
Small healthcare providers should take note of the latest HIPAA settlement announcement. HIPAA enforcement reaches covered entities and business associates of all sizes and types.
Last week, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Vision Upright MRI, a small California health care provider that conducts magnetic resonance imaging and related services, concerning potential HIPAA violations. The settlement resolves an OCR investigation concerning the breach of an unsecured server containing the medical images of 21,778 individuals.
HIPAA Enforcement Continues Under Trump
This is the eighth HIPAA enforcement action announced by HHS under the Trump administration.
OCR initiated a compliance review of Vision Upright MRI after learning that an unauthorized third party had impermissibly accessed electronic protected health information (ePHI) stored on the provider’s Picture Archiving and Communication System (PACS) server, which was used for storing, retrieving, managing, and accessing radiology images.
OCR’s investigation revealed that Vision Upright MRI had never conducted a HIPAA risk analysis and had failed to notify the 21,778 affected individuals of the breach within the required 60 days of discovering it.
Under the terms of the resolution agreement, Vision Upright MRI agreed to implement a corrective action plan, which OCR will monitor for two years, and paid $5,000 to OCR.
Vision Upright MRI will also take steps to improve its compliance with the HIPAA Security and Breach Notification Rules and protect the security of ePHI, including:
- Providing required breach notifications to affected individuals, HHS, and the media;
- Submitting to OCR its most recently completed risk analysis to include all electronic media, regardless of its source or location (i.e., electronic equipment, data systems, programs, off-site data storage, and applications) that contains, stores, transmits, or receives ePHI;
- Developing and implementing a risk management plan to address and mitigate any security risks and vulnerabilities identified in its risk analysis;
- Developing, maintaining, and revising, as necessary, written policies and procedures to comply with the HIPAA Rules; and
- Providing workforce training on HIPAA policies and procedures to all workforce members who have access to ePHI.