
HIPAA Risk Analysis Failures Keep OCR’s Crosshairs on Business Associates

August 25, 2025
Photo 133406131 / Cybersecurity © Stevanovicigor | Dreamstime.com

Jasmine Harris, Contributing Editor

The recent enforcement action against BST & Co. CPAs, LLP underscores a sharpened federal focus on business associates that fall short of HIPAA Security Rule compliance, especially when ransomware is involved. The $175,000 settlement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) marks the agency’s 15th ransomware-related HIPAA action and the 10th to fall under its ongoing Risk Analysis Initiative.

The message is not subtle: failure to conduct a rigorous, up-to-date risk analysis is no longer a procedural oversight. It is a regulatory liability, one that business associates can no longer afford to ignore.

Business Associates as Security Laggards

OCR’s investigation into BST began following a 2019 ransomware incident that compromised protected health information (PHI) that BST held on behalf of at least one covered entity client. The breach report triggered OCR’s standard post-incident investigation, which found that BST had not conducted an accurate and thorough risk analysis of the risks to the confidentiality, integrity, and availability of its ePHI, a baseline requirement of the HIPAA Security Rule (45 CFR § 164.308(a)(1)(ii)(A)).

Business associates, though often outside direct clinical delivery, play critical roles in handling electronic protected health information (ePHI). Yet these organizations frequently underestimate their risk exposure. A 2023 report from HIMSS found that only 54% of business associates conduct annual security risk assessments, compared to 77% of covered entities. This disparity has created a blind spot in HIPAA compliance, and a growing vulnerability in the broader healthcare data ecosystem.

OCR’s enforcement pattern reflects this concern. Over the past three years, an increasing share of settlements and corrective action plans have involved business associates whose internal security programs were outdated, incomplete, or functionally nonexistent. The agency’s Risk Analysis Initiative explicitly targets this weakness, and organizations like BST are now finding themselves unprepared for the scrutiny.

Risk Analysis: A Procedural Form, or a Strategic Function?

The OCR’s resolution agreement with BST outlines a series of familiar remediation steps: comprehensive risk analysis, a documented risk management plan, updated policies and procedures, and workforce training. What’s notable is how routine these requirements are. None represent advanced or emerging best practices. They are foundational elements of HIPAA compliance, and yet they are still not universally implemented.

This gap between expectation and execution points to a deeper problem: many business associates continue to treat HIPAA as a compliance exercise, not a security strategy. The risk analysis is often performed episodically, delegated to external consultants, or conducted using outdated frameworks. Once completed, its results are shelved rather than operationalized into ongoing risk management.

But ransomware doesn’t wait for audits. Cybercriminals exploit the very inertia that HIPAA was designed to interrupt. A 2024 analysis by the U.S. Government Accountability Office (GAO) found that most healthcare ransomware incidents exploited unpatched systems, misconfigured networks, or outdated access controls, all threats that a meaningful risk analysis would flag.

The lesson for business associates is clear: risk analysis must be continuous, embedded, and linked to actual mitigation—not just documentation.

Regulatory Pressure and Industry Implications

OCR’s action against BST reflects a larger shift in regulatory posture. Settlements are no longer reserved for egregious or high-profile breaches. Instead, the agency is building a pattern of enforcement that holds even mid-sized vendors accountable for basic security hygiene.

At the same time, HHS is signaling that HIPAA enforcement is no longer just reactive. It is becoming a forward-facing regulatory mechanism aimed at improving systemic resilience across healthcare data environments. This evolution aligns with broader cybersecurity efforts from agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST), which have emphasized continuous risk assessment and stakeholder collaboration.

This also creates significant implications for covered entities. Business associates have been directly liable for Security Rule compliance since the HITECH Act and the 2013 Omnibus Rule, but covered entities still carry their own obligations: they must obtain satisfactory assurances, through business associate agreements, that a vendor will appropriately safeguard ePHI, and a covered entity that knows of a pattern of noncompliance by a business associate and fails to take reasonable steps to cure it (or to end the relationship) is itself in violation. As enforcement tightens, due diligence expectations will rise accordingly. Vendor risk management must now include documented review of a vendor’s HIPAA risk analysis and risk management plan, formal audits, and periodic security attestations rather than a one-time contract signature.

From Breach Response to Breach Prevention

While BST’s settlement is modest compared to some multi-million-dollar enforcement actions, it reinforces a clear regulatory trend: compliance is no longer presumed from the existence of policies on paper. When a breach occurs, OCR now looks for evidence that the required risk analysis was actually performed and that the risks it identified were actually reduced.

That pivot, from documenting compliance to demonstrating prevention, is subtle but consequential. It forces healthcare organizations to translate risk awareness into risk reduction. This includes not only annual audits and training updates, but also architectural changes in how PHI systems are monitored, segmented, and protected.

For business associates, especially those in financial consulting, claims processing, and software development, the signal from OCR is especially pointed: HIPAA responsibilities are not contingent on proximity to clinical care. They are universal. Ransomware actors do not differentiate between covered entities and business associates, and neither will regulators.

Building Compliance Competence as a Strategic Advantage

The healthcare sector’s cybersecurity posture remains fragmented. Sophisticated hospital systems coexist with small subcontractors that carry the same Security Rule obligations but a fraction of the security resources. As regulatory enforcement becomes more assertive, organizations that treat compliance as a strategic discipline, not a checklist, will fare best.

Investing in comprehensive, continuously updated risk analysis not only meets OCR expectations but can also drive operational efficiency. Identifying redundant systems, legacy vulnerabilities, and policy gaps often reveals opportunities for modernization, consolidation, and cost savings.

More importantly, compliance competence builds trust with partners, patients, and regulators alike. In an environment where healthcare ransomware attacks are growing in both frequency and severity, transparency and preparedness are becoming key differentiators.

The OCR’s enforcement action against BST is a template. Healthcare vendors and partners should take note: compliance failures are no longer private matters, and OCR is no longer waiting for catastrophic breaches before stepping in.