Is Your Employer Health Plan Next for A HIPAA Corrective Action Plan?
- Published
- May 8, 2026
Key Takeaways
- HHS and SG Health Plan reached a $245,000 settlement and two-year corrective action plan after a data breach exposed unauthorized access to protected health information.
- The enforcement action targeted the employer-sponsored group health plan directly, not the third-party administrator or physician practice, signaling that OCR holds plan sponsors accountable.
- The primary violation was the plan's failure to conduct a comprehensive risk analysis as required by the HIPAA Security Rule.
- Employers that sponsor fully insured plans are not exempt from HIPAA obligations and should designate privacy and security officials, train their workforce, and manage business associate agreements.
- This case is part of OCR's broader Risk Analysis Initiative, which has produced multiple enforcement actions and combined settlements approaching $1 million since October 2024.
- All employers sponsoring group health plans should revisit their HIPAA obligations, regardless of plan size or funding method.
What Happened with the SG Health Plan Settlement?
This past January, the Department of Health and Human Services, Office for Civil Rights (HHS), and Star Group, L.P. Health Benefits Plan (SG Health Plan) entered into a $245,000 settlement and a two-year corrective action plan for various violations of HIPAA. This case is unusual because it was brought directly against an employer-sponsored group health plan rather than a physician practice. While most employers would find paying such a settlement unpalatable, they would find having HHS camped on their doorstep for two years equally unnerving.
The case arose after the plan filed a breach incident notification with plan participants, following a data breach that granted unauthorized access to protected health information. The unauthorized access stemmed primarily from SG Health Plan's failure to perform a comprehensive risk analysis.
Why Was the Employer Health Plan Held Responsible?
Too often, we are told nonchalantly that "my broker or third-party administrator addresses all HIPAA concerns." In this instance, it was the health plan that paid the settlement and the plan sponsor that now has HHS as a two-year tenant. These steps are just the beginning of the journey towards:
- Does your risk analysis evaluate the risks of electronic Protected Health Information (ePHI) on all your electronic equipment, data systems, and applications controlled, administered, or owned by your health plan that contain, store, transmit, or receive ePHI?
- Have you reviewed the current security measures and levels of risk to your ePHI associated with your network infrastructure, vulnerability scanning, logging and alerts, and patch management?
What Should Fully Insured Plan Sponsors Do?
If you are an employer that sponsors a fully insured health plan, you may be quick to say that you take a “hands-off” approach to accessing or managing PHI. However, this simple answer does not satisfy your HIPAA obligations. For instance:
- Have you provided workforce training on maintaining the minimum necessary standard?
- Do you have a designated privacy and security official for the plan?
- Are you managing your Business Associate Agreements with your plan vendors, such as your COBRA administrator?
- Has the plan conducted a risk analysis to ensure that there is no access to ePHI?
How Should Employers Revisit HIPAA Compliance?
Regardless of the size of your company’s health plan or the method of funding, now is the time to revisit HIPAA compliance. Start with a comprehensive risk analysis that inventories every system containing ePHI and evaluates your current security controls.
Review your business associate agreements, confirm your privacy and security officials are designated, and verify that your workforce training is current. Don’t find yourself the subject of a corrective action plan. Contact your EisnerAmper advisor to discuss your health plan's HIPAA compliance posture and identify gaps before a regulator does.