A lot of people think any mention of health information anywhere violates HIPAA. That’s not how it works. Your mom can post on Facebook about that thing the doctor helped you with that one time all she wants, because HIPAA only applies to healthcare providers, health plans, healthcare clearinghouses, and their business associates. But if your doctor posted the same thing without your authorization? That’s a HIPAA violation.
A New York CPA firm just paid $175,000 to settle a HIPAA Security Rule investigation, and its case helps explain exactly who needs to worry about healthcare privacy laws.1
Who HIPAA Actually Covers
Covered Entities: These are the obvious ones – hospitals, doctors, health insurance companies, and healthcare clearinghouses. If you’re directly providing healthcare or paying for it, you’re covered.
Business Associates: When you create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity, you become a business associate. The Security Rule applies to you directly, not just through your contract with the provider. Subcontractors that handle PHI for a business associate are business associates too.
What about everyone else? No one else is covered by HIPAA. You, your mom, your neighbor, that random guy on Twitter or LinkedIn: they can talk about your health issues all they want. It may not be civil, and there might be legitimate questions about whether someone who is covered violated HIPAA by giving them the information, but they themselves aren’t covered.
When Your Business Becomes a Business Associate
BST & Co. CPAs provides tax services to Community Care Physicians. In doing that work, BST handles financial information that contains PHI. That makes them a business associate, subject to HIPAA’s security requirements.
You become a business associate when you handle PHI for a covered entity, regardless of your industry. The regulation defines specific business associate functions and services:2
Business Associate Functions: Claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, practice management, and repricing.
Business Associate Services: Legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial services.
BST falls into this framework as an accounting firm providing financial services that involve handling PHI.
What Went Wrong at BST
BST knew it was a business associate. It had to know, because Community Care was obligated to include business associate terms in the contract.3 BST was also the party that reported the breach to OCR. The problem was that it had not conducted the required risk analysis.
On December 7, 2019, BST discovered ransomware on its network. The malware had been present since December 4, affecting systems for three days. The breach exposed PHI for about 170,000 individuals.
OCR’s investigation found that BST had failed to conduct an accurate and thorough risk analysis to identify potential risks and vulnerabilities to the PHI it handled. That’s a foundational requirement under HIPAA’s Security Rule.
What BST Has to Do Now
The settlement requires BST to implement a comprehensive corrective action plan over two years:
Risk Analysis: Map out where PHI exists in their systems, identify vulnerabilities, and document everything. This has to be updated annually and whenever systems change.
Risk Management Plan: Develop specific steps to address identified vulnerabilities with timelines for implementation.
Written Policies: Create procedures that match how the business actually operates, not generic templates.
Staff Training: Annual training that covers specific job responsibilities, not just general HIPAA awareness.
Ongoing Monitoring: Regular review of system activity, audit logs, and security incidents.
OCR’s Recommendations for Everyone
The settlement announcement included OCR’s recommendations for preventing cyber threats. These make sense whether you’re already a business associate or thinking about working with healthcare clients:
Know Where Health Information Lives: Identify how PHI enters, flows through, and leaves your information systems. You can’t protect what you don’t know about.
Conduct Regular Risk Analysis: Periodically assess and update your risk analysis. Document the security measures you implement to address identified risks.
Implement Audit Controls: Record and examine information system activity. Regular review of system activity helps catch problems early.
Authenticate Users: Use mechanisms to verify users seeking access to PHI. Not everyone needs access to everything.
Encrypt When Appropriate: Protect PHI in transit and at rest to guard against unauthorized access.
Learn from Incidents: Incorporate lessons learned from security incidents into your overall security management process.
Provide Specific Training: Give workforce members regular training that addresses their actual job duties, not just general awareness.
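The first recommendation (know where PHI lives) and the risk analysis step in the corrective action plan both start with an inventory: which files and systems actually hold PHI. The script below is an added example, not code from the original post or from BST, Community Care, or OCR. It walks a directory tree, flags files that contain identifiers that commonly travel with PHI (SSN, date of birth, medical record number), and records whether each file also carries health, treatment, or payment-for-care context, which is what turns a bare identifier into PHI. The identifier formats, the context keywords, and the sample client files are all constructed assumptions for illustration; a real scan would be tuned to the client's actual export formats.

```python
"""Added example (not from the original post): a minimal PHI discovery scan
that produces the "where does PHI live" half of a risk-analysis inventory.

It walks a directory tree, flags files containing identifiers that commonly
travel with PHI, and records whether each file also carries health, treatment
or payment-for-care context. Identifier formats, file names and contents are
constructed for illustration; none of it is BST, Community Care or OCR data.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed identifier formats. A real scan is tuned to the client's systems
# (their MRN format, claim number format, export layouts, and so on).
PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
}

# Words that tie an identifier to care or payment for care. An SSN on a
# payroll export is sensitive but is not PHI; the same SSN on a claims
# export is, because it now relates to payment for health care.
HEALTH_CONTEXT = re.compile(
    r"\b(?:patient|diagnos|treatment|claim|copay|procedure|prescription)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    path: str                      # relative to the scanned root, '/' separated
    hits: Dict[str, int] = field(default_factory=dict)
    health_context: bool = False

    @property
    def likely_phi(self) -> bool:
        """Identifiers plus health/payment context is what makes a file PHI."""
        return bool(self.hits) and self.health_context


def scan_text(text: str) -> Tuple[Dict[str, int], bool]:
    """Count identifier hits per pattern and detect health/payment context."""
    hits = {name: len(p.findall(text)) for name, p in PATTERNS.items()}
    hits = {name: n for name, n in hits.items() if n}
    return hits, bool(HEALTH_CONTEXT.search(text))


def build_inventory(root: str, extensions=(".txt", ".csv", ".log")) -> List[Finding]:
    """Return one Finding per file under root that contains any identifier."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()            # deterministic traversal order
        for name in sorted(filenames):
            if not name.lower().endswith(extensions):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                hits, ctx = scan_text(fh.read())
            if hits:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append(Finding(rel, hits, ctx))
    return findings


# Constructed sample files standing in for a CPA firm's client folders.
SAMPLE_FILES = {
    "clients/ccp/billing_2019.csv": (
        "patient_name,dob,ssn,mrn,claim_amount\n"
        "Jane Roe,03/14/1975,123-45-6789,MRN 00445512,250.00\n"
        "John Doe,11/02/1968,987-65-4321,MRN 00445513,1200.00\n"
    ),
    "clients/acme/payroll.csv": (
        "employee,ssn,wages\n"
        "Alice Smith,111-22-3333,52000\n"
    ),
    "notes/readme.txt": "Engagement notes. Nothing identifying in here.\n",
}


def make_sample_tree() -> str:
    """Write SAMPLE_FILES into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="phi_inventory_")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in build_inventory(make_sample_tree()):
        flag = "PHI" if f.likely_phi else "identifiers only"
        print(f"{f.path}: {f.hits} [{flag}]")
```

On the constructed sample, the billing export is flagged as PHI (identifiers plus patient and claim context), the payroll export is flagged as identifiers only, and the notes file produces no finding. The distinction matters for the risk analysis: the payroll file still needs protection, but the billing file is the one whose location, access controls, and encryption status must be documented under the Security Rule.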
Before You Sign That Healthcare Client
If you’re considering working with healthcare providers, understand what you’re getting into. Ask these questions:
- Will you be handling any information that identifies patients and relates to their health, treatment, or payment?
- Does the healthcare provider have a business associate agreement ready?
- Do you have the technical and administrative safeguards HIPAA requires?
- Can you conduct and maintain the required risk analysis?
Don’t wait until after you sign the contract to figure out your HIPAA obligations. The requirements are extensive, and OCR expects business associates to know what they’re doing.
The Real Lesson
BST’s $175,000 settlement shows that knowing you’re subject to HIPAA isn’t enough. You have to actually implement the required security measures.
This was OCR’s 15th ransomware enforcement action and its 10th focused specifically on inadequate risk analysis. The pattern is clear: organizations that skip foundational security steps end up facing the regulator on top of the incident itself.
If you’re already a business associate, make sure you’re actually doing the required work. If you’re thinking about becoming one, understand the obligations before you commit.
This post provides general information about HIPAA requirements and does not constitute legal advice. If you handle or plan to handle protected health information, consult with qualified legal counsel about your specific compliance obligations.
Footnotes
- Office for Civil Rights (OCR), HHS’ Office for Civil Rights Settles HIPAA Ransomware Security Rule Investigation with BST & Co. CPAs, LLP (Aug. 18, 2025), https://www.hhs.gov/press-room/hhs-ocr-bst-hipaa-settlement.html.
- 45 CFR § 160.103 – Definitions, LII / Legal Information Institute, https://www.law.cornell.edu/cfr/text/45/160.103 (last visited Aug. 19, 2025).
- 45 CFR § 164.504 – Uses and Disclosures: Organizational Requirements, LII / Legal Information Institute, https://www.law.cornell.edu/cfr/text/45/164.504 (last visited Aug. 19, 2025).