On March 21, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced that it had reached a $227,816 settlement with the Illinois-based Health Fitness Corporation following several breaches of unsecured electronic protected health information (ePHI) affecting over 4,000 individuals across the country. The investigation alleged that Health Fitness, acting as a business associate, failed to conduct a risk analysis until January 2024, several years after ePHI was exposed online through a server misconfiguration in June 2018. The settlement marks the fifth action under OCR’s Risk Analysis Initiative, a campaign emphasizing the critical role an accurate risk analysis plays in HIPAA Security Rule compliance. As part of the resolution, Health Fitness has agreed to a two-year corrective action plan under which it will be required to conduct annual risk analyses, implement enhanced risk analysis procedures, and update its policies. The OCR’s Risk Analysis Initiative is a focused effort that prioritizes the critical role cybersecurity plays in protecting patient information under HIPAA’s risk analysis requirements.
OCR Settles HIPAA Security Rule Investigation with Health Fitness Corporation