The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has reached a $175,000 settlement with BST & Co. CPAs, LLP, a New York-based accounting and business advisory firm. The settlement resolves potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule that OCR identified while investigating a ransomware attack affecting electronic protected health information (ePHI) held by the firm.

BST & Co. reported the ransomware breach to OCR on February 16, 2020, indicating that the incident occurred on December 7, 2019. The attack compromised patient data belonging to one of the firm’s covered entity clients; because BST handles ePHI on behalf of covered entities, it is itself bound by the Security Rule as a business associate. OCR’s investigation found that BST had not conducted an accurate and thorough risk analysis of its ePHI, a Security Rule requirement (45 CFR 164.308(a)(1)(ii)(A)) that underpins every other safeguard: an organization that does not know where its ePHI resides and what threatens it cannot choose, or justify, the controls needed to protect it.

According to Paula M. Stannard, OCR Director, “A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it.” She emphasized that an accurate risk analysis is a foundational step in preventing cyberattacks and breaches.

Settlement Details and Future Compliance

Under the settlement agreement, BST has committed to pay $175,000 and to implement a corrective action plan that OCR will monitor for two years. The plan includes the following commitments:

– Conducting an accurate and thorough risk analysis of the threats and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
– Developing and implementing a risk management plan that reduces the identified risks to a reasonable and appropriate level.
– Establishing, and updating as needed, written security policies and procedures that comply with HIPAA.
– Expanding HIPAA and cybersecurity training programs, including mandatory annual training for all employees who handle PHI.

These actions aim to strengthen the firm’s security posture and ensure compliance with HIPAA requirements.

Broader Implications and Recommendations

The settlement highlights OCR’s ongoing commitment to enforcing HIPAA compliance, particularly in light of increasing cybersecurity threats within the healthcare sector. The ransomware incident affecting BST underscores that a documented, organization-wide risk analysis is not a paperwork exercise: it is the step that determines whether an organization knows what it must protect before an attacker finds out for it.

In conjunction with the settlement announcement, OCR has encouraged all HIPAA-covered entities and business associates to adopt enhanced cybersecurity practices. Recommended measures include:

– Mapping where ePHI is stored, transmitted, and accessed across all organizational systems, so that nothing is omitted from the risk analysis.
– Regularly conducting and updating risk analyses, and following each one with concrete risk management steps.
– Implementing audit controls and routinely reviewing system activity, so that unauthorized access to ePHI is detected rather than discovered only after an attack.
– Enforcing user authentication and encrypting ePHI both in transit and at rest.
– Integrating lessons learned from past security incidents into the organization’s overall security strategy.
– Providing ongoing, role-based HIPAA security training tailored to the duties of each part of the workforce.

As cybersecurity threats continue to evolve, the importance of robust security measures and compliance with federal regulations cannot be overstated. Organizations must prioritize the safeguarding of protected health information to prevent breaches and protect patient trust.