Another HIPAA Settlement

HIPAA Settlement

Recently, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced a settlement with Comstar, LLC (“Comstar”), a Massachusetts company that provides billing, collection, and related services to non-profit and municipal emergency ambulance services, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement resolves an OCR investigation concerning a ransomware breach that affected 585,621 individuals.

Office for Civil Rights

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers), and business associates – such as Comstar – must follow to protect the privacy and security of protected health information (PHI). The Risk Analysis provision of the Security Rule requires a regulated organization to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by that organization.

“Assessing the potential risks and vulnerabilities to electronic protected health information is effective cybersecurity, and a HIPAA Security Rule requirement,” said Acting OCR Director Anthony Archeval. “Failure to conduct a HIPAA risk analysis can cause health care entities to be more susceptible to cyberattacks.”

The HIPPA Investigation

OCR initiated an investigation after receiving Comstar’s breach report, dated May 26, 2022, that an unknown actor had gained unauthorized access to Comstar’s network servers on March 19, 2022. Comstar did not detect the intrusion until March 26, 2022. Ransomware was used to encrypt Comstar’s network servers and the ePHI of approximately 585,621 individuals was affected. At the time of the breach, Comstar was a business associate of over 70 HIPAA covered entities. The type of ePHI impacted was clinical, including medical assessments and medication administration information. OCR’s investigation determined that Comstar failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI that it holds.

The Settlement

Under the terms of the settlement, Comstar agreed to implement a corrective action plan that OCR will monitor for two years, and paid OCR $75,000. The corrective action plan requires Comstar to take definitive steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI, including:

  • Conduct a comprehensive and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI that Comstar holds;
  • Develop a risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis;
  • Review and revise, as necessary, its written policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules; and
  • Train its workforce members who have access to PHI on its HIPAA policies and procedures.

Tips for Preventing Cyber-Threats

OCR recommends that health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber-threats:

  • Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
  • Integrate risk analysis and risk management into the organization’s business processes.
  • Ensure that audit controls are in place to record and examine information system activity.
  • Implement regular reviews of information system activity.
  • Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
  • Incorporate lessons learned from incidents into the organization’s overall security management process.
  • Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hhs-hipaa-agreement-comstar/index.html

OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of individuals’ protected health information. Please see OCR’s guidance and webinar on the HIPAA Security Rule Risk Analysis requirement. Guidance about the PrivacySecurity, and Breach Notification Rules can also be found on OCR’s website.

Note: No matter if you are a medical practice, billing & collection company, or any other type of healthcare provider, everyone today is subject to cyber-threats. Protect you company now!

Rescuers for Medical Practice Oversight

 

HIPAA Settlement FAQs

What led to the HIPAA settlement with Comstar, LLC?

The U.S. Department of Health and Human Services (HHS) settled with Comstar, LLC after a ransomware breach compromised the electronic protected health information (ePHI) of over 585,000 individuals. The investigation revealed Comstar failed to conduct a proper risk analysis—an essential requirement under the HIPAA Security Rule. Incidents like these highlight the critical need for regular cybersecurity assessments and compliance planning.

How can my practice avoid a HIPAA-related cyber breach?

Avoiding HIPAA violations requires a proactive approach. Start with a thorough risk analysis of all systems storing or transmitting ePHI. Implement safeguards such as encryption, access controls, audit logs, and staff training. Reed Tinsley, CPA helps practices assess compliance gaps, improve their HIPAA readiness, and design security protocols that protect both your data and your reputation.

What is a HIPAA risk analysis and why is it required?

A HIPAA risk analysis identifies and evaluates potential vulnerabilities to the confidentiality, integrity, and availability of ePHI. It’s a foundational requirement of the HIPAA Security Rule. Without it, healthcare organizations are far more susceptible to cyber threats. Reed Tinsley works with medical practices to ensure this analysis is comprehensive, documented, and integrated into your business operations.

Who must comply with the HIPAA Security Rule?

HIPAA applies to covered entities like healthcare providers and health plans—as well as their business associates, such as billing or IT service providers. Comstar’s case underscores that even third-party vendors are subject to enforcement. Reed Tinsley advises both providers and business associates on HIPAA compliance strategies to help minimize liability and maintain trust

What should I do after a cyber incident or data breach?

Following a breach, it’s essential to report the incident, conduct a full investigation, notify affected individuals (if required), and update your risk management plan. OCR may investigate your compliance history, as it did with Comstar. Reed Tinsley offers advisory services to guide practices through incident response, compliance reviews, and preventive planning to strengthen security moving forward.

Have questions? I’m here to help.

Categories
Accounting and Tax Services Litigation Support Managed Care Consulting Managed Care Contract Negotiations Medical Practice and Healthcare Entity Valuation Medical Practice Assessment Medical Practice Brokerage Medical Practice Embezzlement Consulting Medical Practice Management Medical Practice Merger Advice Medical Strategic Planning Newsletter Personal Financial Planning Oversight Physician Compensation Models Physician Compliance Physician Financial Management Services Retirement Uncategorized
About Reed Tinsley, CPA

As a top advisor to physicians, I help increase practice profits by delivering hands-on, expert medical accounting/tax support, practice counsel, and revenue-building strategies. Read More >

Reed Tinsley, CPA for Physicians