Meghan O’Connor, Sarah Erdmann and Simone Colgan Dunlap Outline Implications of HIPAA-Related Settlement in Article for Journal of Health Care Compliance
Quarles & Brady partners Meghan O’Connor, Sarah Erdmann and Simone Colgan Dunlap wrote an article for the Journal of Health Care Compliance about the lessons that can be learned from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settlement with New York-based accounting and advisory firm BST & Co. CPAs LLP (BST).
O’Connor, Erdmann and Colgan Dunlap are members of the firm’s Health & Life Sciences Practice Group, of which Colgan Dunlap is national vice chair, and Data Asset Management, Privacy & Cybersecurity team, which O’Connor co-chairs.
The investigation that led to OCR’s settlement with BST centered on a possible violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. As part of the settlement, BST must pay $175,000 to OCR and execute a corrective action plan to be monitored by OCR for two years. The authors noted that this case sends a clear message about OCR enforcement under the Trump administration, particularly as it relates to the constantly evolving HIPAA security requirements.
An excerpt:
Based on the continued enforcement actions under the Initiative, HIPAA-covered entities and business associates that have not completed a risk analysis recently should plan to timely undertake one, set a regular cadence for risk analyses, and be prepared to update timelines as necessary to address changes in IT systems or architecture, organizational changes, or in response to a new threat or incident.
…
The BST settlement confirms that the Initiative remains a priority across administrations, and that OCR expects all regulated entities, no matter their size, to maintain robust, well-documented risk analysis programs. With more aggressive requirements potentially on the horizon, organizations cannot afford to treat risk analysis as a checkbox exercise. The stakes are too high, both in terms of regulatory exposure and the very real threat of cyberattacks that compromise patient data. Regulated entities that treat security compliance as an ongoing commitment rather than a one-time project will be best positioned to protect both patients and their organizations from harm.