The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced a HIPAA enforcement action against an employer-sponsored group health plan. The action resulted in a payment to HHS of $245,000 and a two-year corrective action plan. While HIPAA enforcement is common in the healthcare sector, actions directly against employer-sponsored group health plans are not as common. This case, coupled with DOL guidance for ERISA fiduciaries concerning cybersecurity, underscores a growing regulatory focus not only on traditional healthcare entities, but also on the plans and ecosystems maintained by employers under ERISA.

The Incident: Ransomware, Unauthorized Access, and Plan Data

According to the breach notification sent to affected individuals, the plan sponsor experienced a security incident back in 2021 involving encryption of systems and unauthorized access to sensitive data. The data included names and Social Security numbers, along with dates of birth, health insurance and plan-related information, and claims data. Notably, the compromised data included group health plan information, not merely employment records—placing the incident squarely within HIPAA’s scope.

OCR’s Enforcement: A Focus on Risk Analysis Failures

OCR’s resolution agreement centers on a familiar but critical theme: allegations of a failure to conduct an adequate risk analysis, as required under the HIPAA Security Rule. Importantly, this enforcement action is part of OCR’s broader Risk Analysis Initiative, which has produced many enforcement actions targeting organizations that OCR alleges:

  • Failed to identify where ePHI resides
  • Did not assess vulnerabilities to that data
  • Lacked documented risk analysis processes

OCR has repeatedly emphasized that risk analysis is the foundation of HIPAA compliance—and this enforcement action confirms that this expectation applies equally to employer-sponsored health plans.

Why This Case Matters

As one of the few enforcement actions OCR has taken against employer-sponsored group health plans, this case signals a willingness by OCR to look beyond providers and insurers and into ERISA plan structures. For plan sponsors, this case is a reminder that the plan—not the employer in its employment capacity—is the HIPAA covered entity, and regulators will not hesitate to hold the plan accountable.

This case also intersects with the Department of Labor’s (DOL) cybersecurity guidance for ERISA plans. DOL has made clear that plan fiduciaries have an obligation to:

  • Prudently select and monitor service providers, including their cybersecurity practices
  • Ensure protection of plan data
  • Assess risks to participant information and plan assets

In practical terms, this means:

  • A HIPAA risk analysis is not just a compliance exercise
  • It is also part of a fiduciary obligation under ERISA

Key Takeaways: Conducting an Effective HIPAA Risk Analysis

OCR enforcement trends—including this case—point to consistent gaps in how organizations approach risk analysis. Plan sponsors should ensure their process includes:

  1. Data Mapping. To understand the threats and vulnerabilities to plan data, plans need to know where the data resides. This could be accomplished through a mapping exercise that identifies all locations of ePHI, including:
    • Internal systems
    • Third-party administrators (TPAs)
    • Cloud platforms and other vendors
  2. Threat and Vulnerability Assessment. Once the plan knows the kind of data it maintains and where it is, it can assess threats and vulnerabilities. This includes evaluating:
    • External threats (e.g., ransomware, phishing)
    • Internal risks (e.g., access controls, workforce practices)
  3. Likelihood and Impact Analysis. Not all threats and vulnerabilities are the same, and plans can analyze them by looking at:
    • Likelihood: the probability that a given threat materializes or a vulnerability is exploited
    • Impact: the potential harm to participants and to the plan if it does
  4. Vendor Risk Integration. Risk resides not only with the plan and plan sponsor, but also with the vendors that provide services to the plan – third-party claims administrators, brokers, wellness programs, claims advocates, enrollment platforms, and other entities providing services to the plan. DOL fiduciary expectations for vendor cybersecurity also must be taken into account.
  5. Risk Management (Beyond Identification). Once risks have been identified, whether from the plan sponsor, business associates, or other sources, OCR expects organizations to:
    • Act on identified risks
    • Implement security measures proportionate to findings
  6. Documentation and Repeatability. Plans need to document and maintain the written, defensible analyses they engage in under HIPAA. That process should be updated regularly—not just after incidents.
  7. Remember HIPAA permits flexibility – not all plans are the same. Section 164.302(b) of the Security Rule provides guidance plans should keep in mind in connection with HIPAA compliance:

(1) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.

(2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors:

(i) The size, complexity, and capabilities of the covered entity or business associate.

(ii) The covered entity’s or the business associate’s technical infrastructure, hardware, and software security capabilities.

(iii) The costs of security measures.

(iv) The probability and criticality of potential risks to electronic protected health information.
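The seven steps above can be captured in a simple written risk register. The following Python sketch is an added illustration, not OCR guidance or any plan’s actual analysis: it maps ePHI locations (step 1), scores threats by likelihood and impact (steps 2–3), flags vendors holding ePHI without a documented business associate agreement (step 4), lists high risks with no planned safeguard (step 5), and emits a repeatable record (step 6). The 1–5 scoring scale, the threshold of 10, and all sample locations and threats are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Location:            # Step 1: an identified place where ePHI resides
    name: str
    custodian: str         # "plan" or the vendor / business associate holding it
    baa_on_file: bool      # is a business associate agreement documented?
    data: tuple            # categories of ePHI stored there

@dataclass
class Risk:                # Steps 2-3: one threat/vulnerability pair, scored
    location: Location
    threat: str
    likelihood: int        # assumed scale: 1 (rare) .. 5 (expected)
    impact: int            # assumed scale: 1 (negligible) .. 5 (severe)
    response: str = ""     # Step 5: planned safeguard, blank until decided

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def rank_risks(risks):
    """Highest likelihood x impact first, so remediation is prioritized."""
    return sorted(risks, key=lambda r: r.score, reverse=True)

def vendor_gaps(locations):
    """Step 4: vendors that hold ePHI with no documented BAA."""
    return [l.name for l in locations if l.custodian != "plan" and not l.baa_on_file]

def untreated(risks, threshold: int = 10):
    """Step 5: risks at or above the (assumed) threshold with no response recorded."""
    return [r for r in risks if r.score >= threshold and not r.response]

def to_register(risks):
    """Step 6: a plain, repeatable record that can be kept as written documentation."""
    return [{"location": r.location.name, "custodian": r.location.custodian,
             "threat": r.threat, "score": r.score, "response": r.response or "OPEN"}
            for r in rank_risks(risks)]

# Constructed sample data (not from the enforcement action described above).
HRIS = Location("HRIS enrollment export", "plan", True, ("names", "SSN", "DOB"))
TPA = Location("TPA claims portal", "ClaimsCo (TPA)", True, ("claims", "plan data"))
WELLNESS = Location("wellness vendor app", "WellCo", False, ("names", "health data"))
LOCATIONS = [HRIS, TPA, WELLNESS]
RISKS = [
    Risk(HRIS, "ransomware encrypting file servers", 4, 5, "offline backups, MFA"),
    Risk(TPA, "phishing of TPA staff with portal access", 3, 4),
    Risk(WELLNESS, "vendor breach of participant data", 3, 3, "contract review"),
]
```

Running `to_register(RISKS)` yields the ransomware entry first (score 20), then the TPA phishing risk (12, marked OPEN), then the vendor breach (9); `vendor_gaps(LOCATIONS)` reports the wellness vendor as the only custodian without a BAA on file.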

For plan sponsors, the message is straightforward: If your group health plan handles protected health information—and it does—then a robust, well-documented, and actively managed risk analysis is not optional. It is both a regulatory requirement and a fiduciary imperative.