
Many corporate leaders and HR professionals have long viewed HIPAA compliance as a concern mainly for hospitals and doctors’ offices, assuming that the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) had higher priorities.
That changed in 2026: OCR is now investigating, and settling with, employer-sponsored health plans.
On April 23rd, HHS and OCR sent a clear message to the corporate world: employer-sponsored health plans must comply with HIPAA or face investigations and fines. The settlement with the Star Group, L.P. Health Benefits Plan (SG Health Plan) is a case study in why employer-sponsored plans must treat HIPAA compliance with the same rigor as any other covered entity.
The settlement has far-reaching effects for employers nationwide. An estimated 60% of people under 65 in the United States have employer-sponsored health insurance.
That means many employers outside the healthcare sector have HIPAA responsibilities they may not have recognized. An employer that offers health benefits acts, in its fiduciary capacity as plan sponsor, on behalf of the plan, and in that capacity must ensure that the health plan complies with HIPAA.
Employer-sponsored group health plans, whether self-funded or fully insured, have always been covered entities under HIPAA, but this is the first OCR enforcement action against such a plan.
The Star Group Settlement: A Closer Look
OCR announced a $245,000 settlement with the Star Group, L.P. Health Benefits Plan after a ransomware attack compromised the protected health information (PHI) of 9,316 individuals.
Sensitive data stolen included Social Security numbers, claims, and benefits information.
OCR’s investigation into Star Group revealed two critical failures that are common among health plan sponsors:
- Impermissible Disclosure: the attack resulted in PHI being disclosed to unauthorized actors.
- Failure to Conduct Risk Analysis: the plan had not performed an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic PHI (ePHI).
The Star Group settlement was one of four ransomware-related resolutions announced together, totaling over $1.1 million in settlement payments. These cases underscore a troubling trend in the large breaches reported to OCR.
As noted by OCR Director Paula M. Stannard:
“Hacking and ransomware are the most frequent type of large breach reported to OCR. Proactively implementing the HIPAA Security Rule before a breach or an OCR investigation not only is the law but also is a regulated entity’s best opportunity to prevent or mitigate the harmful effects of a successful cyberattack.”
Health Plans Are Soft Targets for Ransomware
Weaker Security
Ransomware is the dominant cyber threat to the healthcare sector, and cybercriminals realize that health plans often have a weaker security posture than other covered entities.
Valuable Data
Health plans hold a gold mine of data. Because they often cover family members, the number of records is a multiple of the number of covered employees. Moreover, a health plan’s database offers a full view of a person’s life – every prescription, every specialist visit, and every surgical procedure. For cybercriminals, this data is highly profitable on the dark web.
Furthermore, many health plan sponsors – the employers themselves – fail to recognize that the moment they establish a self-funded health plan, they create a “covered entity” under federal law. That entity is legally distinct from the company’s manufacturing or service operations, yet it is often managed by the same HR team and protected by the same general corporate IT security, which may not meet the specific technical safeguards the HIPAA Security Rule requires.
The Sponsor Trap: Misunderstanding Legal Responsibility
One of the most dangerous myths in corporate benefits is that a Third-Party Administrator (TPA) or a broker assumes all HIPAA risk. The 2026 settlement with Consociate Health (Consociate), a business associate that paid $225,000 in the same enforcement group, shows that vendors are liable in their own right, but that the Plan Sponsor cannot delegate its primary responsibility.
The “Plan Sponsor” is the employer that establishes and maintains the employee benefit plan. The employer acting as an employer is generally not covered by HIPAA; the employer acting as Plan Sponsor takes on HIPAA obligations on behalf of the plan.
If a breach occurs at the plan level, OCR will not look only at the TPA; it will also ask whether the health plan itself conducted its own risk analysis and whether the Plan Sponsor had a Business Associate Agreement (BAA) with the TPA.
The Cost of Risk Analysis Failure
The most common thread across the 2026 settlements, including Star Group, Consociate, Axia Women’s Health ($320,000), and Assured Imaging ($375,000), was the failure to conduct a “thorough and accurate risk analysis.”
Many organizations mistake a “gap analysis” or a routine IT audit for a HIPAA Risk Analysis. A true Risk Analysis, as required by 45 CFR § 164.308(a)(1)(ii)(A), must account for every location where the plan creates, receives, maintains, or transmits ePHI, including every “nook and cranny” where it might be stored. For a health plan, this includes:
- Spreadsheets on HR laptops containing enrollment data.
- Emails sent to brokers regarding high-dollar claims.
- Data stored in the cloud by benefit consultants.
- Legacy files from previous plan years.
Without a documented risk analysis, an organization is already in violation of the Security Rule, breach or no breach, and OCR treats the omission accordingly. You cannot manage a risk you haven’t identified, and OCR has made it clear that “we didn’t know the data was there” is not a valid legal defense.
Actionable Steps for Health Plan Sponsors in 2026
The Star Group enforcement action offers several key takeaways for health plan sponsors. To stay out of the next HHS press release, focus on these essential steps:
- Establish a HIPAA Firewall
Ensure there is a clear legal, organizational, and physical separation between the company’s general business functions and the health plan’s functions. PHI held by the plan must not be used for employment-related decisions about an employee. Employees who handle PHI must receive HIPAA-specific training, not just general data privacy training.
- Conduct a Comprehensive Risk Analysis
Don’t wait for a ransomware attack to expose your vulnerabilities. Conduct a HIPAA-specific risk analysis that follows NIST risk-assessment guidance (OCR’s own risk analysis guidance points to NIST SP 800-30). Document the findings and, more importantly, the steps you take to mitigate the risks you find.
- Review and Refresh Business Associate Agreements (BAAs)
As the Consociate settlement shows, business associates are a major source of risk. Ensure you have a current BAA with every vendor that handles plan PHI, including brokers, TPAs, and wellness program providers. Those agreements should spell out the vendor’s security obligations, including ransomware protections, and require timely breach notification to the plan.
- Implement Technical Safeguards
OCR specifically recommends multi-factor authentication (MFA), encryption of data at rest and in transit, and regular review of information system activity (audit logs, access reports, and security incident tracking). If your health plan portal or HR database doesn’t require MFA, you are leaving the door open to ransomware criminals.
Each of these steps is easy to complete with the health plan edition of The HIPAA E-Tool®. Its policies, forms, and procedures are specifically written for health plans, with clear explanations of the covered entities (e.g., health insurance issuers, HMOs, and group health plans) and business associates (e.g., third-party administrators and health insurance brokers) involved in health plans.
A New Standard of Care
The 2026 Star Group settlement marks a turning point. OCR is no longer merely “educating” the industry; its Risk Analysis Initiative holds employer-sponsored health plans to the same standard as other covered entities. For health plan sponsors, HIPAA compliance can no longer be a footnote in an HR manual.
The $245,000 paid by Star Group is just the tip of the iceberg. When you add the costs of a two-year Corrective Action Plan (CAP), legal fees for the investigation, credit monitoring for 9,000+ individuals, and the irreparable damage to employee trust, the total cost of non-compliance is staggering.
The key takeaway: HIPAA compliance is not optional for health plan sponsors. Protecting employees’ health data is essential to maintaining trust and fulfilling fiduciary duties.

