Theresa Defino reports:
Covered entities (CEs) and business associates (BAs) might be forgiven if the most recent HHS Office for Civil Rights (OCR) HIPAA enforcement action evoked little more than a yawn. Yes, the $175,000 payment isn’t a particularly large amount, and the sole alleged violation is a retread. Actually, it’s the 10th in OCR’s Risk Analysis Initiative, and at least the 15th to have involved ransomware.
But the settlement has some unusual aspects, RPP has learned—not the least of which is that the BA at issue is an accounting firm, an apparent first for OCR. In addition, Community Care Physicians (CCP) of New York had nothing but nice things to say to RPP about BST & Co. CPAs LLP, the firm whose protected health information (PHI) was breached in 2019. The fact that the two never broke up offers a plethora of compliance lessons in an era where most believe it’s a question of when, not if, a breach will happen, and so they’re likely to face the same dilemma.
Read more at JDSupra
This article originally appeared in Report on Patient Privacy 25, no. 9 (September, 2025)