Tag: Security Risk Assessment (SRA)

The HHS Office for Civil Rights (OCR) just sent another clear message: HIPAA compliance isn’t optional no matter your practice size.

The OCR has reached a resolution with Vision Upright MRI, a small California imaging provider, after a breach of unsecured protected health information (PHI) impacted 21,778 patients. The breach originated from an unsecured server that housed radiology images and lacked proper risk analysis, audit controls, and breach notification procedures.

What happened:

• No HIPAA risk analysis ever conducted
• Breach notification wasn’t sent within the required 60-day timeframe
• ePHI was stored on an unprotected PACS server

As a result, the total settlement cost was a $5,000 fine plus 2 years of monitoring in addition to mandatory corrective actions including:

• Risk analysis 
• Mandatory training 
• Updated policies and procedures
• Encryption and audit protocols  

Why this matters to you:

Whether you’re a solo provider or part of a large system, OCR expects every HIPAA-covered entity to:

• Identify where ePHI resides
• Conduct and update risk analyses regularly
• Encrypt ePHI in transit and at rest
• Provide HIPAA training tailored to roles
• Maintain up-to-date breach response protocols
• Monitor audit logs and respond to anomalies