OCR Enforcement
An Accounting Firm Just Paid a HIPAA Fine: BST and Co. CPAs and What It Means for Professional Services Firms
TL;DR
BST and Co. CPAs, LLP, a New York public accounting and business advisory firm, settled with OCR following a 2020 ransomware attack that encrypted PHI received from a healthcare covered entity client. The settlement marks OCR's 15th ransomware enforcement action and 10th Risk Analysis Initiative action. The case demonstrates that HIPAA liability extends to accounting firms, law firms, consultants, and any other professional services provider that receives PHI from healthcare clients.
BST and Co. CPAs, a New York public accounting firm, settled with OCR for a ransomware breach affecting patient financial data. The case is a warning for every professional services firm that handles healthcare client data.
The accounting profession does not typically associate itself with HIPAA enforcement. Accountants think about tax compliance, audit standards, and financial regulations — not healthcare privacy law. The BST & Co. CPAs settlement is a reminder that for any firm that handles healthcare client data, that assumption is wrong.
What happened
BST & Co. CPAs, LLP is a New York public accounting, business advisory, and management consulting firm. BST is a HIPAA business associate and receives financial information that also contains protected health information from a HIPAA covered entity.
The settlement resolves an investigation of BST that OCR initiated after receiving a breach report that BST filed on February 16, 2020. The breach was a ransomware attack — malicious software that encrypted data on BST's systems, including PHI received from the firm's healthcare client.
OCR's investigation found what it finds in virtually every Risk Analysis Initiative case: BST had failed to conduct an accurate and thorough risk analysis covering the ePHI it held, as required by 45 CFR §164.308(a)(1)(ii)(A). Without that analysis, BST could not have known what vulnerabilities existed in the systems handling its healthcare client's patient data — and therefore could not have implemented controls to address them.
The settlement marks OCR's 15th ransomware enforcement action and 10th enforcement action in OCR's Risk Analysis Initiative.
Why professional services firms are business associates
The HIPAA definition of a business associate is broader than most professional services firms realize. A business associate is any person or entity that creates, receives, maintains, or transmits protected health information on behalf of a covered entity in the course of performing services for that covered entity (45 CFR §160.103).
This definition captures:
- Accounting firms — that audit healthcare organizations and access patient financial data, or that provide tax advisory services to health plans that involve analysis of member financial information.
- Law firms — that represent healthcare clients in litigation, regulatory matters, or transactions and in doing so access patient records or medical information.
- IT consultants and managed service providers — that manage technology systems for healthcare organizations and have access to systems containing ePHI.
- Management consultants — that analyze operational data for healthcare clients, including data that contains patient identifiers.
- HR and benefits administrators — that manage healthcare employee benefit plans and process claims data.
The BST settlement confirms that accounting firms that handle PHI as part of their client service are not in a gray area. They are business associates. They are directly and fully subject to HIPAA's Security Rule. And when their systems are breached, OCR will investigate whether they conducted the required risk analysis.
The ransomware pattern
The BST breach is part of a consistent pattern in OCR's enforcement record. Ransomware attacks succeed because they find vulnerabilities — unpatched software, weak access controls, inadequate network segmentation — that a proper risk analysis would have identified and that a risk management plan would have required the organization to address.
Regardless of how the breach occurred — ransomware, phishing, unauthorized access — the common thread across OCR's enforcement actions is that the organization had not conducted a compliant risk analysis before the incident. The risk analysis is not just a regulatory checkbox. It is the foundation that everything else is built on. You cannot manage risks you have not identified.
For professional services firms, this pattern has a specific implication. The firm's primary security infrastructure is built to protect client financial data, legal documents, and business records — not patient health information. PHI that arrives as part of a healthcare client engagement may flow into systems that were never designed with HIPAA in mind, be stored alongside non-PHI data, and be protected by controls that meet the firm's own cybersecurity standards but not HIPAA's specific requirements.
A risk analysis that covers the firm's handling of PHI — separately from its general cybersecurity assessment — would identify exactly these gaps.
Warning
If your accounting firm, law firm, or consulting practice serves healthcare clients and receives any patient information in the course of that work, you are a HIPAA business associate. Your firm's general cybersecurity program does not satisfy HIPAA's Security Rule risk analysis requirement. You need a HIPAA-specific risk analysis covering the ePHI you receive from healthcare clients.
What professional services firms must do
The BST settlement is a clear signal to every professional services firm that serves the healthcare market. HIPAA is not someone else's compliance problem. Here is what your firm must do:
1. Identify all PHI in your possession. Conduct an inventory of every healthcare client engagement where PHI flows to your firm. What data do you receive? In what formats? Through what channels? Stored on what systems? The risk analysis cannot begin until you know what PHI you have.
2. Execute BAAs with every healthcare client. If your firm receives PHI from a healthcare client and does not have a signed BAA, you are in violation before any breach occurs. Audit your healthcare client agreements and execute BAAs retroactively if needed.
3. Conduct a HIPAA Security Rule risk analysis. This is a documented assessment of threats and vulnerabilities to the ePHI you hold — not your firm's general cybersecurity risk assessment. The HIPAA analysis must specifically cover all PHI, all systems that process it, and all relevant threats. Document the methodology, findings, and risk levels.
4. Implement Security Rule safeguards. Your risk analysis will identify gaps between your current controls and what HIPAA requires. Address those gaps with a documented risk management plan — access controls, encryption of PHI at rest and in transit, audit logging, incident response procedures.
5. Train your staff. Every employee who handles PHI from healthcare clients needs HIPAA training. The firm's standard data handling policies are not sufficient.
The BST settlement confirms that HIPAA enforcement reaches professional services firms — accounting, legal, IT, consulting — whenever they receive PHI from healthcare clients. The firm's general cybersecurity program and professional conduct standards do not satisfy HIPAA's Security Rule. If your firm serves healthcare clients and receives patient data, you are a business associate with the same risk analysis and security obligations as any hospital.
Sources & citations
- HHS OCR — BST and Co. CPAs Settlement
- 45 CFR §160.103 — Business Associate Definition
- 45 CFR §164.308(a)(1) — Risk Analysis
All content verified against official HHS guidance and the Code of Federal Regulations.
Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.