HHS dings Vision Upright MRI for cybersecurity breach

San Jose, CA-based Vision Upright MRI has agreed to implement a monitored corrective action plan and pay a $5,000 fine as part of a settlement with the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) over the exposure of electronic protected health information (ePHI).

The settlement involves an OCR investigation concerning the breach of an unsecured server containing the medical images of 21,778 individuals, according to the HHS OCR May 15 press release. The OCR initiated a compliance review of the imaging center after learning that the provider experienced a breach of ePHI stored on its PACS server, due to an unauthorized third party's impermissible access.

Vision Upright MRI had never conducted a Health Insurance Portability and Accountability Act (HIPAA) risk analysis and failed to complete timely breach notification within 60 days of discovering the breach, the HHS OCR said.

"Small providers also must conduct accurate and thorough risk analyses to identify potential risks and vulnerabilities to protected health information and secure them," the HHS OCR noted.
