California MRI provider hit with HIPAA fine

Vision Upright MRI LLC agreed to a two-year Corrective Action Plan with the U.S. Department of Health and Human Services after violating HIPAA by exposing patient information, requiring the company to implement stricter privacy and security measures.


What happened

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a $5,000 financial penalty against Vision Upright MRI LLC, a small magnetic resonance imaging (MRI) provider in San Jose, California. The settlement resolves alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), specifically the Security Rule’s risk analysis provision and the Breach Notification Rule.


Going deeper

OCR initiated its investigation into Vision Upright MRI on December 1, 2020, uncovering multiple serious HIPAA violations. Investigators found that the imaging provider had never conducted a comprehensive and accurate risk analysis, a foundational requirement of the HIPAA Security Rule. This failure left the provider ill-equipped to identify and address vulnerabilities to electronic protected health information (ePHI).

In addition, Vision Upright MRI failed to notify both the HHS and affected individuals within the mandated 60-day period following the discovery of a data breach. The breach, which exposed the ePHI, including radiology images, of at least 21,778 individuals, had not been reported to the California Attorney General either. The only public notice from the provider appears in the OCR breach portal dated March 10, 2025, involving 23,031 individuals, though it remains unclear whether this listing is related to the current enforcement action.

OCR’s investigation revealed that the compromised data resided on an unsecured Picture Archiving and Communication System (PACS) server, which was accessed by an unauthorized third party. It is still unknown whether the access was the result of hacking, security research, or inadvertent exposure.


What was said

The U.S. Department of Health and Human Services (HHS) issued a Corrective Action Plan (CAP) to Vision Upright MRI LLC (VUM) following a HIPAA violation involving the exposure of protected health information (PHI). Under the CAP, VUM agreed to take several corrective steps. According to the document, “VUM hereby enters into this Corrective Action Plan (CAP) with the United States Department of Health and Human Services, Office for Civil Rights (HHS).”

Key requirements include:

  • Notifying affected individuals and the media: “VUM shall provide OCR its draft breach notification… and media notification… consistent with 45 C.F.R. §§ 164.404 and 164.406.”
  • Conducting a risk analysis: “VUM shall conduct… an accurate and thorough analysis of security risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.”
  • Implementing a risk management plan: “The plan shall include a process and timeline for implementation, evaluation, and revision of risk remediation activities.”
  • Updating and distributing HIPAA policies: “VUM shall develop, maintain, and revise… policies and procedures to comply with the Federal Standards.”
  • Training staff and documenting compliance: “VUM shall require… signed certification from staff stating they have read and will follow the policies.”
  • Reporting non-compliance (“Reportable Events”): “VUM shall report such events to HHS… or submit a quarterly attestation if none occurred.”
  • Submitting reports: “The Implementation Report… shall include an attestation… that all workforce members have completed training.”

The CAP is in effect for two years, with possible extensions if violations are found.

“The Compliance Term shall not end until HHS notifies VUM that it has determined that the breach has been cured.”


Why it matters

The case demonstrates OCR's increasing scrutiny of two key HIPAA compliance areas: risk analysis and breach notification. The HIPAA Breach Notification Rule requires covered entities to report breaches of unsecured ePHI to OCR, notify affected individuals within 60 days of discovery, and issue a media notice for breaches affecting 500 or more individuals.

This is the second enforcement action this year to include a penalty for delayed breach notification, reinforcing OCR’s intent to crack down on such delays, regardless of an organization’s size.


Bottom line

Vision Upright MRI will pay a $5,000 penalty and enter into a two-year corrective action plan (CAP). Under the CAP, the provider must conduct a thorough risk analysis, implement a risk management plan, update HIPAA policies and procedures, train its workforce, and issue overdue breach notifications.

This settlement sends a message that no healthcare provider is too small to fall under OCR’s enforcement radar.


FAQs

Who enforces HIPAA regulations?

HIPAA is enforced by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR).


What triggers a HIPAA investigation?

Investigations may be triggered by complaints, breach reports, media reports, or random audits.


How does OCR determine penalty amounts?

Penalties depend on the nature of the violation, the level of negligence, and the organization's compliance efforts.