26 August, 2025

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has reached a settlement with BST & Co. CPAs, LLP, a New York-based accounting and business advisory firm, over violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The firm has agreed to pay $175,000 following a ransomware incident that compromised protected health information (PHI) of one of its clients.

The matter came to light when BST reported a security breach on February 16, 2020. The attack had occurred on December 7, 2019, when ransomware infiltrated part of its network, affecting client PHI. OCR’s investigation found that BST had not conducted the comprehensive risk analysis required to identify vulnerabilities in its electronic protected health information (ePHI) systems.

Investigation Findings

OCR’s investigation revealed that BST did not perform an “accurate and thorough” assessment of potential security risks as mandated by HIPAA’s Security Rule. According to Paula M. Stannard, OCR Director, “A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it.” She emphasized that completing a thorough risk analysis is fundamental for developing a risk management plan, crucial for mitigating cyberattacks.

The breach highlights the importance of security compliance in both the healthcare and financial sectors, as organizations increasingly face sophisticated cyber threats. OCR’s enforcement actions serve as a reminder of the critical need for businesses to protect sensitive health data.

Settlement Terms and Future Compliance

As part of the resolution agreement, BST will implement a comprehensive corrective action plan and remain under OCR monitoring for two years. This plan includes several key components:

– Conducting a full risk analysis to evaluate threats and vulnerabilities to ePHI.
– Developing and executing a risk management strategy to mitigate identified risks.
– Establishing and maintaining updated HIPAA-compliant security policies and procedures.
– Expanding HIPAA and cybersecurity training programs, including mandatory annual training for all employees handling PHI.

In light of the settlement, OCR has urged all HIPAA-covered entities and business associates to enhance their cybersecurity practices. Recommended actions include mapping where ePHI is stored, conducting periodic risk analyses, implementing audit controls, and using encryption to secure data both in transit and at rest.

The settlement with BST & Co. underscores OCR’s commitment to enforcing HIPAA compliance, particularly as the healthcare sector experiences an increase in cybersecurity threats. Organizations must recognize the consequences of insufficient security risk assessments and take proactive measures to protect sensitive patient data.