"Covered entities (CEs) and business associates (BAs) might be forgiven if the most recent HHS Office for Civil Rights (OCR) HIPAA enforcement action evoked little more than a yawn. Yes, the $175,000 payment isn't a particularly large amount, and the sole alleged violation is a retread. Actually, it's the 10th in OCR's Risk Analysis Initiative, and at least the 15th to have involved ransomware."
"But the settlement has some unusual aspects, RPP has learned, not the least of which is the BA at issue is an accounting firm, an apparent first for OCR. In addition, Community Care Physicians (CCP) of New York had nothing but nice things to say to RPP about BST & Co. CPAs LLP, the firm whose protected health information (PHI) was breached in 2019. The fact that the two never broke up offers a plethora of compliance lessons in an era where most believe it's a question of when, not if, a breach will happen, and so they're likely to face the same dilemma."
A $175,000 OCR HIPAA settlement arose from a 2019 protected health information breach involving ransomware and repeated risk-analysis shortcomings. The enforcement action is the 10th in OCR's Risk Analysis Initiative and at least the 15th tied to ransomware, demonstrating persistent vulnerabilities among covered entities and business associates. The business associate in this case was an accounting firm, an apparent first in OCR enforcement. Community Care Physicians of New York retained a positive relationship with the accounting firm despite the breach. The continued partnership underscores compliance dilemmas when breaches are widely viewed as a matter of when, not if.
Read at DataBreaches.Net