By: Christopher Parrella, Esq., CPC, CHC, CPCO
Parrella Health Law, Boston, MA.
A Health Care Provider Defense and Compliance Firm
When it comes to HIPAA, intent doesn’t matter—execution does. In its latest enforcement action, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $100,000 settlement with Health Fitness Corporation (HFC), a Minnesota-based provider of wellness and fitness services, for alleged violations of the HIPAA Security Rule.
The case stems from a 2016 data breach involving the electronic protected health information (ePHI) of nearly 500 individuals. An investigation by OCR revealed that HFC failed to conduct a thorough risk analysis, a basic yet critical requirement under HIPAA. HFC also failed to implement policies and procedures to regularly review records of information system activity—such as audit logs and access reports—until after the breach had occurred.
In plain English: the company didn’t know who was accessing what data and when. That’s a recipe for disaster.
OCR Director Melanie Fontes Rainer didn’t mince words: “We remind health care providers that they must have appropriate safeguards in place to protect the privacy and security of health information.” This settlement underscores that even smaller breaches will trigger enforcement, especially if foundational safeguards aren’t in place.
The takeaway is simple and stark: If your organization touches ePHI, you need to perform a current, accurate, and thorough risk assessment.
You need audit controls in place to monitor access to systems containing ePHI. You must document and periodically review those safeguards. And yes, OCR will follow up—even years later.
Along with the monetary settlement, HFC agreed to a two-year corrective action plan, including the implementation of revised HIPAA policies and comprehensive staff training. OCR also reserved the right to monitor HFC’s compliance going forward.
This case should light a fire under every healthcare business owner, IT lead, and compliance officer. HIPAA is not a set-it-and-forget-it regulation. It’s a living, breathing set of expectations that demands real investment and continuous oversight.
Questions about your HIPAA compliance or how to avoid being the next OCR headline? Contact Parrella Health Law at 857.328.0382 or email Chris directly at cparrella@parrellahealthlaw.com. Thank you.

Christopher A. Parrella, Esq., CPC, CHC, CPCO, is a leading healthcare defense and compliance attorney at Parrella Health Law in Boston. With extensive experience in healthcare law, he provides robust legal support in areas including regulatory compliance, audits, healthcare fraud defense, and reimbursement disputes. Christopher emphasizes client-centered advocacy, offering one-on-one consultations for personalized guidance. His proactive approach helps clients navigate complex healthcare regulations, ensuring compliant operations and defending against government investigations, audits, and overpayment demands.