
If you thought HIPAA only applied to big hospitals and medical groups swimming in patient data, think again. In this episode, we uncover how just one record with PHI can infect your organization with full-blown HIPAA responsibilities — no vaccine required. We dive into a juicy enforcement case featuring a CPA firm that got hit with a ransomware attack and a $175K HIPAA oopsie, all because someone skipped their security risk analysis. Spoiler: ignorance is not immunity.
In this episode:
OCR Tags CPA Firm for HIPAA Failures – Ep 524
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcasts. Share us on social media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
When you see a pair of numbers in brackets on the left side of the text below, click it to go directly to that part of the audio. Get the best of both worlds, from the show notes to the audio and back!
Recent updates to HHS FAQs:
[03:00]OCR Tags CPA Firm for HIPAA Failures
[06:09]Settlement Marks OCR’s 15th Ransomware Enforcement Action and 10th Enforcement Action in OCR’s Risk Analysis Initiative
This one is interesting because not only is it with a BA, it is with a CPA firm BA. BST is a full-service regional CPA and advisory firm based in New York's Capital Region. Their website shows more than 100 professionals, including CPAs, valuation experts, and consultants. They cover areas like:
- Accounting, audit, and tax
- Business & asset valuations
- Forensic accounting & litigation support
- Outsourced accounting and HR services
So, definitely not a “two guys in a strip mall office” situation — more like a well-established professional firm that most of us would expect to be able to handle these requirements properly. That makes OCR’s point even sharper: size and sophistication don’t excuse skipping the basics like a risk analysis.
The basic details of the situation:
- Ransomware incident: occurred back in December 2019 (so OCR is still working these old cases and the new ones).
- 170,000 patients impacted – that’s not a stray spreadsheet, that’s a serious exposure.
- Settlement terms: $175,000 payment + a 2-year corrective action plan (CAP) with risk analysis, risk management, policies, training, and monitoring.
OCR Director Paula Stannard’s quote for this one:
“A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it. Completing an accurate and thorough risk analysis that informs a risk management plan is a foundational step to mitigate or prevent cyberattacks and breaches.”
The "foundational step" point is the one we most often find people don't get. They put safeguards in place but never do the analysis that tells them where their ePHI actually lives, whether those safeguards are applied in the right places, or whether the risks they face call for more than what they are already doing. Safeguards chosen without a risk analysis are a guess; the analysis is what turns them into a risk management plan.
HIPAA Is Contagious: Just a Touch of PHI and You’re In
[11:39] The settlement says BST was receiving PHI for tax prep and planning. It is not clear why that was necessary, since many CPA firms manage healthcare clients without ever touching PHI. Some CPA firms make it their mission to avoid PHI completely, and they succeed. Either BST didn't draw that line, or the settlement leaves out details about why PHI was involved.
That brings us to the real point this settlement highlights.
- When business associates ignore or downplay HIPAA, the risk ripples outward to their clients.
- In this case, lawsuits name both the CPA firm and Community Care Physicians, showing how a BA’s failure drags the covered entity into legal battles too.
- Those ripples can grow into a tsunami, especially when the BA is part of a client’s critical supply chain.
- This settlement is a reminder that HIPAA obligations travel through the supply chain, and ignoring them creates shared liability.
When we talk with groups about managing their business associates, we stress that it is not enough to just sign a BAA and move on. You also need to look closely at the SLA and the terms of the BAA. Those agreements should give you the right to vet your BA's HIPAA compliance program as thoroughly and as often as you need to, and the BA should be able to show you evidence, such as a current risk analysis and risk management plan, rather than just a signature. Just as important, the agreements should make clear that if the BA fails the way we see in this case, the BA is on the hook for the costs of the breach and for any related legal issues.
This case is a reminder that HIPAA doesn’t just apply to hospitals and doctors. Business associates of every size and industry are in the line of fire too. When a CPA firm gets pulled into a ransomware settlement, it shows how contagious HIPAA really is. The ripples from a BA failure can turn into a tsunami, dragging their clients along with them. So whether you are a covered entity or a business associate, take the risk analysis seriously, know what’s in your contracts, and make sure you are not the weak link in someone else’s supply chain.
If this episode gave you the sudden urge to check your risk analysis (or finally do one), you’re not alone — and that instinct might just save your bacon. Today’s tale made one thing crystal clear: HIPAA doesn’t care if you’re a CPA, an MSP, or the llama groomer down the street. One PHI-laced file and boom, you’ve got the compliance cooties. Skipping a proper risk analysis is like skipping pants on a Zoom call — risky, and eventually, someone will notice. And trusting vendors without asking the hard questions? That’s how regulatory horror stories are born. HIPAA isn’t just contagious… it’s persistent. Mask up with policy, training, and documentation before it’s your turn in the OCR spotlight.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance, it's about patient care.™
Special thanks to our sponsors Security First IT and Kardon.