HHS Reaches $175,000 Settlement With New York Accounting Firm Over HIPAA Violations

WASHINGTON, D.C. — The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) this week reached a $175,000 settlement with BST & Co. CPAs, LLP, a New York-based public accounting and consulting firm, over potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

The case stems from a December 2019 ransomware attack that exposed protected health information (PHI) belonging to a client of BST, which operates as a HIPAA business associate. The firm reported the incident in February 2020, prompting OCR to launch an investigation. Regulators determined that BST had not conducted the required risk analysis to evaluate threats to the confidentiality, integrity, and availability of electronic PHI (ePHI).

OCR Director Paula M. Stannard emphasized that such risk assessments are a cornerstone of HIPAA compliance. “A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it,” Stannard said. “Completing an accurate and thorough risk analysis that informs a risk management plan is a foundational step to mitigate or prevent cyberattacks and breaches.”

As part of the settlement, BST will adopt a two-year corrective action plan overseen by OCR. The firm has agreed to:

  • Conduct a comprehensive risk analysis of its systems,
  • Develop and implement a risk management plan,
  • Establish updated written policies and procedures aligned with HIPAA requirements, and
  • Enhance its HIPAA and cybersecurity training program with mandatory annual sessions for employees handling PHI.

The OCR also urged health care providers, health plans, clearinghouses, and business associates to strengthen their cyber defenses. Recommendations include regular risk analyses, audit controls, encryption of ePHI, user authentication mechanisms, and ongoing workforce training.

The settlement highlights the increasing regulatory focus on cyber risks in healthcare, where ransomware and other attacks pose a persistent threat to sensitive medical data.