. Ensure they address how to prevent, detect, and respond to security incidents, including safeguards against unauthorized access and malicious software. Verify that business associate agreements are in place with all applicable vendors and contractors, and confirm that the agreements include required HIPAA terms related to breach reporting, permissible uses of PHI, and security responsibilities.
- Train appropriate staff on the HIPAA Security Rule, risk assessments, and threat awareness, including phishing, malware, and unauthorized access to PHI. Provide training upon hire, annually, and whenever new threats or technologies are introduced.
- Conduct periodic audits to confirm compliance with HIPAA policies and procedures, verify staff adherence to data security measures, and ensure ongoing risk analysis is performed and documented.
*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*