With apologies to John Donne, ask not for whom the bells tolls, HIPAA business associates, it tolls for thee!  While it has been the law for some time that business associates could be held directly liable for breaches, enforcement actions against them have been few and far between.  But a sizable settlement announced on September 23, 2020 by the Office for Civil Rights at the U.S. Department of Health and Human Services (HHS OCR) reminds us that business associates are going to be held to the same standards (and subjected to the same penalties) as HIPAA covered entities.

This $2.3 million settlement involved CHSPSC LLC, which provides IT and health information management to hospitals and physician clinics owned by Community Health Systems, Inc., in Franklin, Tennessee.  In April 2014, the FBI notified CHSPSC that it had traced a cyberhacking group’s advanced persistent threat to CHSPSC’s information system. Despite this notice, the hackers continued to access and exfiltrate the PHI of 6,121,158 individuals until August 2014. The hackers used compromised administrative credentials to remotely access CHSPSC’s information system through its virtual private network.  OCR ‘s investigation found longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.   In addition to the monetary settlement, CHSPSC has agreed to a corrective action plan that includes two years of monitoring.