HIPAA compliance

HIPAA compliance still matters in 2025.

Yesterday, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with BST & Co. CPAs, LLP (“BST”), a New York public accounting and management consulting firm, concerning a potential violation of the HIPAA Security Rule.

BST is a HIPAA business associate and receives financial information that also contains protected health information (PHI) from its HIPAA covered entity customers.

The settlement requires BST to pay $175,000 and implement corrective actions.

The Risk Analysis Initiative

Risk analysis is fundamental to HIPAA compliance. Today, risk analysis is at the heart of HIPAA enforcement.

This settlement with BST marks OCR’s 15th Ransomware Enforcement Action and 10th Enforcement Action in OCR’s Risk Analysis Initiative.

The OCR Risk Analysis Initiative began in November 2024. OCR is focused on enforcing and promoting risk analysis and risk management as required under the HIPAA Security Rule.

OCR’s enforcement emphasizes the need for covered entities and business associates to conduct accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).

According to OCR director Paula Stannard on August 18, 2025:

“A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it. Completing an accurate and thorough risk analysis that informs a risk management plan is a foundational step to mitigate or prevent cyberattacks and breaches.”

Ransomware Leads to a Breach

The settlement resolves OCR’s investigation of BST, which began after BST filed a breach report on February 16, 2020. BST reported that on December 7, 2019, it had discovered that part of its network was infected with ransomware, affecting the PHI of its covered entity client.

OCR’s investigation found that BST had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by BST.

Under the terms of the resolution agreement, BST agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $175,000 to OCR.

Under the corrective action plan, BST has agreed to take a number of steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI, including:

  • Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
  • Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
  • Develop, maintain, and revise, as necessary, written policies and procedures to comply with the HIPAA Privacy and Security Rules; and
  • Augment its existing HIPAA and security training program and provide annual training for all workforce members to whom the HIPAA policies and procedures apply, including workforce members with access to PHI.

The HIPAA E-Tool® Solves Risk Analysis

The HIPAA E-Tool® is the fastest and most cost-effective way to complete a HIPAA risk analysis that meets OCR’s requirements.

The Security Rule Checklist in the E-Tool guides you through the Security Rule safeguards in a logical, easy-to-understand way. It also guides you in creating an inventory of PHI locations, tracking business associate agreements and workforce training, and making decisions about threats and vulnerabilities. With interactive fillable forms you can save and archive, it puts all of your work in one place where you can revise, improve, and complete the process in your own time.

The E-Tool creates a risk management plan drawn from your answers, and documents everything you’ve done so you can prove your compliance if investigated or audited.
