HHS penalizes imaging provider for allegedly violating patient privacy laws

The Department of Health and Human Services (HHS) recently penalized a California imaging provider for allegedly violating federal standards for protecting sensitive patient information.

The HHS Office for Civil Rights on May 15 announced the settlement agreement with San Jose-based Vision Upright MRI, which has agreed to pay $5,000 to resolve the allegations. Authorities said the small healthcare organization experienced a breach of its picture archiving and communication system after an unauthorized third party gained access to its systems. 

This resulted in the release of protected health information of 21,778 impacted individuals, HHS said. An investigation launched in 2020 determined Vision Upright MRI allegedly failed to properly assess potential security threats to protected health information and did not notify customers within the required 60 days.

“Cybersecurity threats affect large and small covered healthcare providers,” Anthony Archeval, acting director of the Office for Civil Rights, said in a statement. “Small providers also must conduct accurate and thorough risk analyses to identify potential risks and vulnerabilities to protected health information and secure them.”

Vision Upright MRI has additionally agreed to implement a corrective action plan that will be monitored by HHS for two years. The imaging group also will take steps to improve its compliance with federal security and breach notification rules, along with protecting private patient information. These actions will include: 

  • Providing required breach notifications to impacted patients, HHS and the media. 
  • Submitting the most recently completed risk analysis to the Office for Civil Rights. 
  • Implementing a risk management plan to address any vulnerabilities identified during the analysis. 
  • Developing and maintaining written policies and procedures to comply with the Health Insurance Portability and Accountability Act. 
  • Providing training on HIPAA policies to all employees who have access to protected health information. 

The HHS Office for Civil Rights also offered recommended steps radiology groups can take to avoid a similar situation. You can read the agreement and corrective action plan here.

This is the second such agreement between the Office for Civil Rights and a radiology group this year. HHS on April 10 announced a settlement with Northeast Radiology, which agreed to pay $350,000 and implement a corrective action plan. 

Marty Stempniak

Marty Stempniak has covered healthcare since 2012, with his byline appearing in the American Hospital Association's member magazine, Modern Healthcare and McKnight's. Prior to that, he wrote about village government and local business for his hometown newspaper in Oak Park, Illinois. He won Peter Lisagor and Gold EXCEL awards in 2017 for his coverage of the opioid epidemic.
