The latest HIPAA enforcement action should serve as a loud and clear warning to every medical billing company: HIPAA is not optional—it’s the law. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with Comstar, LLC, a Massachusetts-based ambulance billing company, after a ransomware breach exposed the electronic protected health information (ePHI) of 585,621 individuals.
The cost?
- $75,000 fine
- A 2-year corrective action plan monitored by the OCR
- Long-term damage to trust and reputation
But here’s the kicker: this breach could have been prevented with proper security measures. Comstar failed to conduct a proper HIPAA risk analysis—a fundamental requirement of the HIPAA Security Rule—which would have uncovered vulnerabilities to ePHI.
What Went Wrong?
In March 2022, Comstar’s systems were breached. Hackers gained unauthorized access to network servers and deployed ransomware, encrypting sensitive data like medical assessments and medication records.
OCR’s investigation revealed Comstar had not performed an accurate and thorough risk analysis—a key step in identifying vulnerabilities before they become disasters.
And Comstar isn’t alone. This marks OCR’s 13th ransomware enforcement action and 9th under its Risk Analysis Initiative. Clearly, the message hasn’t sunk in for many healthcare organizations.
What This Means for You
If you work with ePHI, you are legally required to protect patient information.
That starts with the risk analysis.
HIPAA Risk Analysis: What You Must Do
OCR recommends the following to stay compliant and secure:
- Map your ePHI: Know exactly where electronic protected health information enters, moves through, and leaves your systems.
- Conduct a risk analysis: Identify potential threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- Develop a risk management plan: Actively mitigate and address identified risks.
- Implement audit controls: Monitor who is accessing what, and when.
- Train your team: Ensure every staff member understands HIPAA and their role in protecting patient data.
- Encrypt ePHI: Both in transit and at rest.
- Review and revise your policies regularly: Especially after any incidents or updates in your systems.
Don’t Let Complacency Be Your Weak Point
Too often, organizations put off HIPAA risk analysis because it feels technical, complicated, or time-consuming. But as Comstar’s case shows, the cost of inaction is far higher than the cost of preparation.
Compliancy Group helps healthcare organizations simplify HIPAA compliance—from comprehensive risk assessments to training your staff. Learn more about our risk management module!
