HIPAA Violations: Business Associates Are Fully Accountable
- Katarzyna Celińska
- Oct 16
- 2 min read
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights recently announced a settlement with BST & Co. CPAs, LLP, an accounting and consulting firm based in New York, after a ransomware attack compromised the protected health information of more than 10,000 patients from one of its covered entity clients.

OCR found that BST failed to:
✅ Conduct an accurate and thorough risk analysis of potential risks to ePHI.
✅ Implement sufficient risk management measures to reduce those risks.
✅ Establish adequate policies and procedures required under the HIPAA Security Rule.
As a result, BST agreed to:
✅ Pay $175,000 in a financial settlement.
✅ Enter into a two-year Corrective Action Plan requiring it to conduct risk analyses, update security policies, and provide regular compliance reports to OCR.
This case reinforces that HIPAA is not just for covered entities (like hospitals, health plans, or clearinghouses). Business Associates — including consulting firms, accounting firms, IT service providers, SaaS, PaaS, and IaaS vendors — must also comply.
If a BA processes PHI, it operates under a Business Associate Agreement (BAA) and is directly responsible for:
✅ Following the HIPAA Security and Privacy Rules.
✅ Conducting ongoing risk analyses.
✅ Implementing administrative, technical, and physical safeguards to protect PHI.
OCR stressed that risk analysis is the cornerstone of HIPAA compliance. Similar to GDPR, HIPAA requires organizations to:
✅ Identify where PHI is stored and transmitted.
✅ Evaluate threats and vulnerabilities.
✅ Determine the likelihood and impact of potential risks.
✅ Implement measures to reduce risks to reasonable and appropriate levels.
If you are a Business Associate handling PHI, you cannot ignore HIPAA obligations.
Link: HHS statement
Author: Sebastian Burgemejster