Medical Imaging Service Provider Settles HIPAA Risk Analysis & Breach Notification Failures
The HHS’ Office for Civil Rights (OCR) has announced its 8th financial penalty under the Trump administration. The settlement resolves an alleged violation of the risk analysis provision of the HIPAA Security Rule and a violation of the HIPAA Breach Notification Rule. Vision Upright MRI LLC, a California magnetic resonance imaging (MRI) service provider, has agreed to settle the alleged violations and will pay a $5,000 financial penalty.
OCR is currently running a risk analysis enforcement initiative and has imposed 9 penalties under it. OCR is focusing on risk analysis compliance because the risk analysis is a foundational Security Rule requirement: it drives risk management and the selection of safeguards that ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The failure to conduct a comprehensive and accurate risk analysis is also one of the most commonly identified HIPAA violations.
OCR also appears to be looking closely at Breach Notification Rule compliance. The HIPAA Breach Notification Rule requires affected individuals to be notified without unreasonable delay and no later than 60 days after the discovery of a breach, and breaches to be reported to the HHS Secretary via the OCR breach portal (within 60 days of discovery for breaches affecting 500 or more individuals; smaller breaches may be reported annually, within 60 days of the end of the calendar year in which they were discovered). A media notice is also required for breaches affecting 500 or more individuals. This is the second HIPAA compliance case this year to include a penalty for late breach notifications.
Vision Upright MRI is a small healthcare provider with one location in San Jose, California. OCR notified Vision Upright MRI on December 1, 2020, that OCR had initiated an investigation into compliance with the HIPAA Rules. It is unclear from the settlement agreement how OCR discovered the data breach, as the data breach was not reported to OCR, and the affected individuals were not notified. The breach also does not appear to have been reported to the California Attorney General. The only breach notice on the OCR breach portal from Vision Upright MRI is a March 10, 2025, breach with 23,031 affected individuals.
OCR’s investigation revealed Vision Upright MRI had never conducted a comprehensive and accurate risk analysis to identify risks and vulnerabilities to ePHI, and also failed to notify the affected individuals within 60 days of the discovery of a data breach. OCR said the ePHI of 21,778 individuals, including medical images and associated ePHI, was stored on an unsecured Picture Archiving and Communication System (PACS) server. The server and PACS were used for storing, retrieving, managing, and accessing radiology images, and the server had been accessed by an unauthorized third party. It is unclear whether the access was by a hacker, a security researcher, or another individual.
Under the terms of the settlement, Vision Upright MRI will pay a $5,000 financial penalty and adopt a corrective action plan (CAP) to ensure HIPAA compliance. Compliance with the CAP will be monitored by OCR for 2 years. The CAP requires Vision Upright MRI to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to ePHI; develop, implement, and maintain a risk management plan to reduce the risks and vulnerabilities identified through the risk analysis to a low and acceptable level; develop, implement, and maintain policies and procedures to comply with the HIPAA Rules; distribute the policies and procedures to the workforce and provide HIPAA training; and issue breach notifications to HHS, the media, and the affected individuals.
“Cybersecurity threats affect large and small covered health care providers,” OCR Acting Director Anthony Archeval said. “Small providers also must conduct accurate and thorough risk analyses to identify potential risks and vulnerabilities to protected health information and secure them.”

The post Medical Imaging Service Provider Settles HIPAA Risk Analysis & Breach Notification Failures appeared first on The HIPAA Journal.
Weiser Memorial Hospital Data Breach Affects 34,200 Patients
Cyberattacks and data breaches have recently been announced by Weiser Memorial Hospital in Idaho and Minnesota Orthodontics and Dentofacial Orthopedics.
Weiser Memorial Hospital
Weiser Memorial Hospital in Idaho has recently informed the Maine Attorney General about a data breach involving unauthorized access to the personal and protected health information of 34,249 individuals, including 14 Maine residents. Unusual network activity was identified on September 4, 2024. After securing its network, Weiser Memorial Hospital engaged third-party cybersecurity experts to investigate and determine the nature and scope of the unauthorized activity.
The investigation confirmed that an unauthorized third party accessed its network and exfiltrated files containing sensitive data on or around September 4, 2024. The impacted files were reviewed to determine the patients affected and the types of data involved, and that process concluded on April 21, 2025. Weiser Memorial Hospital has confirmed that current and former patients had some or all of the following information stolen in the incident: name, date of birth, Social Security number, other government ID numbers, diagnoses, treatment/procedure information, Medicare/Medicaid numbers, and/or health insurance information.
Weiser Memorial Hospital said steps have been taken to improve security to prevent similar incidents in the future, and the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services.
Minnesota Orthodontics and Dentofacial Orthopedics
Minnesota Orthodontics and Dentofacial Orthopedics (MN Ortho) has alerted patients about a recent data security incident involving unauthorized access to sensitive patient data. On February 26, 2025, MN Ortho discovered unauthorized access to its network. Steps were taken to secure its systems and prevent further unauthorized access, and third-party cybersecurity specialists were engaged to investigate the activity.
On April 18, 2025, MN Ortho confirmed that an unauthorized third party copied files from its network that contained patient data such as names, dates of birth, financial information, health forms, insurance information, treatment information, and employment information. The investigation and data review are ongoing, and notification letters will be mailed to the affected individuals when the process is completed. MN Ortho said it is unaware of any misuse of the affected data. The security incident has been reported to the HHS’ Office for Civil Rights using a placeholder figure of 501 affected individuals. The total will be updated when the file review is concluded.