HHS OCR Settles HIPAA Ransomware Security Rule Investigation

On August 18, 2025, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with a New York-based public accounting, business advisory, and management consulting firm following a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The firm is a HIPAA business associate and receives financial information that also contains protected health information (PHI) from a HIPAA-covered entity.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which require covered entities and business associates to safeguard protected health information (PHI). The Security Rule specifically mandates administrative, physical, and technical safeguards to protect electronic PHI (ePHI), including a risk analysis to assess potential threats to its confidentiality, integrity, and availability.

The settlement resolves an OCR investigation that began after the business associate submitted a breach report on February 16, 2020. The report stated that, on December 7, 2019, the organization had discovered ransomware on its network that affected the PHI of a covered entity client. OCR determined the business associate had failed to conduct an accurate and thorough risk analysis, as required under the HIPAA Security Rule.

Under the resolution agreement, the business associate agreed to pay a $175,000 monetary settlement and implement a corrective action plan, subject to OCR monitoring for two years. The plan requires the organization to take the following actions to ensure compliance with the HIPAA Security Rule:

  • Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
  • Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
  • Develop, maintain, and revise, as necessary, written policies and procedures to comply with the HIPAA Privacy and Security Rules; and
  • Augment its existing HIPAA and security training program and provide annual training for all workforce members to whom the HIPAA policies and procedures apply, including workforce members with access to PHI.

Compliance Perspective

Issue

Under HIPAA, covered entities such as healthcare providers, health plans, and healthcare clearinghouses often rely on third parties—known as business associates—to perform essential services that involve PHI. Business associates are directly subject to HIPAA and must comply with key requirements, including conducting an accurate and thorough risk analysis to identify potential threats to ePHI. This risk analysis is a foundational element of the HIPAA Security Rule and is critical to developing a risk management strategy that helps prevent or mitigate cyberthreats such as ransomware and data breaches. The HIPAA Privacy Rule permits covered entities to disclose PHI to business associates only if the parties have a written contract or other arrangement in place that provides satisfactory assurances the business associate will appropriately safeguard the information. These contracts must specify the permitted uses and disclosures of PHI, require the business associate to implement security measures to prevent misuse, and obligate the business associate to support the covered entity’s compliance efforts. If a covered entity becomes aware of a material breach or violation by a business associate, it must take reasonable steps to address the issue, terminate the contract if necessary, and report the problem to HHS if termination is not feasible.

Discussion Points

  • Review and update written HIPAA policies and procedures to ensure they clearly outline responsibilities related to risk analysis, data security, and oversight of business associates. Facilities should ensure that contracts or other written arrangements with business associates include the required provisions under HIPAA, such as the obligation to safeguard PHI and report security incidents. Policies should also address vendor evaluation, breach response protocols, and the steps to take if a business associate fails to comply with the agreement. Facilities may benefit from working with an external consultant to evaluate whether their existing documentation adequately addresses ransomware preparedness, breach response, and vendor risk management.
  • Provide regular HIPAA training to all staff with access to PHI, emphasizing how risk analysis supports security and breach prevention. Training should also include guidance on when and how PHI can be shared with outside vendors, reinforcing the importance of only disclosing information in accordance with the organization’s policies and its contracts with business associates. Med-Net Academy offers courses to support HIPAA Security Rule compliance, including HIPAA Security Rule Facility Access Controls, which covers physical safeguards to protect ePHI, and HIPAA Security Rule Security Incident Procedures, which focuses on breach response, mitigation, documentation, and reporting obligations.
  • Conduct periodic audits to verify that HIPAA-required risk analyses are being performed, documented, and used to inform security strategies. Include audits of business associate relationships, ensuring that contracts or written arrangements are in place, up to date, and enforced. Consider bringing in an outside consultant to conduct mock audits or focused reviews of high-risk areas, including business associate oversight, system access controls, and breach detection processes.

*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*