In Brief: OCR’s Recommendations for HIPAA Covered Health Care Providers
On August 18, 2025, the Office for Civil Rights (“OCR”) announced a settlement with BST & Co. CPAs, LLP (“BST”) over alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule. BST, a New York public accounting and consulting firm, serves as a HIPAA business associate by receiving financial data containing protected health information (“PHI”). The enforcement action brought by OCR stemmed from a ransomware attack discovered in December 2019, which impacted the PHI of BST’s covered entity client.
The HIPAA Security Rule sets forth certain national standards intended to protect the confidentiality, integrity, availability, and security of electronic protected health information (“ePHI”) by requiring administrative, physical, and technical safeguards. Among these provisions is a risk analysis requirement, under which regulated organizations like BST must conduct an accurate and thorough assessment of potential risks to and vulnerabilities of ePHI. OCR’s investigation revealed that BST failed to conduct a sufficient risk analysis, a foundational requirement under the HIPAA Security Rule. To resolve the matter, BST agreed to pay $175,000 and implement a corrective action plan requiring, among other measures, a complete risk analysis, a risk management plan, revised policies and procedures, and increased workforce training.
In connection with this settlement, OCR reiterated several key recommendations for covered health care providers and other regulated entities to mitigate or prevent cyber-threats to ePHI. First, organizations should identify where ePHI resides within their systems and understand how it flows into, through, and out of their information systems. Regular and updated risk analyses are critical, and any identified risks and vulnerabilities must be addressed through targeted risk management strategies. OCR further emphasized the necessity of technical safeguards, including audit controls to monitor system activity, authentication protocols for user access, and encryption of ePHI both at rest and in transit. Beyond technical measures, OCR advises continuous review of system activity, incorporation of lessons learned from past incidents into the overall security management process, and workforce HIPAA training tailored to organizational roles and responsibilities.
To protect the confidentiality, integrity, availability, and security of ePHI, HIPAA compliance must be ongoing, systematic, and proactive. If you or your business may be affected, please contact Kessler Collins to assist you in navigating these challenges and protecting your interests.